From ed39b0ff51f9f86482c82c82e6bd34dbe18463e3 Mon Sep 17 00:00:00 2001
From: Dave Buchanan
Date: Wed, 25 Oct 2023 17:42:32 -0700
Subject: [PATCH 1/4] Adding a temporary fix to stop non-maintainers from RCE
---
 cicd/2-cicd/cicd.template.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml
index c0a8ac66..4be789c2 100644
--- a/cicd/2-cicd/cicd.template.yml
+++ b/cicd/2-cicd/cicd.template.yml
@@ -149,7 +149,10 @@ Resources:
 Type: BASE_REF
 - Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED
 Type: EVENT
-
+ # Manual PAUSE button, to disable non-GitHib-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
+ - - Pattern: ^(AfifahK|allison-code-dot-org|amy-b|angD13|annaxuphoto|artem-vavilov|bakerfranke|bdmesh|bencodeorg|bethanyaconnor|breville|carl-codeorg|cat5inthecradle|cearachew|code-org|dancodedotorg|davidsbailey|daynew|deploy-cod-org|dju90|dmantonyuk|dmcavoy|ebeastlake|Erin007|etaderhold|fisher-alice|hadipartovi|Hamms|hannahbergam|jamjamgobambam|jmkulwik|jordan-springer|juanmanzojr|kakiha11|katiejofr|kelbyhawn|kobryan0619|levadadenys|lfryemason|maribethb|markabarrett|mcatullo|mgc1194|mikeharv|molly-moen|moneppo|nataliazm99|nicklathe|Nokondi|onlinecsteacher|pablo-code-org|rshipp|samantha-code|sanchitmalhotra126|simonguest|snickell|sureshc|tess323|thomasoniii|tjcodeorg|tshaffercodeorg|TurnerRiley|unlox775-code-dot-org|vijayamanohararaj|wilkie)$
+ Type: ACTOR_ACCOUNT_ID
+
 # The CodeBuild Project is used in the CodePipeline pipeline to prepare for a release.
 # It will perform any steps defined in the referenced buildspec.yml file.
 LoadTestBuildProject:
From 598dc188b103733293ed05f17590147b74520140 Mon Sep 17 00:00:00 2001
From: Darin Webb
Date: Wed, 25 Oct 2023 20:30:12 -0500
Subject: [PATCH 2/4] include actor pattern in main filtergroup
---
 cicd/2-cicd/cicd.template.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml
index 4be789c2..1172334a 100644
--- a/cicd/2-cicd/cicd.template.yml
+++ b/cicd/2-cicd/cicd.template.yml
@@ -149,8 +149,8 @@ Resources:
 Type: BASE_REF
 - Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED
 Type: EVENT
- # Manual PAUSE button, to disable non-GitHib-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
- - - Pattern: ^(AfifahK|allison-code-dot-org|amy-b|angD13|annaxuphoto|artem-vavilov|bakerfranke|bdmesh|bencodeorg|bethanyaconnor|breville|carl-codeorg|cat5inthecradle|cearachew|code-org|dancodedotorg|davidsbailey|daynew|deploy-cod-org|dju90|dmantonyuk|dmcavoy|ebeastlake|Erin007|etaderhold|fisher-alice|hadipartovi|Hamms|hannahbergam|jamjamgobambam|jmkulwik|jordan-springer|juanmanzojr|kakiha11|katiejofr|kelbyhawn|kobryan0619|levadadenys|lfryemason|maribethb|markabarrett|mcatullo|mgc1194|mikeharv|molly-moen|moneppo|nataliazm99|nicklathe|Nokondi|onlinecsteacher|pablo-code-org|rshipp|samantha-code|sanchitmalhotra126|simonguest|snickell|sureshc|tess323|thomasoniii|tjcodeorg|tshaffercodeorg|TurnerRiley|unlox775-code-dot-org|vijayamanohararaj|wilkie)$
+ # Manual PAUSE button, to disable non-GitHib-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
+ - Pattern: ^(AfifahK|allison-code-dot-org|amy-b|angD13|annaxuphoto|artem-vavilov|bakerfranke|bdmesh|bencodeorg|bethanyaconnor|breville|carl-codeorg|cat5inthecradle|cearachew|code-org|dancodedotorg|davidsbailey|daynew|deploy-cod-org|dju90|dmantonyuk|dmcavoy|ebeastlake|Erin007|etaderhold|fisher-alice|hadipartovi|Hamms|hannahbergam|jamjamgobambam|jmkulwik|jordan-springer|juanmanzojr|kakiha11|katiejofr|kelbyhawn|kobryan0619|levadadenys|lfryemason|maribethb|markabarrett|mcatullo|mgc1194|mikeharv|molly-moen|moneppo|nataliazm99|nicklathe|Nokondi|onlinecsteacher|pablo-code-org|rshipp|samantha-code|sanchitmalhotra126|simonguest|snickell|sureshc|tess323|thomasoniii|tjcodeorg|tshaffercodeorg|TurnerRiley|unlox775-code-dot-org|vijayamanohararaj|wilkie)$
 Type: ACTOR_ACCOUNT_ID
 # The CodeBuild Project is used in the CodePipeline pipeline to prepare for a release.
From 974324bdc5f1eea8bfdd7bb628c5a05070f0cbd4 Mon Sep 17 00:00:00 2001
From: Dave Buchanan
Date: Thu, 26 Oct 2023 08:47:40 -0700
Subject: [PATCH 3/4] Switching to ID-based
---
 cicd/2-cicd/cicd.template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml
index 1172334a..735ee60b 100644
--- a/cicd/2-cicd/cicd.template.yml
+++ b/cicd/2-cicd/cicd.template.yml
@@ -150,7 +150,7 @@ Resources:
 - Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED
 Type: EVENT
 # Manual PAUSE button, to disable non-GitHib-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
- - Pattern: ^(AfifahK|allison-code-dot-org|amy-b|angD13|annaxuphoto|artem-vavilov|bakerfranke|bdmesh|bencodeorg|bethanyaconnor|breville|carl-codeorg|cat5inthecradle|cearachew|code-org|dancodedotorg|davidsbailey|daynew|deploy-cod-org|dju90|dmantonyuk|dmcavoy|ebeastlake|Erin007|etaderhold|fisher-alice|hadipartovi|Hamms|hannahbergam|jamjamgobambam|jmkulwik|jordan-springer|juanmanzojr|kakiha11|katiejofr|kelbyhawn|kobryan0619|levadadenys|lfryemason|maribethb|markabarrett|mcatullo|mgc1194|mikeharv|molly-moen|moneppo|nataliazm99|nicklathe|Nokondi|onlinecsteacher|pablo-code-org|rshipp|samantha-code|sanchitmalhotra126|simonguest|snickell|sureshc|tess323|thomasoniii|tjcodeorg|tshaffercodeorg|TurnerRiley|unlox775-code-dot-org|vijayamanohararaj|wilkie)$
+ - Pattern: ^(31292421|113540108|10283727|105933103|16494556|11708250|11284819|8747128|25372625|46464143|2205926|131809324|7014619|7144482|5107622|68714964|8001765|1372238|5184438|2933346|137330041|208083|26844240|12300669|4108328|107423305|1859238|244100|37230822|82185575|8324574|38662275|137838584|95503833|117784268|9256643|24883357|22244040|25193259|8573958|29001621|113938636|66776217|43474485|33666587|5454101|98911841|8847422|5552007|65205145|108825710|1382374|126921802|85528507|769225|223277|2157034|14046120|1466175|137829631|142271809|56283563|146779710|124813947|31674)$
 Type: ACTOR_ACCOUNT_ID
 # The CodeBuild Project is used in the CodePipeline pipeline to prepare for a release.
From 39598946d26805a94cb84117dbaa327f331fd4a5 Mon Sep 17 00:00:00 2001
From: Dave Buchanan
Date: Thu, 26 Oct 2023 10:24:37 -0700
Subject: [PATCH 4/4] Update cicd.template.yml
---
 cicd/2-cicd/cicd.template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
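Review bot: The 65 numeric IDs on the added `- Pattern:` line replace the logins removed on the line above it, and nothing in the template now ties an ID back to a person, so the list cannot be audited or pruned when a maintainer leaves without re-resolving every entry. Keep the mapping next to the pattern as a comment, one `# <login>: <id>` line per maintainer, or move the list into a template Parameter generated from the maintainer roster so the YAML carries no hand-edited IDs. The enclosing FilterGroups entry begins above the hunk. Also note that ACTOR_ACCOUNT_ID filters on who sent the webhook event, not on whose code is checked out; if the project builds the PR head, a fork PR that a listed maintainer updates would presumably still run the fork's buildspec, so this remains the stop-gap the comment calls it rather than a trust boundary — worth confirming before relying on it.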
diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml
index 735ee60b..e0fb5b8c 100644
--- a/cicd/2-cicd/cicd.template.yml
+++ b/cicd/2-cicd/cicd.template.yml
@@ -149,7 +149,7 @@ Resources:
 Type: BASE_REF
 - Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED
 Type: EVENT
- # Manual PAUSE button, to disable non-GitHib-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
+ # Manual PAUSE button, to disable non-GitHub-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
 - Pattern: ^(31292421|113540108|10283727|105933103|16494556|11708250|11284819|8747128|25372625|46464143|2205926|131809324|7014619|7144482|5107622|68714964|8001765|1372238|5184438|2933346|137330041|208083|26844240|12300669|4108328|107423305|1859238|244100|37230822|82185575|8324574|38662275|137838584|95503833|117784268|9256643|24883357|22244040|25193259|8573958|29001621|113938636|66776217|43474485|33666587|5454101|98911841|8847422|5552007|65205145|108825710|1382374|126921802|85528507|769225|223277|2157034|14046120|1466175|137829631|142271809|56283563|146779710|124813947|31674)$
 Type: ACTOR_ACCOUNT_ID