-
Notifications
You must be signed in to change notification settings - Fork 444
fix(security): replace curl|sh installer pipes with download+verify (RGS-018) #43716
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
a357996
3eca684
98a1883
d265668
0821ca9
5c2c9d0
efc3075
157710a
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -20,8 +20,15 @@ strict: true | |
| timeout-minutes: 20 | ||
| steps: | ||
| - name: Install Ollama | ||
| env: | ||
| OLLAMA_VERSION: "0.31.1" | ||
| OLLAMA_INSTALL_SHA256: "25f64b810b947145095956533e1bdf56eacea2673c55a7e586be4515fc882c9f" | ||
| run: | | ||
| curl -fsSL https://ollama.com/install.sh | sh | ||
| echo "Downloading Ollama v${OLLAMA_VERSION} install script..." | ||
| mkdir -p /tmp/gh-aw | ||
| curl -fsSL "https://github.com/ollama/ollama/releases/download/v${OLLAMA_VERSION}/install.sh" -o /tmp/gh-aw/ollama-install.sh | ||
| echo "${OLLAMA_INSTALL_SHA256} /tmp/gh-aw/ollama-install.sh" | sha256sum -c - | ||
| sh /tmp/gh-aw/ollama-install.sh | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [/diagnosing-bugs] If Ollama ever re-publishes the same-version script with different content (unlikely but possible with installer scripts), this check won't catch it until the constant is manually updated. 💡 SuggestionConsider documenting in the env block where the SHA256 was sourced (e.g., from the Ollama release page checksum file). Also add a run: |
set -euo pipefail
echo "Downloading Ollama v${OLLAMA_VERSION} install script..."
mkdir -p /tmp/gh-aw
curl -fsSL "..."
echo "${OLLAMA_INSTALL_SHA256} /tmp/gh-aw/ollama-install.sh" | sha256sum -c -
sh /tmp/gh-aw/ollama-install.shThe current script lacks @copilot please address this.
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ollama install script run with 💡 DetailsOn Ubuntu runners, The fix already applied to bash /tmp/gh-aw/ollama-install.sh |
||
| - name: Generate Ollama API key | ||
| run: | | ||
| OLLAMA_API_KEY="$(openssl rand -hex 16)" | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -38,9 +38,13 @@ jobs: | |
| id: install-trufflehog | ||
| env: | ||
| TRUFFLEHOG_VERSION: "3.88.27" | ||
| TRUFFLEHOG_SHA256: "e3b2647b7a7bc1591f316da91fd33fc7397f8e3c21e2feed791c171f0c406bc7" | ||
| run: | | ||
| echo "Installing TruffleHog v${TRUFFLEHOG_VERSION}..." | ||
| curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin "v${TRUFFLEHOG_VERSION}" | ||
| echo "Downloading TruffleHog v${TRUFFLEHOG_VERSION}..." | ||
| mkdir -p /tmp/gh-aw | ||
| curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" -o /tmp/gh-aw/trufflehog.tar.gz | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hardcoded 💡 Details and fixThe download URL: ...hardcodes Additionally, if the SHA256 is ever inadvertently changed to match the wrong-arch binary, the extracted Detect architecture at runtime: ARCH=$(dpkg --print-architecture 2>/dev/null || uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
curl -fsSL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_${ARCH}.tar.gz" \
-o /tmp/gh-aw/trufflehog.tar.gzThis requires maintaining per-arch hashes (e.g., in an env map or a separate verification step that fetches the upstream file from the pinned release). |
||
| echo "${TRUFFLEHOG_SHA256} /tmp/gh-aw/trufflehog.tar.gz" | sha256sum -c - | ||
| sudo tar -xzf /tmp/gh-aw/trufflehog.tar.gz -C /usr/local/bin trufflehog | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [/diagnosing-bugs] This is architecturally sound (hash the archive, extract the binary), but the pattern diverges from the Ollama fix where the script itself is hashed. A brief comment would help future maintainers understand why this is intentional. 💡 SuggestionAdd an inline comment: # SHA256 covers the .tar.gz archive; the binary is extracted from the verified archive
echo "${TRUFFLEHOG_SHA256} /tmp/gh-aw/trufflehog.tar.gz" | sha256sum -c -
sudo tar -xzf /tmp/gh-aw/trufflehog.tar.gz -C /usr/local/bin trufflehogAlso note that @copilot please address this. |
||
| trufflehog --version | ||
|
|
||
| - name: Scan agent output for secrets | ||
|
|
||
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -82,8 +82,15 @@ jobs: | |
| `, actionRepo, actionRef, version) | ||
| } | ||
|
|
||
| // Default (dev/script mode): use curl to download install script | ||
| return `name: "Copilot Setup Steps" | ||
| // Default (dev/script mode): try to resolve the main branch to a pinned SHA so the | ||
| // downloaded script is immutable; fall back to the mutable branch ref if unavailable. | ||
| installRef := "refs/heads/main" | ||
| if sha, err := workflow.ResolveGhAwRef(ctx, "main"); err == nil && sha != "" { | ||
| installRef = sha | ||
| } else { | ||
| copilotSetupLog.Printf("Could not resolve github/gh-aw main SHA for dev-mode template, falling back to mutable ref: %v", err) | ||
| } | ||
| return fmt.Sprintf(`name: "Copilot Setup Steps" | ||
|
|
||
| # This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server | ||
| on: | ||
|
|
@@ -105,10 +112,15 @@ jobs: | |
| steps: | ||
| - name: Install gh-aw extension | ||
| run: | | ||
| curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash | ||
| ` | ||
| mkdir -p /tmp/gh-aw | ||
| curl -fsSL https://raw.githubusercontent.com/github/gh-aw/%s/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh | ||
| bash /tmp/gh-aw/install-gh-aw.sh | ||
|
Comment on lines
112
to
+117
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same issue as in Since this Go code generates the workflow snippet that users copy-paste or auto-apply, users who run @copilot please address this.
