From a3df50d810270bd04381c7e4390c172b54402e3d Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Sun, 7 Nov 2021 12:08:22 +0100 Subject: [PATCH] tools: ensure the PR was not pushed before merging MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When using Squash and Merge feature, it would allow to a malicious actor to push unreviewed code to their PR while the CQ is running and bypass the usual checks. This commit adds a check to refuse to land if the head of the PR branch is different from the one validated by ncu. PR-URL: https://github.com/nodejs/node/pull/40747 Reviewed-By: Michaël Zasso Reviewed-By: Tobias Nießen Reviewed-By: Voltrex
---
 tools/actions/commit-queue.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/actions/commit-queue.sh b/tools/actions/commit-queue.sh
index a1c182f39015ac..37b8cdcfc0fb68 100755
--- a/tools/actions/commit-queue.sh
+++ b/tools/actions/commit-queue.sh
@@ -110,7 +110,8 @@ for pr in "$@"; do
 jq -n \
 --arg title "$(git log -1 --pretty='format:%s')" \
 --arg body "$(git log -1 --pretty='format:%b')" \
- '{merge_method:"squash",commit_title:$title,commit_message:$body}' > output.json
+ --arg head "$(grep 'Fetched commits as' output | cut -d. -f3 | xargs git rev-parse)" \
+ '{merge_method:"squash",commit_title:$title,commit_message:$body,sha:$head}' > output.json
 cat output.json
 gitHubCurl "$(mergeUrl "$pr")" PUT --data @output.json > output
 cat output
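Review bot: The new `--arg head` line builds the merge guard from parsed log text and never validates it: if `grep` finds no 'Fetched commits as' line in `output` (presumably the earlier ncu run's log) or `git rev-parse` fails, the command substitution silently yields an empty or unresolved string inside the `jq` argument, where `set -e` does not apply, and the PUT is still sent with that value as `sha`. Since the purpose of the change is to fail closed when the validated head cannot be established, compute the value first and refuse to merge unless it is a full object id: `head=$(grep 'Fetched commits as' output | cut -d. -f3 | xargs git rev-parse)` followed by `[ "${#head}" -eq 40 ] || { echo "Could not determine validated head for PR $pr" >&2; continue; }` (POSIX test, since the script's shebang is not visible in the hunk; use the loop's existing failure path instead of a bare `continue` if it has one), then pass `--arg head "$head"`. The `cut -d. -f3` extraction also assumes the third dot-separated field of that log line is the PR head, so a comment such as `# assumes the ncu log line is "Fetched commits as <base>..<head>"; take <head>` would make that dependency visible. The enclosing `for pr` loop starts and ends outside the hunk.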