Sarut Limpajeerawong | github.tr4200812.github.com | 0514edf355
Update and rename .prettierrc.js to reusable/prettierrc.js
Tool: CodeQL
Rule ID: js/incomplete-sanitization
Description
Sanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.

However, directly using the string replace method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.

In the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.

Even if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.

Recommendation
Use a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.

An even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.

Otherwise, make sure to use a regular expression with the g flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.

Example
For example, assume that we want to embed a user-controlled string accountNumber into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:

function escapeQuotes(s) {
  return s.replace("'", "''");
}
As written, this sanitizer is ineffective: if the first argument to replace is a string rather than a regular expression (as in this case), only the first occurrence of that string is replaced.

As mentioned above, the function escapeQuotes should be replaced with a purpose-built sanitization library, such as the npm module sqlstring. Many other sanitization libraries are available from npm and other sources.

If this is not an option, escapeQuotes should be rewritten to use a regular expression with the g ("global") flag instead:

function escapeQuotes(s) {
  return s.replace(/'/g, "''");
}
Note that it is very important to include the global flag: s.replace(/'/, "''") without the global flag is equivalent to the first example above and only replaces the first quote.
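The two failure modes described above, as an added example that is not part of the CodeQL query help or of the sqlstring module: each incomplete sanitizer beside its corrected form, run over constructed attacker input, together with a small check (also added here, not a CodeQL API) that counts the quotes which would still terminate a SQL string literal under each escaping convention.

```javascript
// Added example, not code from the CodeQL query help or the sqlstring module.

// Bug 1: a string pattern replaces only the first occurrence.
function escapeQuotesBroken(s) {
  return s.replace("'", "''");
}

// Fix 1: a regular expression with the g flag replaces every occurrence.
function escapeQuotesFixed(s) {
  return s.replace(/'/g, "''");
}

// Bug 2: backslash-escapes the quote but never the backslash itself, so the
// input  \'  becomes  \\'  : the backslash is escaped, the quote is not.
function backslashEscapeBroken(s) {
  return s.replace(/'/g, "\\'");
}

// Fix 2: escape the backslash first, then the quote, so  \'  becomes  \\\' .
function backslashEscapeFixed(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Check for the doubling convention: a quote is escaped only when it is
// immediately followed by another quote; every other quote would end the
// SQL string literal. Returns the number of such unescaped quotes.
function unescapedQuotesDoubled(s) {
  let count = 0;
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== "'") continue;
    if (s[i + 1] === "'") i++; // consumed as an escaped pair
    else count++;
  }
  return count;
}

// Check for the backslash convention: a quote is escaped only when preceded
// by an odd run of backslashes (\\' is an escaped backslash then a live quote).
function unescapedQuotesBackslashed(s) {
  let count = 0;
  let run = 0;
  for (const ch of s) {
    if (ch === "\\") { run++; continue; }
    if (ch === "'" && run % 2 === 0) count++;
    run = 0;
  }
  return count;
}

// Constructed attacker inputs.
const doubledAttack = "O'Brien' OR '1'='1";
const backslashAttack = "\\' OR 1=1 --"; // the string  \' OR 1=1 --

// Runs every sanitizer over its attack string and reports how many quotes
// survive unescaped; anything above 0 means the sanitizer can be bypassed.
function report() {
  return {
    doubledBroken: unescapedQuotesDoubled(escapeQuotesBroken(doubledAttack)),
    doubledFixed: unescapedQuotesDoubled(escapeQuotesFixed(doubledAttack)),
    backslashBroken: unescapedQuotesBackslashed(backslashEscapeBroken(backslashAttack)),
    backslashFixed: unescapedQuotesBackslashed(backslashEscapeFixed(backslashAttack)),
  };
}
```

The two checks are deliberately convention-specific: a quote that is harmless under one escaping scheme is live under the other, which is why a sanitizer has to be written for the exact dialect the string is embedded in, and why a library that already knows that dialect is the better choice.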

References
OWASP Top 10: A1 Injection.
npm: sqlstring package.
Common Weakness Enumeration: CWE-20.
Common Weakness Enumeration: CWE-80.
Common Weakness Enumeration: CWE-116.

Signed-off-by: Sarut Limpajeerawong| |github.tr4200812.github.com <179701381+tr4200812@users.noreply.github.com>

setup-dotnet


This action sets up a .NET CLI environment for use in actions by:

  • optionally downloading and caching a version(s) of dotnet by SDK version(s) and adding to PATH
  • registering problem matchers for error output
  • setting up authentication to private package sources like GitHub Packages

Note: GitHub hosted runners have some versions of the .NET SDK preinstalled. Installed versions are subject to change. Please refer to the documentation: Software installed on GitHub hosted runners for .NET SDK versions that are currently available.

Usage

See action.yml

Basic:

steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
  with:
    dotnet-version: '3.1.x'
- run: dotnet build <my project>

Warning: Unless a concrete version is specified in the global.json file, the latest .NET version installed on the runner (including preinstalled versions) will be used by default. Please refer to the documentation for the currently preinstalled .NET SDK versions.

Multiple version installation:

steps:
- uses: actions/checkout@v4
- name: Setup dotnet
  uses: actions/setup-dotnet@v4
  with:
    dotnet-version: | 
      3.1.x
      5.0.x
- run: dotnet build <my project>

Supported version syntax

The dotnet-version input supports following syntax:

  • A.B.C (e.g. 6.0.400, 7.0.100-preview.7.22377.5) - installs the exact version of the .NET SDK
  • A.B or A.B.x (e.g. 3.1, 3.1.x) - installs the latest patch version of the .NET SDK on the 3.1 channel, including prerelease versions (preview, rc)
  • A or A.x (e.g. 3, 3.x) - installs the latest minor version of the specified major version, including prerelease versions (preview, rc)
  • A.B.Cxx (e.g. 6.0.4xx) - available since the .NET 5.0 release. Installs the latest version of the specified SDK feature band, including prerelease versions (preview, rc).
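The resolution rules above, as an added example written for this page (not code from actions/setup-dotnet), run against a constructed list of SDK versions that stands in for the release feed the action consults. It resolves each of the four syntaxes, treats prereleases as candidates the way the list says, and for a multi-line input reports the latest resolved version, which is what the action's dotnet-version output carries. dotnet-quality is not modelled.

```javascript
// Added example, not code from actions/setup-dotnet.

// Constructed sample feed, not a snapshot of the real .NET release feed.
const AVAILABLE_SDKS = [
  "3.1.425", "3.1.426",
  "6.0.321", "6.0.417", "6.0.418", "6.0.419-preview.1",
  "7.0.100-preview.7.22377.5", "7.0.100", "7.0.404",
  "8.0.100-rc.2.23502.2", "8.0.100", "8.0.204",
];

// Parse "A.B.C[-prerelease]" into comparable parts.
function parseSdk(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) throw new Error(`not an SDK version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null, raw: v };
}

// Order two versions: numeric parts first; a prerelease sorts below the
// release with the same numbers (7.0.100-preview.7.22377.5 < 7.0.100).
function compareSdk(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Return the version to install for one dotnet-version entry, or null when
// nothing on the feed matches.
function resolveDotnetVersion(spec, feed = AVAILABLE_SDKS) {
  const s = spec.trim();
  const band = /^(\d+)\.(\d+)\.(\d+)xx$/.exec(s);      // A.B.Cxx
  const channel = /^(\d+)\.(\d+)(?:\.x)?$/.exec(s);    // A.B or A.B.x
  const major = /^(\d+)(?:\.x)?$/.exec(s);             // A or A.x
  let matches;
  if (band) {
    // Feature band: 6.0.4xx covers patch versions 400-499 of channel 6.0.
    const [maj, min, feature] = band.slice(1).map(Number);
    matches = (v) => v.major === maj && v.minor === min && Math.floor(v.patch / 100) === feature;
  } else if (channel) {
    const [maj, min] = channel.slice(1).map(Number);
    matches = (v) => v.major === maj && v.minor === min;
  } else if (major) {
    const maj = Number(major[1]);
    matches = (v) => v.major === maj;
  } else {
    parseSdk(s); // validates the A.B.C[-prerelease] shape, throws otherwise
    return feed.includes(s) ? s : null; // exact version: install only that one
  }
  const candidates = feed.map(parseSdk).filter(matches).sort(compareSdk);
  return candidates.length ? candidates[candidates.length - 1].raw : null;
}

// Resolve a (possibly multi-line) dotnet-version input. Every entry is
// installed; the dotnet-version output carries the latest of them.
function resolveAll(input, feed = AVAILABLE_SDKS) {
  const specs = input.split("\n").map((l) => l.trim()).filter(Boolean);
  const installed = specs.map((s) => {
    const v = resolveDotnetVersion(s, feed);
    if (v === null) throw new Error(`no SDK matches '${s}'`);
    return v;
  });
  const output = [...installed].map(parseSdk).sort(compareSdk).pop().raw;
  return { installed, output };
}
```

Note what "including prerelease versions" means in practice: with this feed, 6.0.x resolves to 6.0.419-preview.1 rather than the GA 6.0.418, because the preview carries a higher patch number. A build that must stay on GA releases should request an exact version or a feature band, or pin the SDK in global.json.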

Using the dotnet-quality input

This input sets up the action to install the latest build of the specified quality in the channel. The possible values of dotnet-quality are: daily, signed, validated, preview, ga.

Note: The dotnet-quality input can be used only with .NET SDK versions in the 'A.B', 'A.B.x', 'A', 'A.x' and 'A.B.Cxx' formats where the major version is higher than 5. In other cases, the dotnet-quality input is ignored.

steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
  with:
    dotnet-version: '6.0.x'
    dotnet-quality: 'preview'
- run: dotnet build <my project>

Using the global-json-file input

The setup-dotnet action can read the .NET SDK version from a global.json file. The global-json-file input specifies the path to that global.json. If the file supplied to global-json-file does not exist, the action fails with an error.

Note: If both the dotnet-version and global-json-file inputs are used, the versions from both inputs will be installed.

steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
  with:
    global-json-file: csharp/global.json
- run: dotnet build <my project>
  working-directory: csharp

Caching NuGet Packages

The action has built-in functionality for caching and restoring dependencies. It uses toolkit/cache under the hood for caching the global-packages folder but requires fewer configuration settings. The cache input is optional, and caching is turned off by default.

The action searches for NuGet lock files (packages.lock.json) in the repository root, calculates their hash and uses it as part of the cache key. If no lock file exists, the action fails with an error. Use cache-dependency-path when multiple dependency files are used, or when they are located in different subdirectories.

Warning: Caching NuGet packages is available since .NET SDK 2.1.500 and 2.2.100, as the NuGet lock file is available only for NuGet 4.9 and above.

steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
  with:
    dotnet-version: 6.x
    cache: true
- run: dotnet restore --locked-mode

Note: This action will only restore the global-packages folder, so you will probably get the NU1403 error when running dotnet restore. To avoid this, you can use the DisableImplicitNuGetFallbackFolder option.

<PropertyGroup>
  <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
</PropertyGroup>

Reduce caching size

Note: Use the NUGET_PACKAGES environment variable if available. Some action runners already have huge libraries installed (e.g. Xamarin).

env:
  NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
  with:
    dotnet-version: 6.x
    cache: true
- run: dotnet restore --locked-mode

Caching NuGet packages in monorepos

env:
  NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
  with:
    dotnet-version: 6.x
    cache: true
    cache-dependency-path: subdir/packages.lock.json
- run: dotnet restore --locked-mode

Matrix Testing

Using setup-dotnet it's possible to use matrix syntax to install several versions of .NET SDK:

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        dotnet: [ '2.1.x', '3.1.x', '5.0.x' ]
    name: Dotnet ${{ matrix.dotnet }} sample
    steps:
      - uses: actions/checkout@v4
      - name: Setup dotnet
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ matrix.dotnet }}
      - name: Execute dotnet
        run: dotnet build <my project>

Note: Unless a concrete version is specified in the global.json file, the latest .NET version installed on the runner (including preinstalled versions) will be used by default. To control this behavior you may want to use temporary global.json files:

Matrix testing with temporary global.json creation

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        dotnet: [ '2.1.x', '3.1.x', '5.0.x' ]
    name: Dotnet ${{ matrix.dotnet }} sample
    steps:
      - uses: actions/checkout@v4
      - name: Setup dotnet
        uses: actions/setup-dotnet@v4
        id: stepid
        with:
          dotnet-version: ${{ matrix.dotnet }}
      - name: Create temporary global.json
        run: echo '{"sdk":{"version": "${{ steps.stepid.outputs.dotnet-version }}"}}' > ./global.json
      - name: Execute dotnet
        run: dotnet build <my project>

Setting up authentication for nuget feeds

Github Package Registry (GPR)

steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
  with:
    dotnet-version: '3.1.x'
    source-url: https://nuget.pkg.github.com/<owner>/index.json
  env:
    NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
- run: dotnet build <my project>
- name: Create the package
  run: dotnet pack --configuration Release <my project>
- name: Publish the package to GPR
  run: dotnet nuget push <my project>/bin/Release/*.nupkg

Azure Artifacts

- uses: actions/setup-dotnet@v4
  with:
    source-url: https://pkgs.dev.azure.com/<your-organization>/_packaging/<your-feed-name>/nuget/v3/index.json
  env:
    NUGET_AUTH_TOKEN: ${{secrets.AZURE_DEVOPS_PAT}} # Note, create a secret with this name in Settings
- name: Publish the package to Azure Artifacts
  run: dotnet nuget push <my project>/bin/Release/*.nupkg

nuget.org

- uses: actions/setup-dotnet@v4
  with:
    dotnet-version: 3.1.x
- name: Publish the package to nuget.org
  run: dotnet nuget push */bin/Release/*.nupkg -k $NUGET_AUTH_TOKEN -s https://api.nuget.org/v3/index.json
  env:
    NUGET_AUTH_TOKEN: ${{ secrets.NUGET_TOKEN }}

Note: This is the only way to push a package to the nuget.org feed from macOS/Linux machines, due to API key config store limitations.

Outputs and environment variables

Outputs

dotnet-version

The dotnet-version output reports the .NET SDK version installed by the action.

Single version installation

In case of a single version installation, the dotnet-version output contains the version that is installed by the action.

    - uses: actions/setup-dotnet@v4
      id: stepid
      with:
        dotnet-version: 3.1.422
    - run: echo '${{ steps.stepid.outputs.dotnet-version }}' # outputs 3.1.422

Multiple version installation

In case of a multiple version installation, the dotnet-version output contains the latest version that is installed by the action.

    - uses: actions/setup-dotnet@v4
      id: stepid
      with:
        dotnet-version: | 
          3.1.422
          5.0.408
    - run: echo '${{ steps.stepid.outputs.dotnet-version }}' # outputs 5.0.408

Installation from global.json

When the dotnet-version input is used along with the global-json-file input, the dotnet-version output contains the version resolved from the global.json.

    - uses: actions/setup-dotnet@v4
      id: stepid
      with:
        dotnet-version: | 
          3.1.422
          5.0.408
        global-json-file: "./global.json" # contains version 2.2.207
    - run: echo '${{ steps.stepid.outputs.dotnet-version }}' # outputs 2.2.207

cache-hit

A boolean value to indicate an exact match was found for the cache key (follows actions/cache)

Environment variables

Some environment variables may be necessary for your particular case or to improve logging. Some examples are listed below; the full list with complete details can be found here: https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-environment-variables

Env. variable               | Description                                                           | Default value
DOTNET_INSTALL_DIR          | Directory where .NET SDKs should be installed by the action           | default value for each OS
DOTNET_NOLOGO               | Removes logo and telemetry message from first run of the dotnet CLI   | false
DOTNET_CLI_TELEMETRY_OPTOUT | Opt out of telemetry being sent to Microsoft                          | false
DOTNET_MULTILEVEL_LOOKUP    | Configures whether the global install location is used as a fallback | true
NUGET_PACKAGES              | Path to the NuGet global-packages folder                               | default value for each OS

The default values of the DOTNET_INSTALL_DIR and NUGET_PACKAGES environment variables depend on the operating system of the runner:

Operating system | DOTNET_INSTALL_DIR      | NUGET_PACKAGES
Windows          | C:\Program Files\dotnet | %userprofile%\.nuget\packages
Ubuntu           | /usr/share/dotnet       | ~/.nuget/packages
macOS            | /Users/runner/.dotnet   | ~/.nuget/packages

Example usage of environment variable:

build:
  runs-on: ubuntu-latest
  env:
    DOTNET_INSTALL_DIR: "path/to/directory"
    NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-dotnet@v4
      with:
        dotnet-version: '3.1.x'
        cache: true

When using the setup-dotnet action in your GitHub Actions workflow, it is recommended to set the following permissions to ensure proper functionality:

permissions:
  contents: read # access to check out code and install dependencies

A job that publishes to GitHub Packages with GITHUB_TOKEN (as in the GPR example above) additionally needs packages: write; keep every other scope at the minimum the job actually uses.

License

The scripts and documentation in this project are released under the MIT License

Contributions

Contributions are welcome! See Contributor's Guide

Description
Set up your GitHub Actions workflow with a specific version of the .NET core sdk