Merge pull request #88 from Automattic/add/codeql

ci: add CodeQL Scan workflow

Author: sjinks

.github/workflows/codeql.yml

@@ -0,0 +1,41 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - trunk
+  pull_request:
+    branches:
+      - trunk
+  schedule:
+    - cron: '24 5 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - javascript-typescript
+          - actions
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: '/language:${{matrix.language}}'

.github/workflows/lint.yml

@@ -14,9 +14,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout

.github/workflows/npm-prepare-release.yml

@@ -14,16 +14,22 @@ on:
           - minor
           - major
 
+permissions:
+  contents: read
+
 jobs:
   prepare:
     name: Prepare a new npm release
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Check out the source code
         uses: actions/checkout@v4
 
       - name: Run npm-prepare-release
-        uses: Automattic/vip-actions/npm-prepare-release@v0.1.2
+        uses: Automattic/vip-actions/npm-prepare-release@1137b91acf0f5ea4e0db044bcf14ceabed9b068f # trunk
         with:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           npm-version-type: ${{ inputs.npm-version-type }}

.github/workflows/npm-publish.yml

@@ -4,13 +4,21 @@ on:
   pull_request:
     types: [closed]
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: Publish to npm
     runs-on: ubuntu-latest
     if: contains( github.event.pull_request.labels.*.name, '[ Type ] NPM version update' ) && startsWith( github.head_ref, 'release/') && github.event.pull_request.merged == true
+    permissions:
+      contents: write
+      id-token: write
+      pull-requests: write
     steps:
-      - uses: Automattic/vip-actions/npm-publish@v0.1.2
+      - uses: Automattic/vip-actions/npm-publish@1137b91acf0f5ea4e0db044bcf14ceabed9b068f # trunk
         with:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          PROVENANCE: 'true'

.github/workflows/stale.yml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     name: Stale
@@ -12,4 +15,4 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: Automattic/vip-actions/stale@trunk
+      - uses: Automattic/vip-actions/stale@1137b91acf0f5ea4e0db044bcf14ceabed9b068f # trunk

.github/workflows/test.yml

@@ -14,9 +14,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       matrix:

src/cli.ts

@@ -430,7 +430,7 @@ harmonia.on( 'issue', ( issue: Issue ) => {
 	const documentation = issue.documentation ? `(${ issue.documentation })` : '';
 
 	// Replace \n with \n\t\t to keep new lines aligned
-	const message = issue.message.replace( '\n', '\n\t\t' );
+	const message = issue.message.replace( /\n/g, '\n\t\t' );
 	logToConsole( `    ${ issueTypeString } \t${ message } ${ documentation }` );
 
 	// If it's a Blocker or Error, and the issue includes a stdout, print it out.

src/tests/docker/build.test.ts

@@ -1,7 +1,7 @@
 import path from 'path';
 import Test from '../../lib/tests/test';
 import chalk from 'chalk';
-import { executeShell, executeShellSync } from '../../utils/shell';
+import { escapeShellArg, executeShell, executeShellSync } from '../../utils/shell';
 import Harmonia from '../../harmonia';
 
 export default class DockerBuild extends Test {
@@ -70,7 +70,7 @@ export default class DockerBuild extends Test {
 	 */
 	private async buildApp(): Promise<string> {
 		const script = path.resolve( __dirname, '../../..', 'scripts/build-app/build.sh' );
-		const subprocess = executeShell( `bash ${ script }`, {
+		const subprocess = executeShell( `bash ${ escapeShellArg( script ) }`, {
 			...this.envVariables,
 			NODE_VERSION: this.nodeVersion,
 		} );
@@ -97,7 +97,7 @@ export default class DockerBuild extends Test {
 		this.notice( `Using a data-only image ${ chalk.yellow( dataImage ) } ` );
 
 		const script = path.resolve( __dirname, '../../..', 'scripts/data-only/build.sh' );
-		const subprocess = executeShell( `bash ${ script }`, {
+		const subprocess = executeShell( `bash ${ escapeShellArg( script ) }`, {
 			NODE_VERSION: this.nodeVersion,
 			DATAONLY_IMAGE: dataImage,
 		} );
@@ -123,7 +123,7 @@ export default class DockerBuild extends Test {
 	 */
 	private getDockerImage( dockerImage: string ): string | boolean {
 		try {
-			const subprocess = executeShellSync( `docker images --filter reference=${ dockerImage } --format {{.Repository}}:{{.Tag}}` );
+			const subprocess = executeShellSync( `docker images --filter reference=${ escapeShellArg( dockerImage ) } --format {{.Repository}}:{{.Tag}}` );
 
 			if ( subprocess.stdout === '' || subprocess.exitCode !== 0 ) {
 				return false;

src/tests/docker/healthcheck.test.ts

@@ -1,7 +1,7 @@
 import chalk from 'chalk';
 
 import Test from '../../lib/tests/test';
-import { executeShell } from '../../utils/shell';
+import { escapeShellArg, executeShell } from '../../utils/shell';
 import fetchWithTiming, { HarmoniaFetchError } from '../../utils/http';
 
 const CACHE_HEALTHCHECK_ROUTE = '/cache-healthcheck?';
@@ -57,7 +57,7 @@ export default class HealthcheckTest extends Test {
 
 		let logs;
 		try {
-			const subprocess = await executeShell( `docker logs ${ this.containerName } --since ${ this.startDate }` );
+			const subprocess = await executeShell( `docker logs ${ escapeShellArg( this.containerName ) } --since ${ escapeShellArg( this.startDate ) }` );
 			logs = subprocess.all;
 		} catch ( err ) {
 			this.log( 'Error getting docker logs: ' + ( err as Error ).message );

src/tests/docker/run.test.ts

@@ -1,6 +1,6 @@
 import Test from '../../lib/tests/test';
 import chalk from 'chalk';
-import { executeShell } from '../../utils/shell';
+import { escapeShellArg, executeShell } from '../../utils/shell';
 import { createHash } from 'crypto';
 import { wait } from '../../utils/wait';
 import Harmonia from '../../harmonia';
@@ -51,7 +51,7 @@ export default class DockerRun extends Test {
 
