Skip to content

Use double for all ok fields#52

Draft
AlekSi wants to merge 5 commits intoferretdbfrom
double-ok
Draft

Use double for all ok fields#52
AlekSi wants to merge 5 commits intoferretdbfrom
double-ok

Conversation

@AlekSi
Copy link
Member

@AlekSi AlekSi commented Apr 18, 2025

No description provided.

@AlekSi AlekSi added packages PRs that should build packages trust PRs that can access Actions secrets labels Apr 18, 2025
@mergify mergify bot assigned AlekSi Apr 18, 2025
@AlekSi
Merge remote-tracking branch 'upstream/main' into double-ok
bcfdeb0 
# Conflicts:
#	packaging/build_packages.sh
#	packaging/debian_files/changelog
#	pg_documentdb/src/commands/users.c
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 2, 2025
View reviewed changes
.github/workflows/ferretdb_go_tests.yml
Comment on lines +28 to +59
name: Test
runs-on: ubuntu-24.04
timeout-minutes: 15

# Do not run this job in parallel for any PR change or branch push.
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
cancel-in-progress: true

if: github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'not ready')

steps:
# TODO https://github.com/FerretDB/github-actions/issues/211
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Go
uses: FerretDB/github-actions/setup-go@main

- name: Run tests
run: |
cd ferretdb_packaging
go mod tidy
go mod verify
go test ./...

- name: Check dirty
if: always()
run: |
git status --untracked-files --ignored
git status
git diff --exit-code

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 8 months ago

To fix the issue, we need to add a permissions block to the workflow or job to explicitly limit the permissions of the GITHUB_TOKEN. Since the workflow only requires read access to repository contents, we can set contents: read at the job level. This ensures the workflow has the minimal permissions necessary to complete its tasks.

The changes will be made in the .github/workflows/ferretdb_go_tests.yml file:

  1. Add a permissions block under the test job.
  2. Set contents: read as the permission.
Suggested changeset 1
.github/workflows/ferretdb_go_tests.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_go_tests.yml b/.github/workflows/ferretdb_go_tests.yml
--- a/.github/workflows/ferretdb_go_tests.yml
+++ b/.github/workflows/ferretdb_go_tests.yml
@@ -30,2 +30,4 @@
     timeout-minutes: 15
+    permissions:
+      contents: read
 
EOF
@@ -30,2 +30,4 @@
timeout-minutes: 15
permissions:
contents: read

Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/ferretdb_packages.yml
Comment on lines +120 to +124
with:
name: ${{ matrix.os }}-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging/*.deb
retention-days: 1
if-no-files-found: error

Check failure

Code scanning / CodeQL

Cache Poisoning via execution of untrusted code High

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. (
pull_request_target
Loading
).

Copilot Autofix

AI 8 months ago

To fix the issue, the workflow should avoid executing untrusted code in the context of the default branch. This can be achieved by replacing the pull_request_target event with the pull_request event, which scopes the workflow to the pull request branch instead of the default branch. Additionally, any steps that rely on untrusted code should be isolated or validated to ensure they do not introduce security vulnerabilities. Specifically:

  1. Replace pull_request_target with pull_request in the on section.
  2. Remove or adjust steps that directly use untrusted code (e.g., checkout pull request code).
  3. Validate any inputs derived from untrusted sources before using them in critical operations.
Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -25,3 +25,3 @@
 on:
-  pull_request_target:
+  pull_request:
     types:
@@ -85,3 +85,3 @@
       - name: Checkout pull request code
-        if: github.event_name == 'pull_request_target'
+        if: github.event_name == 'pull_request'
         uses: actions/checkout@v4
EOF
@@ -25,3 +25,3 @@
on:
pull_request_target:
pull_request:
types:
@@ -85,3 +85,3 @@
- name: Checkout pull request code
if: github.event_name == 'pull_request_target'
if: github.event_name == 'pull_request'
uses: actions/checkout@v4
Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/ferretdb_packages.yml
Comment on lines +200 to +203
- name: Initialize Docker builder
run: make -C ferretdb_packaging docker-init

