Merge pull request 'fix(security): prevent script injection in rc-revert workflow' (#324) from feature/harden-rc-revert-injection into dev

2026-06-27 02:32:26 +00:00
parent 27c19ccbaa 3972b91169
commit 282a56258c
39 changed files with 57 additions and 52 deletions
@@ -5,7 +5,7 @@
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: mokocli.Automation
-# VERSION: 09.38.04
+# VERSION: 09.38.05
 # BRIEF: Auto-create feature branch when an issue is opened

 name: "Universal: Issue Branch"
@@ -29,12 +29,20 @@ jobs:

    steps:
      - name: Rename branch
+        env:
+          BRANCH: ${{ github.event.pull_request.head.ref }}
+          REPO: ${{ github.repository }}
+          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
-          BRANCH="${{ github.event.pull_request.head.ref }}"
+          set -euo pipefail
+          # BRANCH is attacker-controlled (PR head ref). Strict allowlist before ANY use.
+          if ! printf '%s' "$BRANCH" | grep -Eq '^rc/[A-Za-z0-9._/-]+$'; then
+            echo "::error::Refusing unsafe branch name: $BRANCH"; exit 1
+          fi
          SUFFIX="${BRANCH#rc/}"
          DEV_BRANCH="dev/${SUFFIX}"
-          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+          API="${GITEA_URL}/api/v1/repos/${REPO}/branches"

          # Create dev/ branch from rc/ branch
          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X POST \
@@ -42,25 +50,22 @@ jobs:
            -H "Content-Type: application/json" \
            -d "{\"new_branch_name\": \"${DEV_BRANCH}\", \"old_branch_name\": \"${BRANCH}\"}" \
            "${API}" 2>/dev/null || true)
-
          if [ "$STATUS" = "201" ]; then
-            echo "Created branch: ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY
+            echo "Created branch: ${DEV_BRANCH}" >> "$GITHUB_STEP_SUMMARY"
          else
-            echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"
-            exit 1
+            echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"; exit 1
          fi

-          # Delete rc/ branch
-          ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
+          # Read BRANCH from the environment inside PHP (getenv, no string interpolation -> no PHP injection)
+          ENCODED=$(php -r 'echo rawurlencode(getenv("BRANCH"));')
          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
            -H "Authorization: token ${TOKEN}" \
            "${API}/${ENCODED}" 2>/dev/null || true)
-
          if [ "$STATUS" = "204" ]; then
-            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+            echo "Deleted branch: ${BRANCH}" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "::warning::Failed to delete ${BRANCH} (HTTP ${STATUS})"
          fi

-          echo "### RC Reverted" >> $GITHUB_STEP_SUMMARY
-          echo "${BRANCH} → ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY
+          echo "### RC Reverted" >> "$GITHUB_STEP_SUMMARY"
+          echo "${BRANCH} → ${DEV_BRANCH}" >> "$GITHUB_STEP_SUMMARY"
@@ -6,7 +6,7 @@ DEFGROUP: MokoPlatform.Root
 INGROUP: MokoPlatform
 REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 PATH: /README.md
-VERSION: 09.38.04
+VERSION: 09.38.05
 BRIEF: Project overview and documentation
 -->

@@ -13,7 +13,7 @@
 * INGROUP: MokoPlatform.Scripts
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /automation/update_dependencies.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Cross-repo dependency update automation — scan, update, PR, auto-merge
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/branch_rename.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Rename a git branch via Gitea API (create new, update PR, delete old)
 */

@@ -12,7 +12,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/bulk_workflow_push.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Push a workflow file to all governed repos via the Gitea Contents API
 */

@@ -12,7 +12,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/bulk_workflow_trigger.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Trigger a workflow across multiple repos at once
 */

@@ -12,7 +12,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/client_dashboard.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Generate unified client dashboard HTML
 */

@@ -12,7 +12,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/client_inventory.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Discover and list all client-waas repos with their server configuration status
 */

@@ -12,7 +12,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/client_provision.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Provision a new client environment end-to-end
 */

@@ -12,7 +12,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/grafana_dashboard.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Manage Grafana dashboards via API
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/joomla_build.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Build a Joomla extension ZIP from manifest — all types supported
 * NOTE: Called by pre-release and auto-release workflows.
 */
@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/joomla_metadata_validate.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Validate MokoGitea repo metadata against Joomla extension manifest XML
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/manifest_detect.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Auto-detect manifest fields from source files and optionally push to API
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/manifest_integrity.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Cross-check manifest API fields against repo contents across the org
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/manifest_licensing.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Ensure licensing tags (updateservers, dlid) in Joomla extension manifests
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/manifest_read.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Read repo metadata from Gitea manifest API, auto-detect the rest
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/platform_detect.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Auto-detect repository platform type and optionally update manifest
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/release_cascade.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Cascade release zip to all lower stability channels
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/release_publish.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Publish a release and create copies for all lesser stability streams.
 */

