From ece61e3ef84e53d072c3076e9f6e2993e92e506d Mon Sep 17 00:00:00 2001
From: Michael Altfield
Date: Wed, 7 Aug 2024 14:28:38 -0500
Subject: [PATCH] update check for malicious unicode

 * https://github.com/maltfield/detect-malicious-unicode/issues/3
 * https://github.com/BusKill/buskill-app/pull/90#issuecomment-2273726507
---
 .github/workflows/unicode_warn.yml | 49 ++++++++++++++++++++++++++----
 1 file changed, 43 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/unicode_warn.yml b/.github/workflows/unicode_warn.yml
index 200ec954..ff168a0c 100644
--- a/.github/workflows/unicode_warn.yml
+++ b/.github/workflows/unicode_warn.yml
@@ -1,27 +1,34 @@
 ################################################################################
 # File: .github/workflows/unicode_warn.yml
-# Version: 0.1
+# Version: 0.2
 # Purpose: Detects Unicode in PRs and comments the results of findings in PR
-# * https://tech.michaelaltfield.net/bidi-unicode-github-defense/
 # Authors: Michael Altfield
 # Created: 2021-11-20
-# Updated: 2021-11-20
+# Updated: 2024-08-07
 ################################################################################
+# in main branch
 name: malicious_sanity_checks
 # execute this workflow automatically on all PRs
-on: [pull_request]
+on:
+  pull_request_target:
+    types: [opened, edited, synchronize, reopened, unlocked]
 jobs:
   unicode_warn:
-    
+
     runs-on: ubuntu-latest
     container: debian:bullseye-slim
-    
+
+    permissions:
+      issues: write
+      pull-requests: write
+
     steps:
       - name: Prereqs
+        continue-on-error: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
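Review bot: Changing the trigger from `pull_request` to `pull_request_target` makes this job run with the base repository's secrets and the newly granted `pull-requests: write` token on changes proposed from forks, so no step may execute anything taken from the PR head; the Prereqs step that presumably fetches the PR (its body lies outside this hunk) should only fetch the commits needed for the later `git diff` and never check out or run scripts from them. The new explicit `permissions:` block also sets every unlisted scope to `none`, so if Prereqs uses `GITHUB_TOKEN` to fetch the repository it will now need `contents: read` listed alongside the two write scopes. `continue-on-error: true` on Prereqs additionally lets the following steps run against a half-prepared container, where the next step's failure is then misreported as a git diff error; consider dropping it or gating the later steps on `steps.<prereqs-id>.outcome == 'success'`.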
@@ -34,12 +41,31 @@ jobs:
         id: unicode_diff
         run: |
           set -x
+          git config --global --add safe.directory .
+          git config --global --add safe.directory "$(pwd)"
+          git branch -a
+          git log
+          diff=`git diff --unified=0 ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }} | grep -E "^[+]" | grep -Ev '^(--- a/|\+\+\+ b/)'`
+          if [ $? -ne 0 ]; then
+            # there was an error in the diff
+            human_result="WARNING: git diff failed!"
+            echo "${human_result}"
+            exit 1
+          fi
+
           unicode_diff=`echo -n "${diff}" | grep -oP "[^\x00-\x7F]*"`
           unicode_grep_exit_code=$?
           echo "${unicode_diff}"
           unicode_diff_hexdump=`echo -n "${unicode_diff}" | hd`
+          if [ $? -ne 0 ]; then
+            # there was an error in the hexdump
+            human_result="WARNING: hexdump failed!"
+            echo "${human_result}"
+            exit 1
+          fi
+
           echo "${unicode_diff_hexdump}"
           # did we select any unicode characters?
@@ -75,3 +101,14 @@ jobs:
             repo: context.repo.repo,
             body: "${{ env.UNICODE_HUMAN_RESULT }}"
           })
+
+      # Exit with or without error
+      - name: Exit with or without error
+        run: |
+
+          if [[ "${{ env.UNICODE_HUMAN_RESULT }}" | grep -i "WARNING" ]]; then
+            exit 1
+          else
+            exit 0
+
+        shell: bash {0}
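Review bot: The `if [ $? -ne 0 ]` after the `diff=` assignment tests the exit status of the last `grep -Ev` in the pipeline, not of `git diff`, because the shell has no `pipefail`; a git failure is only caught indirectly (grep sees no input and returns 1), and a PR whose diff adds no lines at all is reported the same way as "WARNING: git diff failed!" and fails the step. If the step runs under the default `bash -e` (the step's `shell:` is not visible in the hunk), the non-zero assignment aborts the script before the `if` is ever reached, so the message is never printed; the `hd` check a few lines below has the same shape. The `human_result` set in both failure branches is also never written to `$GITHUB_ENV`, so the comment step that posts `env.UNICODE_HUMAN_RESULT` cannot report it. Check the `git diff` status on its own and let an empty filtered result through, as below; the step's `run:` block continues past the hunk.
```yaml
          set -o pipefail
          if ! raw_diff=$(git diff --unified=0 "${BASE_SHA}" "${HEAD_SHA}"); then
            # git itself failed (bad/missing sha, shallow clone, etc.)
            human_result="WARNING: git diff failed!"
            echo "${human_result}"
            echo "UNICODE_HUMAN_RESULT=${human_result}" >> "${GITHUB_ENV}"
            exit 1
          fi
          # an empty result (no added lines) is not an error, so tolerate grep's exit 1
          diff=$(printf '%s\n' "${raw_diff}" | grep -E "^[+]" | grep -Ev '^(--- a/|\+\+\+ b/)' || true)
          # … unchanged: unicode_diff extraction, hexdump and its check …
```
(with `BASE_SHA: ${{ github.event.pull_request.base.sha }}` and `HEAD_SHA: ${{ github.event.pull_request.head.sha }}` supplied through the step's `env:` rather than expanded into the script)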
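Review bot: The new `if [[ "${{ env.UNICODE_HUMAN_RESULT }}" | grep -i "WARNING" ]]; then` is not valid bash, since a pipe cannot appear inside `[[ ]]`, and the `if` block is never closed with `fi`, so this step fails with a syntax error on every run regardless of the result. Expanding `${{ env.UNICODE_HUMAN_RESULT }}` directly into the script text is also an injection point: in a `pull_request_target` workflow with a write token, any part of that value that originates from the PR's diff (whether it does depends on code outside this hunk) becomes shell source, and the `body: "${{ env.UNICODE_HUMAN_RESULT }}"` inside the github-script step just above has the same pattern in JavaScript. Since the value is already in the `env` context it is available to the shell as `$UNICODE_HUMAN_RESULT`; read it from the environment instead.
```yaml
      - name: Exit with or without error
        shell: bash {0}
        run: |
          # read the result from the environment; never expand ${{ }} into script text
          if printf '%s\n' "${UNICODE_HUMAN_RESULT}" | grep -qi "WARNING"; then
            exit 1
          fi
          exit 0
```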