- name: Build local development Docker image

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Potential execution of untrusted code on a privileged workflow (
pull_request_target
Loading
)
.github/workflows/ferretdb_packages.yml
path: packaging

- name: Initialize Docker builder
run: make -C ferretdb_packaging docker-init

Check failure

Code scanning / CodeQL

Artifact poisoning Critical

Potential artifact poisoning in
make -C ferretdb_packaging docker-init
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix

AI 8 months ago

To fix the issue, the artifact should be extracted into a temporary directory instead of the packaging directory. This ensures that the artifact cannot override existing files. Additionally, the contents of the artifact should be verified before they are used. For example, if specific files are expected, their presence and integrity should be checked. This approach mitigates the risk of artifact poisoning.

Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -197,3 +197,12 @@
           name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
-          path: packaging
+          path: ${{ runner.temp }}/artifacts
+
+      - name: Verify artifact contents
+        run: |
+          mkdir -p packaging
+          if [ ! -f "${{ runner.temp }}/artifacts/expected_file" ]; then
+            echo "Expected file not found in artifact" >&2
+            exit 1
+          fi
+          cp -r ${{ runner.temp }}/artifacts/* packaging/
 
EOF
@@ -197,3 +197,12 @@
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging
path: ${{ runner.temp }}/artifacts

- name: Verify artifact contents
run: |
mkdir -p packaging
if [ ! -f "${{ runner.temp }}/artifacts/expected_file" ]; then
echo "Expected file not found in artifact" >&2
exit 1
fi
cp -r ${{ runner.temp }}/artifacts/* packaging/

Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/ferretdb_packages.yml
Comment on lines +205 to +211
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=development
OUTPUT='type=docker'
TAGS='${{ steps.version.outputs.docker_development_tag_flags }}'

Check failure

Code scanning / CodeQL

Artifact poisoning Critical

Potential artifact poisoning in
make -C ferretdb_packaging docker-build POSTGRES_VERSION=${ matrix.pg } DOCUMENTDB_VERSION=${ steps.version.outputs.debian_version } FILE=development OUTPUT='type=docker' TAGS='${ steps.version.outputs.docker_development_tag_flags }'
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix

AI 8 months ago

To fix the artifact poisoning issue, the workflow should treat the downloaded artifact as untrusted and verify its contents before using it. Specifically:

  1. Extract the artifact to a temporary directory to prevent it from overwriting existing files.
  2. Verify the contents of the artifact to ensure they match the expected format or values.
  3. Use the verified contents in subsequent steps.

The changes will involve modifying the artifact download step to specify a temporary directory and adding a verification step before using the artifact.

Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -193,2 +193,5 @@
 
+      - name: Create temporary directory for artifact
+        run: mkdir -p ${{ runner.temp }}/artifacts/
+
       - name: Download deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
@@ -197,3 +200,3 @@
           name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
-          path: packaging
+          path: ${{ runner.temp }}/artifacts/
 
@@ -205,2 +208,7 @@
         run: >
+          # Verify artifact contents
+          if [ ! -f ${{ runner.temp }}/artifacts/deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }} ]; then
+            echo "Artifact verification failed: File not found"
+            exit 1
+          fi
           make -C ferretdb_packaging docker-build
EOF
@@ -193,2 +193,5 @@

- name: Create temporary directory for artifact
run: mkdir -p ${{ runner.temp }}/artifacts/

- name: Download deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
@@ -197,3 +200,3 @@
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging
path: ${{ runner.temp }}/artifacts/

@@ -205,2 +208,7 @@
run: >
# Verify artifact contents
if [ ! -f ${{ runner.temp }}/artifacts/deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }} ]; then
echo "Artifact verification failed: File not found"
exit 1
fi
make -C ferretdb_packaging docker-build
Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/ferretdb_packages.yml
Comment on lines +215 to +221
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=production
OUTPUT='type=docker'
TAGS='${{ steps.version.outputs.docker_production_tag_flags }}'

