VincyZhang · VincyZhang · Nov 21, 2024 · Nov 21, 2024 · Nov 22, 2024 · Nov 22, 2024
diff --git a/.github/workflows/_example-workflow.yml b/.github/workflows/_example-workflow.yml
@@ -69,6 +69,12 @@ jobs:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0
 
+      - name: Check Dangerous Command Injection
+        run: |
+            export WORKSPACE=${{ github.workspace }}
+            cd ${{ github.workspace }}
+            bash -x .github/workflows/scripts/check_cmd_injection.sh
+
       - name: Clone Required Repo
         run: |
           cd ${{ github.workspace }}/${{ inputs.example }}/docker_image_build

diff --git a/.github/workflows/for_test.sh b/.github/workflows/for_test.sh
@@ -0,0 +1,6 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+echo "this is for test only"
+docker images
+docker stop
diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml
@@ -22,6 +22,7 @@ env:
   REPO_TAG: "1.0"
   DOCKER_FILE_NAME: "code-scan"
   CONTAINER_NAME: "code-scan"
+  WORKSPACE: ${{ github.workspace }}
 
 jobs:
   code-scan:
@@ -34,6 +35,10 @@ jobs:
       - name: Checkout out Repo
         uses: actions/checkout@v4
 
+      - name: Check Dangerous Command Injection
+        if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
+        run: cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh
+
       - name: Docker Build
         run: |
           docker build -f ${{ github.workspace }}/.github/workflows/docker/${{ env.DOCKER_FILE_NAME }}.dockerfile -t ${{ env.REPO_NAME }}:${{ env.REPO_TAG }} .

diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+cd ${WORKSPACE}
+[[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file
+source .github/workflows/scripts/change_color
+# docker control/rm/scp/rsync/git cmd
+check_list=("docker stop" "docker rm" "docker kill" "sudo rm" "git .* -f")
+
+# exclude path
+exclude_check_path=".github/workflows/scripts"
+
+# get change file lists (exclude delete files)
+git fetch origin main
+change_files=$(git diff FETCH_HEAD --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}')
+
+status="success"
+for file in ${change_files};
+do
+    echo "file name is ${file}"
+    # check file type: shell yaml python
+    if [[ ! $(echo ${file} | grep -E ".*\.sh") ]] && [[ ! $(echo ${file} | grep -E "*.ya?ml") ]] && [[ ! $(echo ${file} | grep -E ".*\.py") ]];
+    then
+        echo "This file ${file} no need to check, exit"
+        exit 0
+    fi
+    # get added command
+    git diff FETCH_HEAD ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file
+    #cat diff_file | while read line; do
+    #    echo $line;
+    #    for (( i=0; i<${#check_list[@]}; i++)); do
+    #        if [[ $line == *"${check_list[$i]}"* ]]; then
+    #            echo "Found Dangerous Command: ${check_list[$i]} in $file, Please Check"
+    #            status="failed"
+    #        fi;
+    #    done;
+    #done
+    for (( i=0; i<${#check_list[@]}; i++)); do
+        if [[ $(cat diff_file | grep -c "${check_list[$i]}") != 0 ]]; then
+            $BOLD_RED && echo "Found Dangerous Command: ${check_list[$i]} in $file, Please Check"
+            status="failed"
+        fi;
+    done;
+done
+[[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file
+[[ $status == "failed" ]] && exit 1 || exit 0