 			// Build the `--env` string of options for Docker with the environment variable keys
 			const environmentVarDockerOption = Object.keys( environmentVars ).reduce( ( string, envVarName ) => {
-				return `${ string } -e ${ envVarName }`;
+				return `${ string } -e ${ escapeShellArg( envVarName ) }`;
 			}, '' );
 
 			let dockerNetwork = `-p ${ this.port }:${ this.port }`;
@@ -60,8 +60,8 @@ export default class DockerRun extends Test {
 				dockerNetwork = '--network host';
 			}
 
-			const dockerCommand = `docker run -t ${ dockerNetwork } --name ${ this.containerName } ${ environmentVarDockerOption } ${ this.imageTag }`;
-			const subprocess = executeShell( dockerCommand,	environmentVars );
+			const dockerCommand = `docker run -t ${ dockerNetwork } --name ${ escapeShellArg( this.containerName ) } ${ environmentVarDockerOption } ${ escapeShellArg( this.imageTag ) }`;
+			const subprocess = executeShell( dockerCommand, environmentVars );
 
 			if ( Harmonia.isVerbose() ) {
 				subprocess.stdout?.pipe( process.stdout );

src/tests/health/base.test.ts

@@ -1,7 +1,7 @@
 import chalk from 'chalk';
 
 import Test from '../../lib/tests/test';
-import { executeShell } from '../../utils/shell';
+import { escapeShellArg, executeShell } from '../../utils/shell';
 import fetchWithTiming, { HarmoniaFetchError, TimedResponse } from '../../utils/http';
 import Issue from '../../lib/issue';
 import { isWebUri } from '../../utils/url';
@@ -49,8 +49,8 @@ export default abstract class BaseHealthTest extends Test {
 		} catch ( error ) {
 			if ( error instanceof HarmoniaFetchError ) {
 				// Get logs
-				const subprocess = await executeShell( `docker logs ${ this.containerName } --since ${ error.getStartDate().toISOString() } ` +
-					`--until ${ error.getEndDate().toISOString() }` );
+				const subprocess = await executeShell( `docker logs ${ escapeShellArg( this.containerName ) } --since ${ escapeShellArg( error.getStartDate().toISOString() ) } ` +
+					`--until ${ escapeShellArg( error.getEndDate().toISOString() ) }` );
 				const logs = subprocess.all;
 
 				this.error( `Error fetching ${ error.getURL() }: ${ error.message }`, undefined, { all: logs } );
@@ -93,7 +93,7 @@ export default abstract class BaseHealthTest extends Test {
 		// Check for logs
 		let logs;
 		try {
-			const subprocess = await executeShell( `docker logs ${ this.containerName } --since ${ request.startDate.toISOString() }` );
+			const subprocess = await executeShell( `docker logs ${ escapeShellArg( this.containerName ) } --since ${ escapeShellArg( request.startDate.toISOString() ) }` );
 			logs = subprocess.all;
 		} catch ( err ) {
 			this.log( 'Error getting docker logs: ' + ( err as Error ).message );

src/utils/shell.ts

@@ -1,17 +1,38 @@
-import execa, { ExecaChildProcess } from 'execa';
+import { platform } from 'node:os';
+import execa, { type ExecaChildProcess } from 'execa';
 
 const subprocesses: ExecaChildProcess[] = [];
 let cwd = process.cwd();
 
-export function executeShell( command, envVars = {} ) {
+export function escapeShellArg( arg: string ): string {
+	if ( ! arg ) {
+		return '""';
+	}
+
+	if ( platform() === 'win32' ) {
+		// For Windows cmd.exe, we need to handle several special characters
+		// First handle backslashes and double quotes
+		let escaped = arg.replace( /(\\*)"/g, '$1$1\\"' ).replace( /(\\*)$/, '$1$1' );
+
+		// Then handle special shell characters: ^ ! % ~ & < > | ' `
+		escaped = escaped.replace( /([&^|<>()!"%~])/g, '^$1' );
+
+		return `"${ escaped }"`;
+	}
+
+	// Unix/Linux/macOS: single quotes around the string and escape single quotes within
+	return `'${ arg.replace( /'/g, "'\\''" ) }'`;
+}
+
+export function executeShell( command: string, envVars = {} ) {
 	const envVariables = {
 		VIP_GO_APP_ID: 'unknown',
 	};
 
 	const promise = execa.command( command, {
 		all: true,
 		cwd,
-		env: Object.assign( {}, envVariables, envVars ),
+		env: { ...envVariables, ...envVars },
 	} );
 
 	subprocesses.push( promise );
@@ -32,15 +53,15 @@ export function executeShell( command, envVars = {} ) {
 	return promise;
 }
 
-export function executeShellSync( command, envVars = {} ) {
+export function executeShellSync( command: string, envVars = {} ) {
 	const envVariables = {
 		VIP_GO_APP_ID: 'unknown',
 	};
 
 	return execa.commandSync( command, {
 		all: true,
 		cwd,
-		env: Object.assign( {}, envVariables, envVars ),
+		env: { ...envVariables, ...envVars },
 	} );
 }