update check for malicious unicode
maltfield committed Aug 7, 2024
1 parent 924ca98 commit ece61e3
Showing 1 changed file with 43 additions and 6 deletions.
49 changes: 43 additions & 6 deletions .github/workflows/unicode_warn.yml
@@ -1,27 +1,34 @@
################################################################################
# File: .github/workflows/unicode_warn.yml
# Version: 0.1
# Version: 0.2
# Purpose: Detects Unicode in PRs and comments the results of findings in PR
# * https://tech.michaelaltfield.net/bidi-unicode-github-defense/
# Authors: Michael Altfield <[email protected]>
# Created: 2021-11-20
# Updated: 2021-11-20
# Updated: 2024-08-07
################################################################################
# in main branch
name: malicious_sanity_checks

# execute this workflow automatically on all PRs
on: [pull_request]
on:
pull_request_target:
types: [opened, edited, synchronize, reopened, unlocked]

jobs:

unicode_warn:

runs-on: ubuntu-latest
container: debian:bullseye-slim


permissions:
issues: write
pull-requests: write

steps:

- name: Prereqs
continue-on-error: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
Expand All @@ -34,12 +41,31 @@ jobs:
id: unicode_diff
run: |
set -x
git config --global --add safe.directory .
git config --global --add safe.directory "$(pwd)"
git branch -a
git log
diff=`git diff --unified=0 ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }} | grep -E "^[+]" | grep -Ev '^(--- a/|\+\+\+ b/)'`
if [ $? -ne 0 ]; then
# there was an error in the diff
human_result="WARNING: git diff failed!"
echo "${human_result}"
exit 1
fi
unicode_diff=`echo -n "${diff}" | grep -oP "[^\x00-\x7F]*"`
unicode_grep_exit_code=$?
echo "${unicode_diff}"
unicode_diff_hexdump=`echo -n "${unicode_diff}" | hd`
if [ $? -ne 0 ]; then
# there was an error in the hexdump
human_result="WARNING: hexdump failed!"
echo "${human_result}"
exit 1
fi

echo "${unicode_diff_hexdump}"

# did we select any unicode characters?
Expand Down Expand Up @@ -75,3 +101,14 @@ jobs:
repo: context.repo.repo,
body: "${{ env.UNICODE_HUMAN_RESULT }}"
})
# Exit with or without error
- name: Exit with or without error
run: |
if [[ "${{ env.UNICODE_HUMAN_RESULT }}" | grep -i "WARNING" ]]; then
exit 1
else
exit 0
shell: bash {0}
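Review bot: The new `Exit with or without error` step's script is not valid bash — `[[ "..." | grep -i "WARNING" ]]` is not a pipeline inside `[[ ]]`, and the `if`/`else` never reaches a closing `fi` — so with `shell: bash {0}` the step ends in a syntax error on every run, independent of the result it is meant to report. The same line substitutes `${{ env.UNICODE_HUMAN_RESULT }}` into the script text before bash parses it; that variable appears to be assembled from the PR diff output in the `unicode_diff` step (its assignment is outside this hunk), so PR-controlled text would become shell source in a `pull_request_target` job that holds `pull-requests: write` and `issues: write`. Reading the variable from the environment avoids both problems: `if printf '%s' "$UNICODE_HUMAN_RESULT" | grep -qi 'WARNING'; then` / `  exit 1` / `fi` — and the `body: "${{ env.UNICODE_HUMAN_RESULT }}"` handed to github-script in the context lines above has the same shape and would be safer passed through a step `env:` entry and read via `process.env`. In the second hunk, `if [ $? -ne 0 ]` after `diff=\`git diff ... | grep -Ev ...\`` tests the exit status of the last `grep`, not of `git diff`, so a failed diff is not caught while an all-deletion diff (grep exits 1 with no matches) aborts with "git diff failed"; `set -o pipefail` or checking `git diff` on its own line would make the message truthful. Since `pull_request_target` runs with the base repository's token, the job must also never check out or execute the PR head, which cannot be confirmed here because the `Prereqs` step body lies outside the hunk.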