Check failure

Code scanning / CodeQL

Artifact poisoning Critical

Potential artifact poisoning in
make -C ferretdb_packaging docker-build POSTGRES_VERSION=${ matrix.pg } DOCUMENTDB_VERSION=${ steps.version.outputs.debian_version } FILE=production OUTPUT='type=docker' TAGS='${ steps.version.outputs.docker_production_tag_flags }'
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix

AI 8 months ago

To fix the issue, the workflow should treat the artifact as untrusted and follow best practices for handling artifacts:

  1. Extract the artifact into a temporary directory to prevent overwriting existing files.
  2. Validate the contents of the artifact before using it in any commands.

Specifically:

  • Modify the actions/download-artifact step to extract the artifact into a temporary directory.
  • Add a validation step to ensure the artifact contents are as expected before proceeding with the make command.
Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -193,2 +193,5 @@
 
+      - name: Create temporary directory for artifact
+        run: mkdir -p ${{ runner.temp }}/packaging
+
       - name: Download deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
@@ -197,3 +200,3 @@
           name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
-          path: packaging
+          path: ${{ runner.temp }}/packaging
 
@@ -214,3 +217,10 @@
         if: steps.version.outputs.docker_production_tag_flags != ''
-        run: >
+        run: |
+          # Validate artifact contents
+          if [ ! -f ${{ runner.temp }}/packaging/expected_file ]; then
+            echo "Artifact validation failed: expected_file not found"
+            exit 1
+          fi
+
+          # Proceed with build
           make -C ferretdb_packaging docker-build
EOF
@@ -193,2 +193,5 @@

- name: Create temporary directory for artifact
run: mkdir -p ${{ runner.temp }}/packaging

- name: Download deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
@@ -197,3 +200,3 @@
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging
path: ${{ runner.temp }}/packaging

@@ -214,3 +217,10 @@
if: steps.version.outputs.docker_production_tag_flags != ''
run: >
run: |
# Validate artifact contents
if [ ! -f ${{ runner.temp }}/packaging/expected_file ]; then
echo "Artifact validation failed: expected_file not found"
exit 1
fi

# Proceed with build
make -C ferretdb_packaging docker-build
Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/ferretdb_packages.yml
Comment on lines +220 to +230
OUTPUT='type=docker'
TAGS='${{ steps.version.outputs.docker_production_tag_flags }}'

- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ferretdbbot
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v3

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Potential execution of untrusted code on a privileged workflow (
pull_request_target
Loading
)
.github/workflows/ferretdb_packages.yml
Comment on lines +245 to +251
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=development
OUTPUT='type=image,push=true'
TAGS='${{ steps.version.outputs.docker_development_tag_flags }}'

Check failure

Code scanning / CodeQL

Artifact poisoning Critical

Potential artifact poisoning in
make -C ferretdb_packaging docker-build POSTGRES_VERSION=${ matrix.pg } DOCUMENTDB_VERSION=${ steps.version.outputs.debian_version } FILE=development OUTPUT='type=image,push=true' TAGS='${ steps.version.outputs.docker_development_tag_flags }'
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix

AI 8 months ago

To fix the issue, the workflow should treat the artifact as untrusted and isolate its contents in a temporary directory. Additionally, the contents of the artifact should be verified before use. This involves:

  1. Creating a temporary directory for artifact extraction.
  2. Modifying the actions/download-artifact step to extract the artifact into the temporary directory.
  3. Adding a verification step to ensure the artifact's contents are as expected before proceeding with the Docker build.
Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -193,2 +193,5 @@
 
+      - name: Create temporary directory for artifact
+        run: mkdir -p ${{ runner.temp }}/artifacts
+
       - name: Download deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
@@ -197,3 +200,3 @@
           name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
-          path: packaging
+          path: ${{ runner.temp }}/artifacts
 