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [/codebase-design] The Go template generates a Users who run 💡 SuggestionIf SHA256 verification is to be added to const installGhAwScript = `
mkdir -p /tmp/gh-aw
curl -fsSL "(redacted)" -o /tmp/gh-aw/install-gh-aw.sh
echo "${GH_AW_INSTALL_SHA256} /tmp/gh-aw/install-gh-aw.sh" | sha256sum -c -
bash /tmp/gh-aw/install-gh-aw.sh
`@copilot please address this.
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Both generated workflow templates embed the same incomplete fix — mutable URL, no SHA256 — propagating the vulnerability to every downstream user repo. 💡 Impact and fixThe template at lines 108-110 (function return value) and the constant at lines 136-138 ( run: |
mkdir -p /tmp/gh-aw
curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh
bash /tmp/gh-aw/install-gh-aw.shThis is written into users' Both the template function and the constant must be updated atomically. The template should either:
The current two-code-path design ( |
||
| `, installRef) | ||
| } | ||
|
|
||
| // copilotSetupStepsYAML is a static dev-mode template used only for YAML validity tests. | ||
| // It deliberately uses the mutable branch ref as a fallback; the runtime function | ||
| // generateCopilotSetupStepsYAML resolves the ref to an immutable commit SHA whenever possible. | ||
| const copilotSetupStepsYAML = `name: "Copilot Setup Steps" | ||
|
|
||
| # This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server | ||
|
|
@@ -131,7 +143,9 @@ jobs: | |
| steps: | ||
| - name: Install gh-aw extension | ||
| run: | | ||
| curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash | ||
| mkdir -p /tmp/gh-aw | ||
| curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh | ||
| bash /tmp/gh-aw/install-gh-aw.sh | ||
|
Comment on lines
143
to
+148
|
||
| ` | ||
|
|
||
| // CopilotWorkflowStep represents a GitHub Actions workflow step for Copilot setup scaffolding | ||
|
|
@@ -278,9 +292,17 @@ func renderCopilotSetupUpdateInstructions(ctx context.Context, filePath string, | |
| fmt.Fprintln(os.Stderr, " with:") | ||
| fmt.Fprintln(os.Stderr, " version: "+version) | ||
| } else { | ||
| // Dev/script mode: try to resolve main to a pinned SHA so the instructions emit an | ||
| // immutable URL; fall back to the mutable branch ref if resolution is unavailable. | ||
| installRef := "refs/heads/main" | ||
| if sha, err := workflow.ResolveGhAwRef(ctx, "main"); err == nil && sha != "" { | ||
| installRef = sha | ||
| } | ||
| fmt.Fprintln(os.Stderr, " - name: Install gh-aw extension") | ||
| fmt.Fprintln(os.Stderr, " run: |") | ||
| fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash") | ||
| fmt.Fprintln(os.Stderr, " mkdir -p /tmp/gh-aw") | ||
| fmt.Fprintln(os.Stderr, " curl -fsSL https://raw.githubusercontent.com/github/gh-aw/"+installRef+"/install-gh-aw.sh -o /tmp/gh-aw/install-gh-aw.sh") | ||
| fmt.Fprintln(os.Stderr, " bash /tmp/gh-aw/install-gh-aw.sh") | ||
|
Comment on lines
301
to
+305
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [/codebase-design] The install script snippet is inlined as three separate 💡 SuggestionExtract the install snippet to a single @copilot please address this. |
||
| } | ||
| fmt.Fprintln(os.Stderr) | ||
| } | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SHA256 hash and version are not atomically coupled — a version bump without a hash update will silently break secret scanning or Ollama installation.
💡 Details
OLLAMA_INSTALL_SHA256is coupled toOLLAMA_VERSION: "0.31.1". WhenOLLAMA_VERSIONis bumped (manually or via Dependabot), the hash will be wrong. Thesha256sum -ccommand will fail with a non-zero exit code, causing the entire install step to fail — and since this workflow is the only mechanism for Ollama availability, all downstream steps will also fail.The same concern applies to
TRUFFLEHOG_SHA256/TRUFFLEHOG_VERSIONinshared/trufflehog.md.There is no comment, script, Makefile target, or CI check enforcing the coupling. Add a comment documenting the procedure:
Consider adding a CI check that validates the stored hash against the pinned version, or a
make update-hashestarget.