Resolve hosts dynamically (#28)

GitHubSecurityLab · Jul 8, 2024 · f62d32c · f62d32c
1 parent b3e2b2b
commit f62d32c
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 35 deletions.
diff --git a/monitor/dist/index.js b/monitor/dist/index.js
@@ -123879,6 +123879,13 @@ async function run() {
       core.exportVariable('RUNNER_DEBUG', 1);
     }
 
+    const hosts = new Set();
+    hosts.add(process.env.GITHUB_SERVER_URL.split('/')[2].toLowerCase());
+    hosts.add(process.env.GITHUB_API_URL.split('/')[2].toLowerCase());
+    if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
+      hosts.add(process.env.ACTIONS_ID_TOKEN_REQUEST_URL.split('/')[2].toLowerCase());
+    }
+
     if (!!core.getState('isPost')) {
 
       let rootDir = '';
@@ -123906,14 +123913,6 @@ async function run() {
 
       const results = JSON.parse(`[${data.trim().replace(/\r?\n|\r/g, ',')}]`);
 
-      const hosts = new Set();
-      hosts.add('api.github.com');
-      hosts.add('github.com');
-      if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
-        const host = process.env.ACTIONS_ID_TOKEN_REQUEST_URL.split('/')[2];
-        hosts.add(host.toLowerCase());
-      }
-
       let permissions = new Map();
       for (const result of results) {
         if (!hosts.has(result.host.toLowerCase()))
@@ -123967,7 +123966,7 @@ async function run() {
       core.saveState('isPost', true)
       const { spawn } = __nccwpck_require__(32081);
 
-      bashArgs = ['-e', 'setup.sh'];
+      bashArgs = ['-e', 'setup.sh', Array.from(hosts).join(",")];
       if (debug)
         bashArgs.unshift('-v');
 

diff --git a/monitor/index.js b/monitor/index.js
@@ -29,6 +29,13 @@ async function run() {
       core.exportVariable('RUNNER_DEBUG', 1);
     }
 
+    const hosts = new Set();
+    hosts.add(process.env.GITHUB_SERVER_URL.split('/')[2].toLowerCase());
+    hosts.add(process.env.GITHUB_API_URL.split('/')[2].toLowerCase());
+    if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
+      hosts.add(process.env.ACTIONS_ID_TOKEN_REQUEST_URL.split('/')[2].toLowerCase());
+    }
+
     if (!!core.getState('isPost')) {
 
       let rootDir = '';
@@ -56,14 +63,6 @@ async function run() {
 
       const results = JSON.parse(`[${data.trim().replace(/\r?\n|\r/g, ',')}]`);
 
-      const hosts = new Set();
-      hosts.add('api.github.com');
-      hosts.add('github.com');
-      if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
-        const host = process.env.ACTIONS_ID_TOKEN_REQUEST_URL.split('/')[2];
-        hosts.add(host.toLowerCase());
-      }
-
       let permissions = new Map();
       for (const result of results) {
         if (!hosts.has(result.host.toLowerCase()))
@@ -117,7 +116,7 @@ async function run() {
       core.saveState('isPost', true)
       const { spawn } = require('child_process');
 
-      bashArgs = ['-e', 'setup.sh'];
+      bashArgs = ['-e', 'setup.sh', Array.from(hosts).join(",")];
       if (debug)
         bashArgs.unshift('-v');
 

diff --git a/monitor/mitm_plugin.py b/monitor/mitm_plugin.py
@@ -35,7 +35,7 @@ def is_public_repo(self, repo):
             return self.repo_map[repo]
 
         repo_path = 'repos' if '/' in repo else 'repositories'
-        url = f'https://api.github.com/{repo_path}/{repo}'
+        url = f'{ctx.options.GITHUB_API_URL}/{repo_path}/{repo}'
         response = requests.get(url, headers={'Authorization': 'Bearer %s' % ctx.options.token})
         if response.status_code == 200:
             self.repo_map[repo] = response.json()['private'] == False
@@ -248,11 +248,9 @@ def get_permission(self, path, method, query):
                     if id == 'issue_number':
                         url = ''
                         if path_segments[1] == 'repos':
-                            url = 'https://api.github.com/repos/%s/%s/pulls/%s' % (
-                                path_segments[2], path_segments[3], path_segments[5])
+                            url = f'{ctx.options.GITHUB_API_URL}/repos/{path_segments[2]}/{path_segments[3]}/pulls/{path_segments[5]}'
                         elif path_segments[1] == 'repositories':
-                            url = 'https://api.github.com/repositories/%s/pulls/%s' % (
-                                path_segments[2], path_segments[4])
+                            url = f'{ctx.options.GITHUB_API_URL}/repositories/{path_segments[2]}/pulls/path_segments[4]'
                         response = requests.get(
                             url, headers={'Authorization': 'Bearer %s' % ctx.options.token})
                         self.log_debug(
@@ -264,11 +262,9 @@ def get_permission(self, path, method, query):
                     elif id == 'comment_id':
                         url = ''
                         if path_segments[1] == 'repos':
-                            url = 'https://api.github.com/repos/%s/%s/issues/comments/%s' % (
-                                path_segments[2], path_segments[3], path_segments[6])
+                            url = f'{ctx.options.GITHUB_API_URL}/repos/{path_segments[2]}/{path_segments[3]}/issues/comments/{path_segments[6]}'
                         elif path_segments[1] == 'repositories':
-                            url = 'https://api.github.com/repositories/%s/issues/comments/%s' % (
-                                path_segments[2], path_segments[5])
+                            url = f'{ctx.options.GITHUB_API_URL}/repositories/{path_segments[2]}/issues/comments/{path_segments[5]}'
                         response = requests.get(
                             url, headers={'Authorization': 'Bearer %s' % ctx.options.token})
                         self.log_debug(
@@ -285,11 +281,9 @@ def get_permission(self, path, method, query):
                     elif id == 'event_id':
                         url = ''
                         if path_segments[1] == 'repos':
-                            url = 'https://api.github.com/repos/%s/%s/issues/events/%s' % (
-                                path_segments[2], path_segments[3], path_segments[6])
+                            url = f'{ctx.options.GITHUB_API_URL}/repos/{path_segments[2]}/{path_segments[3]}/issues/events/{path_segments[6]}'
                         elif path_segments[1] == 'repositories':
-                            url = 'https://api.github.com/repositories/%s/issues/events/%s' % (
-                                path_segments[2], path_segments[5])
+                            url = f'{ctx.options.GITHUB_API_URL}/repositories/{path_segments[2]}/issues/events/{path_segments[5]}'
                         response = requests.get(
                             url, headers={'Authorization': 'Bearer %s' % ctx.options.token})
                         self.log_debug(
@@ -451,6 +445,12 @@ def load(self, loader):
             default='',
             help='Comma delimited list of hosts to monitor',
         )
+        loader.add_option(
+            name='GITHUB_API_URL',
+            typespec=str,
+            default='',
+            help='GITHUB_API_URL environment variable',
+        )
 