@@ -12,7 +12,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/scaffold_client.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Scaffold a new client-waas repo from Template-Client-WaaS with pre-configured settings
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/updates_xml_sync.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Sync updates.xml to target branches via Gitea API
 * NOTE: Called by pre-release and auto-release workflows after updates.xml
 *       is modified on the current branch. Pushes the file to other branches
@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/version_auto_bump.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Auto patch-bump, set stability suffix, and commit — single CLI replacing inline workflow bash
 */

@@ -368,7 +368,7 @@ class VersionBumpCli extends CliFramework
    /**
     * Scan git release tags for the highest version across all channels.
     *
-     * Checks release names like "MokoSuiteClient (VERSION: 09.38.04)" in
+     * Checks release names like "MokoSuiteClient (VERSION: 09.38.05)" in
     * git tags (stable, release-candidate, development, etc.) to find the
     * highest version that has been released on any channel.
     */
@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/version_check.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Validate version consistency across README, manifests, and sub-packages
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/wiki_sync.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Sync select wiki pages from mokocli to all template repos
 */

@@ -10,7 +10,7 @@
 * INGROUP: mokocli
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /cli/workflow_sync.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Sync workflows from Generic → platform templates → live repos based on manifest.platform
 */

@@ -12,7 +12,7 @@
 * INGROUP: MokoPlatform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /deploy/backup-before-deploy.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Snapshot Joomla directories before deployment for rollback capability
 */

@@ -12,7 +12,7 @@
 * INGROUP: MokoPlatform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /deploy/deploy-dolibarr.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Deploy Dolibarr module files to a remote server via SFTP/rsync
 */

@@ -12,7 +12,7 @@
 * INGROUP: MokoPlatform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /deploy/health-check.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Post-deploy health check — verify a Joomla site is responding correctly
 */

@@ -12,7 +12,7 @@
 * INGROUP: MokoPlatform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /deploy/rollback-joomla.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Rollback a Joomla deployment by restoring from a pre-deploy snapshot
 */

@@ -12,7 +12,7 @@
 * INGROUP: MokoPlatform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /deploy/sync-joomla.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Sync Joomla site directories between two servers via rsync over SSH
 */

@@ -14,7 +14,7 @@
 	DEFGROUP: dolibarr-api-mcp.Documentation
 	INGROUP: dolibarr-api-mcp
 	REPO: https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp
-	VERSION: 09.38.04
+	VERSION: 09.38.05
 	PATH: ./CONTRIBUTING.md
 	BRIEF: Contribution guidelines for the project
 -->
@@ -10,7 +10,7 @@ DEFGROUP: dolibarr-api-mcp.Documentation
 INGROUP: dolibarr-api-mcp
 REPO: https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp
 PATH: /SECURITY.md
-VERSION: 09.38.04
+VERSION: 09.38.05
 BRIEF: Security vulnerability reporting and handling policy
 -->

@@ -14,7 +14,7 @@
 	DEFGROUP: 
 	INGROUP: Project.Documentation
 	REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCli-Template-Generic
-	VERSION: 09.38.04
+	VERSION: 09.38.05
 	PATH: ./CONTRIBUTING.md
 	BRIEF: Contribution guidelines for the project
 -->
@@ -23,7 +23,7 @@ DEFGROUP: [PROJECT_NAME]
 INGROUP: [PROJECT_NAME].Documentation
 REPO: [REPOSITORY_URL]
 PATH: /SECURITY.md
-VERSION: 09.38.04
+VERSION: 09.38.05
 BRIEF: Security vulnerability reporting and handling policy
 -->

@@ -63,7 +63,7 @@ class VersionBumpTest extends TestCase
    {
        file_put_contents(
            "{$this->tmpDir}/README.md",
-            "<!-- VERSION: 09.38.04 -->\nSome content\n"
+            "<!-- VERSION: 09.38.05 -->\nSome content\n"
        );

        $this->execute();
@@ -34,7 +34,7 @@ class VersionReadTest extends TestCase
    {
        file_put_contents(
            "{$this->tmpDir}/README.md",
-            "# Test\n<!-- VERSION: 09.38.04 -->\n"
+            "# Test\n<!-- VERSION: 09.38.05 -->\n"
        );

        $this->assertSame('02.03.04', trim($this->runScript()));
@@ -68,7 +68,7 @@ class VersionReadTest extends TestCase
    {
        file_put_contents(
            "{$this->tmpDir}/README.md",
-            "<!-- VERSION: 09.38.04 -->\n"
+            "<!-- VERSION: 09.38.05 -->\n"
        );
        mkdir("{$this->tmpDir}/src", 0755, true);
        file_put_contents(
@@ -12,7 +12,7 @@
 * INGROUP: MokoPlatform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 * PATH: /validate/check_file_integrity.php
- * VERSION: 09.38.04
+ * VERSION: 09.38.05
 * BRIEF: Compare deployed files on a remote server against the local repository to detect drift
 */