Escape category names

Ensure category names are sanitized before converting them to an environment variable.
github · Nov 4, 2021 · 4764f83 · 4764f83
1 parent 730dae8
commit 4764f83
Show file tree

Hide file tree

Showing 9 changed files with 41 additions and 7 deletions.
diff --git a/lib/actions-util.js b/lib/actions-util.js
diff --git a/lib/actions-util.js.map b/lib/actions-util.js.map
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
diff --git a/lib/upload-lib.js.map b/lib/upload-lib.js.map
diff --git a/lib/upload-lib.test.js b/lib/upload-lib.test.js
diff --git a/lib/upload-lib.test.js.map b/lib/upload-lib.test.js.map
diff --git a/src/actions-util.ts b/src/actions-util.ts
@@ -85,6 +85,7 @@ export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
     core.info(
       `Failed to call git to get current commit. Continuing with data from environment: ${e}`
     );
+    core.info((e as Error).stack || "NO STACK");
     return getRequiredEnvParam("GITHUB_SHA");
   }
 };

diff --git a/src/upload-lib.test.ts b/src/upload-lib.test.ts
@@ -185,4 +185,14 @@ test("validateUniqueCategory", (t) => {
 
   t.notThrows(() => uploadLib.validateUniqueCategory("def"));
   t.throws(() => uploadLib.validateUniqueCategory("def"));
+
+  // Our category sanitization is not perfect. Here are some examples
+  // of where we see false clashes
+  t.notThrows(() => uploadLib.validateUniqueCategory("abc/def"));
+  t.throws(() => uploadLib.validateUniqueCategory("abc@def"));
+  t.throws(() => uploadLib.validateUniqueCategory("abc_def"));
+  t.throws(() => uploadLib.validateUniqueCategory("abc def"));
+
+  // this one is fine
+  t.notThrows(() => uploadLib.validateUniqueCategory("abc_ def"));
 });
diff --git a/src/upload-lib.ts b/src/upload-lib.ts
@@ -404,15 +404,29 @@ async function uploadFiles(
 export function validateUniqueCategory(category: string | undefined) {
   if (util.isActions()) {
     // This check only works on actions as env vars don't persist between calls to the runner
-    const sentinelEnvVar = `CODEQL_UPLOAD_SARIF + ${
-      category ? `_${category}` : ""
+    const sentinelEnvVar = `CODEQL_UPLOAD_SARIF${
+      category ? `_${sanitize(category)}` : ""
     }`;
     if (process.env[sentinelEnvVar]) {
       throw new Error(
         "Aborting upload: only one run of the codeql/analyze or codeql/upload-sarif actions is allowed per job per category. " +
-          "Please specify a unique `category` to call this action multiple times."
+          "Please specify a unique `category` to call this action multiple times. " +
+          `Category: ${category ? category : "(none)"}`
       );
     }
     core.exportVariable(sentinelEnvVar, sentinelEnvVar);
   }
 }
+
+/**
+ * Santizes a string to be used as an environment variable name.
+ * This will replace all non-alphanumeric characters with underscores.
+ * There could still be some false category clashes if two uploads
+ * occur that differ only in their non-alphanumeric characters. This is
+ * unlikely.
+ *
+ * @param str the initial value to sanitize
+ */
+function sanitize(str: string) {
+  return str.replace(/[^a-zA-Z0-9_]/g, "_");
+}