     def log_debug(self, msg):
         if ctx.options.debug:
@@ -487,6 +487,10 @@ def configure(self, updates):
             print('error: GITHUB_REPOSITORY is empty')
             sys.exit(1)
 
+        if not bool(ctx.options.GITHUB_API_URL):
+            print('error: GITHUB_API_URL is empty')
+            sys.exit(1)
+
         self.id_token_request_url = None
         if bool(ctx.options.ACTIONS_ID_TOKEN_REQUEST_URL):
             self.id_token_request_url = urlsplit(ctx.options.ACTIONS_ID_TOKEN_REQUEST_URL)

diff --git a/monitor/setup.sh b/monitor/setup.sh
@@ -2,6 +2,20 @@
 
 set -e
 
+# build the filter regex for mitmproxy --allow-hosts
+filter='\b('
+first=true
+IFS=',' read -ra args <<< "$@"
+for arg in "${args[@]}"; do
+  if [ "$first" = true ] ; then
+    first=false
+  else
+    filter+='|'
+  fi
+  filter+=${arg//./\\.}
+done
+filter+=')(:\d+)?|$'
+
 if [ "$RUNNER_OS" = "macOS" ]; then
 
   echo "runner ALL=(ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers
@@ -65,19 +79,20 @@ if [ "$RUNNER_OS" = "macOS" ]; then
   sudo -u mitmproxyuser -H bash -e -c "cd /Users/mitmproxyuser && /Users/mitmproxyuser/mitmproxy/venv/bin/mitmdump \
           --mode transparent \
           --showhost \
-          --allow-hosts '\bgithub\.com(:\d+)$' \
+          --allow-hosts '$filter' \
           -q \
           `#--set termlog_verbosity=debug` \
           `#--set proxy_debug=true` \
           -s /Users/mitmproxyuser/mitm_plugin.py \
           --set output='/Users/mitmproxyuser/out.txt' \
           --set token='$INPUT_TOKEN' \
-          --set hosts='api.github.com,github.com' \
+          --set hosts=$@ \
           --set debug='$RUNNER_DEBUG' \
           --set ACTIONS_ID_TOKEN_REQUEST_URL='$ACTIONS_ID_TOKEN_REQUEST_URL' \
           --set ACTIONS_ID_TOKEN_REQUEST_TOKEN='$ACTIONS_ID_TOKEN_REQUEST_TOKEN' \
           --set GITHUB_REPOSITORY_ID='$GITHUB_REPOSITORY_ID' \
           --set GITHUB_REPOSITORY='$GITHUB_REPOSITORY' \
+          --set GITHUB_API_URL='$GITHUB_API_URL' \
           &"
           # >>/Users/mitmproxyuser/out.txt 2>&1
 
@@ -118,19 +133,20 @@ elif [ "$RUNNER_OS" = "Linux" ]; then
       /home/mitmproxyuser/mitmproxy/venv/bin/mitmdump \
           --mode transparent \
           --showhost \
-          --allow-hosts '\bgithub\.com(:\d+)$' \
+          --allow-hosts '$filter' \
           -q \
           `#--set termlog_verbosity=debug` \
           `#--set proxy_debug=true` \
           -s /home/mitmproxyuser/mitm_plugin.py \
           --set output='/home/mitmproxyuser/out.txt' \
           --set token='$INPUT_TOKEN' \
-          --set hosts='api.github.com,github.com' \
+          --set hosts=$@ \
           --set debug='$RUNNER_DEBUG' \
           --set ACTIONS_ID_TOKEN_REQUEST_URL='$ACTIONS_ID_TOKEN_REQUEST_URL' \
           --set ACTIONS_ID_TOKEN_REQUEST_TOKEN='$ACTIONS_ID_TOKEN_REQUEST_TOKEN' \
           --set GITHUB_REPOSITORY_ID='$GITHUB_REPOSITORY_ID' \
           --set GITHUB_REPOSITORY='$GITHUB_REPOSITORY' \
+          --set GITHUB_API_URL='$GITHUB_API_URL' \
           &"
           # >>/home/mitmproxyuser/out.txt 2>&1