From 5ba702de8052c674ac28ba723fd3f0f42c0f0433 Mon Sep 17 00:00:00 2001
From: Pascal Martel
Date: Mon, 2 Aug 2021 07:41:07 -0400
Subject: [PATCH] Fix a potential security leak with ssh private keys and ignore empty keys

---
 dist/index.js | 10 ++++++++--
 index.js | 10 ++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/dist/index.js b/dist/index.js
index 6dbf026..b321c0e 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -166,11 +166,17 @@ try {
 console.log('Configuring deployment key(s)');
- child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key) {
+ child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key, index) {
+ if (!key) {
+ console.log(`Ignoring empty key at position ${index}.`);
+
+ return;
+ }
+
 const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
 if (!parts) {
- console.log(`Comment for key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
+ console.log(`Comment for key at position ${index} does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
 return;
 }
diff --git a/index.js b/index.js
index 1a4835e..d44bc2c 100644
--- a/index.js
+++ b/index.js
@@ -49,11 +49,17 @@ try {
 console.log('Configuring deployment key(s)');
- child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key) {
+ child_process.execFileSync(sshAdd, ['-L']).toString().split(/\r?\n/).forEach(function(key, index) {
+ if (!key) {
+ console.log(`Ignoring empty key at position ${index}.`);
+
+ return;
+ }
+
 const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
 if (!parts) {
- console.log(`Comment for key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
+ console.log(`Comment for key at position ${index} does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
 return;
 }
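Review bot: The new `if (!key)` branch in index.js will most likely print "Ignoring empty key" on every run, because `ssh-add -L` output normally ends with a newline and `split(/\r?\n/)` then yields a trailing empty string. A whitespace-only line would also slip past the check and fall through to the regex match. I would skip such lines silently with `if (!key.trim()) { return; }`. Dropping `${key}` from the second message is the security-relevant part of the change, and a short comment above it such as `// Never echo the key line itself; CI logs may be readable by others.` would stop a later edit from re-adding it. The forEach callback continues past the end of the hunk, and the same applies to the generated copy in dist/index.js.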