@@ -245,2 +248,8 @@
         run: >
+          # Verify artifact contents
+          if [ ! -f ${{ runner.temp }}/artifacts/deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }} ]; then
+            echo "Artifact verification failed: File not found"
+            exit 1
+          fi
+
           make -C ferretdb_packaging docker-build
EOF
@@ -193,2 +193,5 @@

- name: Create temporary directory for artifact
run: mkdir -p ${{ runner.temp }}/artifacts

- name: Download deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
@@ -197,3 +200,3 @@
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging
path: ${{ runner.temp }}/artifacts

@@ -245,2 +248,8 @@
run: >
# Verify artifact contents
if [ ! -f ${{ runner.temp }}/artifacts/deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }} ]; then
echo "Artifact verification failed: File not found"
exit 1
fi

make -C ferretdb_packaging docker-build
Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/ferretdb_packages.yml
Comment on lines +255 to +261
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=production
OUTPUT='type=image,push=true'
TAGS='${{ steps.version.outputs.docker_production_tag_flags }}'

Check failure

Code scanning / CodeQL

Artifact poisoning Critical

Potential artifact poisoning in
make -C ferretdb_packaging docker-build POSTGRES_VERSION=${ matrix.pg } DOCUMENTDB_VERSION=${ steps.version.outputs.debian_version } FILE=production OUTPUT='type=image,push=true' TAGS='${ steps.version.outputs.docker_production_tag_flags }'
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix

AI 8 months ago

To fix the artifact poisoning issue, the workflow should treat the downloaded artifact as untrusted and isolate its contents. Specifically:

  1. Extract the artifact to a temporary directory to prevent overwriting existing files.
  2. Verify the contents of the artifact before using them in subsequent steps.
  3. Ensure that any untrusted inputs (e.g., matrix.pg and steps.version.outputs.debian_version) are sanitized or validated.

The changes will involve modifying the artifact download step to specify a temporary directory and adding a verification step to check the artifact's contents before proceeding.

Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -197,3 +197,11 @@
           name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
-          path: packaging
+          path: ${{ runner.temp }}/packaging
+
+      - name: Verify artifact contents
+        run: |
+          if [ ! -f "${{ runner.temp }}/packaging/expected_file" ]; then
+            echo "Artifact verification failed: expected file not found."
+            exit 1
+          fi
+          # Additional verification logic can be added here
 
@@ -261,2 +269,4 @@
           TAGS='${{ steps.version.outputs.docker_production_tag_flags }}'
+          ARTIFACT_DIR=${{ runner.temp }}/packaging
+          # Ensure the artifact directory is used securely
 
EOF
@@ -197,3 +197,11 @@
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging
path: ${{ runner.temp }}/packaging

- name: Verify artifact contents
run: |
if [ ! -f "${{ runner.temp }}/packaging/expected_file" ]; then
echo "Artifact verification failed: expected file not found."
exit 1
fi
# Additional verification logic can be added here

@@ -261,2 +269,4 @@
TAGS='${{ steps.version.outputs.docker_production_tag_flags }}'
ARTIFACT_DIR=${{ runner.temp }}/packaging
# Ensure the artifact directory is used securely

Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/ferretdb_packages.yml
Comment on lines +256 to +266
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=production
OUTPUT='type=image,push=true'
TAGS='${{ steps.version.outputs.docker_production_tag_flags }}'

- name: Check dirty
run: |
git status
git diff --exit-code

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Potential execution of untrusted code on a privileged workflow (
pull_request_target
Loading
)
@mergify
Copy link

mergify bot commented Jul 2, 2025

@AlekSi this pull request has merge conflicts.

@mergify mergify bot added the conflict PRs that have merge conflicts label Jul 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@AlekSi AlekSi

Labels

conflict PRs that have merge conflicts packages PRs that should build packages trust PRs that can access Actions secrets

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AlekSi

Comments