This repository was archived by the owner on Jun 27, 2025. It is now read-only.

Migrate to jfrog#26

Open
benjaminshim wants to merge 10 commits into master from migrate-to-jfrog

Conversation

@benjaminshim

No description provided.

Comment on lines +72 to +91
run: |
echo "${{ inputs.version-path }}"
if [ -r "${{ inputs.version-path }}" ]; then
echo "${{ inputs.version-path }}"
# Extract version from setup.py or similar file
VERSION=$(cat "${{ inputs.version-path }}" | grep -i 'version[ ]*=[ ]*["\'\''][0-9]\+\.[0-9]\+\.[0-9]\+' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
echo "$VERSION"
if [ -z "$VERSION" ]; then
# Try getting it with setuptools if direct grep fails
python -c "import setuptools; exec(open('${{ inputs.version-path }}').read()); print(__version__ if 'version' not in locals() else version)" > version.txt 2>/dev/null || true
if [ -s version.txt ]; then
VERSION=$(cat version.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
fi
fi
echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
else
echo "Version file not found at ${{ inputs.version-path }}"
echo "VERSION=unknown" >> $GITHUB_OUTPUT
fi
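Review bot: the fallback `python -c "import setuptools; exec(open('${{ inputs.version-path }}').read()); ..."` executes the whole version file as Python on the runner, so even after the path is moved into an env var the step still runs whatever code that file contains with the job's permissions and secrets; read the file and match the version with a regular expression (or parse the assignment with `ast`) instead of `exec`. Two smaller points: `>> $GITHUB_OUTPUT` on the two output lines should be `>> "$GITHUB_OUTPUT"` to match the quoting used elsewhere in the script, and the path is echoed twice in a row (before and inside the `if`), which looks like leftover debugging.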


@semgrep-managed-scan semgrep-managed-scan bot Jun 9, 2025


Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

🧁 Fixed in commit 6d459d2 🧁

Comment on lines +72 to +91
run: |
echo "${{ inputs.version-path }}"
if [ -r "${{ inputs.version-path }}" ]; then
echo "${{ inputs.version-path }}"
# Extract version from setup.py or similar file
VERSION=$(cat "${{ inputs.version-path }}" | grep -i 'version[ _]*=[ ]*["\'\''][0-9]\+\.[0-9]\+\.[0-9]\+' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
echo "$VERSION"
if [ -z "$VERSION" ]; then
# Try getting it with setuptools if direct grep fails
python -c "import setuptools; exec(open('${{ inputs.version-path }}').read()); print(__version__ if 'version' not in locals() else version)" > version.txt 2>/dev/null || true
if [ -s version.txt ]; then
VERSION=$(cat version.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
fi
fi
echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
else
echo "Version file not found at ${{ inputs.version-path }}"
echo "VERSION=unknown" >> $GITHUB_OUTPUT
fi


Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
run: |
echo "${{ inputs.version-path }}"
if [ -r "${{ inputs.version-path }}" ]; then
echo "${{ inputs.version-path }}"
# Extract version from setup.py or similar file
VERSION=$(cat "${{ inputs.version-path }}" | grep -i 'version[ _]*=[ ]*["\'\''][0-9]\+\.[0-9]\+\.[0-9]\+' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
echo "$VERSION"
if [ -z "$VERSION" ]; then
# Try getting it with setuptools if direct grep fails
python -c "import setuptools; exec(open('${{ inputs.version-path }}').read()); print(__version__ if 'version' not in locals() else version)" > version.txt 2>/dev/null || true
if [ -s version.txt ]; then
VERSION=$(cat version.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
fi
fi
echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
else
echo "Version file not found at ${{ inputs.version-path }}"
echo "VERSION=unknown" >> $GITHUB_OUTPUT
fi
env:
VERSION_PATH: ${{ inputs.version-path }}
run: |
echo "$VERSION_PATH"
if [ -r "$VERSION_PATH" ]; then
echo "$VERSION_PATH"
# Extract version from setup.py or similar file
VERSION=$(cat "$VERSION_PATH" | grep -i 'version[ _]*=[ ]*["\'\''][0-9]\+\.[0-9]\+\.[0-9]\+' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
echo "$VERSION"
if [ -z "$VERSION" ]; then
# Try getting it with setuptools if direct grep fails
python -c "import setuptools; exec(open('$VERSION_PATH').read()); print(__version__ if 'version' not in locals() else version)" > version.txt 2>/dev/null || true
if [ -s version.txt ]; then
VERSION=$(cat version.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
fi
fi
echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
else
echo "Version file not found at $VERSION_PATH"
echo "VERSION=unknown" >> $GITHUB_OUTPUT
fi
View step-by-step instructions
  1. Add environment variables to the step to store untrusted input values:

    - name: Extract Version
      id: extract_version
      env:
        VERSION_PATH: ${{ inputs.version-path }}
      run: |
        echo "$VERSION_PATH"
        if [ -r "$VERSION_PATH" ]; then
          echo "$VERSION_PATH"
          # Extract version from setup.py or similar file
          VERSION=$(cat "$VERSION_PATH" | grep -i 'version[ _]*=[ ]*["\'\''][0-9]\+\.[0-9]\+\.[0-9]\+' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
          echo "$VERSION"
          if [ -z "$VERSION" ]; then
            # Try getting it with setuptools if direct grep fails
            python -c "import setuptools; exec(open('$VERSION_PATH').read()); print(__version__ if 'version' not in locals() else version)" > version.txt 2>/dev/null || true
            if [ -s version.txt ]; then
              VERSION=$(cat version.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
            fi
          fi
          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
        else
          echo "Version file not found at $VERSION_PATH"
          echo "VERSION=unknown" >> $GITHUB_OUTPUT
        fi
  2. Also update the Build and publish step to use environment variables:

    - name: Build and publish
      env:
        TWINE_USERNAME: ${{ secrets.UV_INDEX_JFROG_USERNAME }}
        TWINE_PASSWORD: ${{ secrets.UV_INDEX_JFROG_PASSWORD }}
        REPOSITORY_URL: ${{ inputs.repository-url }}
      run: |
        python3 setup.py sdist bdist_wheel
        twine upload --non-interactive -u $TWINE_USERNAME -p $TWINE_PASSWORD --repository-url "$REPOSITORY_URL" dist/*

Using environment variables prevents direct interpolation of potentially dangerous input values in shell commands, reducing the risk of command injection attacks.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.

You can view more details about this finding in the Semgrep AppSec Platform.
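The finding above is about `${{ }}` expressions expanded directly inside a `run:` script. As an added example (not part of this PR and not Semgrep's rule), the following stand-alone check walks a workflow file, tracks each `run:` block by indentation and reports every `${{ }}` expression found inside it, while leaving expressions under `env:` alone; the workflow fragment is constructed for the example and modelled on the step flagged here.

```python
import re

# Constructed workflow fragment for this example: the first step keeps the
# flagged pattern, the second uses the env: indirection the finding asks for.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    steps:
      - name: Extract Version
        id: extract_version
        run: |
          echo "${{ inputs.version-path }}"
          if [ -r "${{ inputs.version-path }}" ]; then
            echo "VERSION=unknown" >> $GITHUB_OUTPUT
          fi
      - name: Safe step
        env:
          VERSION_PATH: ${{ inputs.version-path }}
        run: |
          echo "$VERSION_PATH"
"""

EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
# group 1 is everything before the `run` key (indent plus optional "- "),
# so its length is the column of the key; group 3 is an inline script, if any.
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(\|[-+]?|>[-+]?)?\s*(.*)$")


def find_run_interpolations(yaml_text):
    """Return (line_no, expression) for every ${{ }} inside a run: script.

    A block scalar after `run:` is taken to extend over every following line
    indented deeper than the `run` key; the first non-blank line at or above
    that column ends the script. Expressions under env: are not reported.
    """
    findings = []
    run_col = None
    for no, line in enumerate(yaml_text.splitlines(), 1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip(" "))
            if line.strip() and indent <= run_col:
                run_col = None  # script block ended
            else:
                findings.extend((no, m.group(1)) for m in EXPR_RE.finditer(line))
                continue
        m = RUN_RE.match(line)
        if m:
            run_col = len(m.group(1))
            findings.extend((no, e.group(1)) for e in EXPR_RE.finditer(m.group(3)))
    return findings


if __name__ == "__main__":
    for no, expr in find_run_interpolations(SAMPLE_WORKFLOW):
        print(f"line {no}: ${{{{ {expr} }}}} expanded inside run:")
```

Running it over the sample reports the two expansions in the first step (lines 7 and 8) and nothing for the step that reads `$VERSION_PATH` from `env:`.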
