security changes

mongoKart · mongoKart · commit b84067252968 · 2024-10-17T12:59:04.000-05:00
diff --git a/.github/workflows/add-netlify-links.yml b/.github/workflows/add-netlify-links.yml
@@ -1,55 +1,75 @@
 name: Add Netlify Links To Changed Pages
 on:
-    workflow_call:
+  workflow_call:
+  pull_request_target:
 jobs:
-    get-pr-changes:
-        name: Get Changed Files & Update PR Description
-        runs-on: ubuntu-latest
-        permissions:
-            issues: write
-            contents: write
-            pull-requests: write
-            repository-projects: write
-        steps:
-          - uses: actions/checkout@v4
-          - name: Get Changed Files
-            id: changed-files
-            uses: tj-actions/changed-files@v44
-            with:
-              separator: ","
-              files: source/**
-          - name: Build Netlify Links for Changed Pages
-            id: build_page_links
-            run: |
-              new_links=""
-              base_link='https://deploy-preview-${{ github.event.number }}--mongodb-docs-csharp.netlify.app'
-              changed_files=${{ steps.changed-files.outputs.all_changed_files }}
-              files=$(echo $changed_files | tr "," "\n")
-              for file in $files; do
-                echo "processing ${file}"
-                if (! grep -s "includes/"  <<< $file) && 
-                    (! grep -s "images/"  <<< $file) && 
-                    (! grep -s "examples/"  <<< $file); then
-                  file="${file#source}"
-                  file="${file%.txt}"
-                  filenoslash="${file:1}"
-                  echo "${base_link}${file}"
-                  new_links+="<li><a href=${base_link}${file}>${filenoslash}</a></li>"
-                else
-                  echo "(file skipped)"
-                fi
-              done
-              if [ "$new_links" == "" ]; then
-                new_links="No pages to preview"
-              fi
-              echo "Final new_links string: "
-              echo "${new_links}"
-              echo "staging_links=${new_links}" >> "$GITHUB_OUTPUT"
-          - name: Update the PR Description
-            uses: MongoCaleb/pr-description-action@master
-            with:
-                regex: "<!-- start insert-links -->.*<!-- end insert-links -->"
-                appendContentOnMatchOnly: true
-                regexFlags: is
-                content: "<!-- start insert-links -->\n${{ steps.build_page_links.outputs.staging_links }}\n<!-- end insert-links -->"
-                token: ${{ secrets.GITHUB_TOKEN }}
+  get-pr-changes:
+    name: Get Changed Files & Update PR Description
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      contents: write
+      pull-requests: write
+      repository-projects: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Get Changed Files
+        id: changed-files
+        # pin to a specific commit to ensure stability
+        uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c
+        with:
+          separator: ","
+          files: source/**
+      - name: Build Netlify Links for Changed Pages
+        id: build_page_links
+        env:
+          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+        run: |
+          # Function to validate file paths
+          validate_file_path() {
+            local file_path="$1"
+            # Allow only alphanumeric characters, _ . / and -
+            if [[ ! "$file_path" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
+              echo "Invalid file path detected: $file_path" >&2
+              return 1
+            fi
+          }
+
+          new_links=""
+          base_link='https://deploy-preview-${{ github.event.number }}--mongodb-docs-csharp.netlify.app'
+          files=$(echo "$CHANGED_FILES" | tr "," "\n")
+          for file in $files; do
+            echo "processing ${file}"
+            
+            # Validate file path and skip if invalid 
+            validate_file_path "$file"
+            if [ $? -ne 0 ]; then
+              continue
+            fi
+            
+            if (! grep -s "includes/"  <<< "$file") && 
+                (! grep -s "images/"  <<< "$file") && 
+                (! grep -s "examples/"  <<< "$file"); then
+              file="${file#source}"
+              file="${file%.txt}"
+              filenoslash="${file:1}"
+              echo "${base_link}${file}"
+              new_links+="<li><a href=${base_link}${file}>${filenoslash}</a></li>"
+            else
+              echo "(file skipped)"
+            fi
+          done
+          if [ "$new_links" == "" ]; then
+            new_links="No pages to preview"
+          fi
+          echo "Final new_links string: "
+          echo "${new_links}"
+          echo "staging_links=${new_links}" >> "$GITHUB_OUTPUT"
+      - name: Update the PR Description
+        uses: MongoCaleb/pr-description-action@master
+        with:
+          regex: "<!-- start insert-links -->.*<!-- end insert-links -->"
+          appendContentOnMatchOnly: true
+          regexFlags: is
+          content: "<!-- start insert-links -->\n${{ steps.build_page_links.outputs.staging_links }}\n<!-- end insert-links -->"
+          token: ${{ secrets.GITHUB_TOKEN }}
