Skip to content

chore: Cherry-pick v2.16-master#130

Closed
anurag-stepsecurity wants to merge 2 commits into
mainfrom
cherry-pick-v2.16-master
Closed

chore: Cherry-pick v2.16-master#130
anurag-stepsecurity wants to merge 2 commits into
mainfrom
cherry-pick-v2.16-master

Conversation

@anurag-stepsecurity

Copy link
Copy Markdown
Contributor

No description provided.

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity

Copy link
Copy Markdown
Contributor Author

📦 Target Release Version: v2.18
📋 Previous Release Version: v2.16

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Node-based action review - see inline comments for details.

1 similar comment
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Node-based action review - see inline comments for details.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

PR Review

Action Type

Node-based action (uses node24 runtime with dist/index.js entry point).


Passed Checks

  • License file present in repository
  • action.yml present with author: step-security
  • SECURITY.md present
  • FUNDING.yml not present
  • .github/workflows/auto_cherry_pick.yml present
  • .github/workflows/actions_release.yml present
  • renovate.json not present
  • PULL_REQUEST.md not present
  • ISSUE_TEMPLATE folder not present
  • CHANGELOG.md not present
  • .vscode folder not present
  • README.md uses only major version tag (step-security/increment@v2) - no full semver tag
  • README.md contains the StepSecurity Maintained Action banner
  • Subscription check present and calls correct URL (https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription)
  • Upstream value "action-pack/increment" correctly matches original-owner/repo-name from auto_cherry_pick.yml
  • package.json repository field contains step-security
  • dist folder present with compiled index.js
  • package.json has a build script (no need to verify script input in workflow files)

Failed Checks

  • LICENSE missing original author copyright - LICENSE only contains Copyright (c) 2024 StepSecurity. Must also credit the original upstream author (action-pack/increment).

  • Unused dependency @actions/http-client - Declared in package.json dependencies but never imported or used in index.js. All HTTP calls are made via axios. This unused dependency should be removed.


Warnings

  • The name == empty string empty-name guard is placed inside the first try block. While functionally correct today (a plain Error has no .status so it is not silently swallowed by the 404 check), the intent would be clearer if this guard is placed before the try block, ahead of the getVariable call.

Security Findings

  • POSITIVE: This PR adds encodeURIComponent() to variable names in URL construction for setVariable and getVariable, preventing URL-path injection via crafted variable names. This is a security improvement.
  • POSITIVE: Broken ANSI escape sequences (missing ESC prefix) are fixed with correct Unicode escapes; the old code emitted raw bracket characters to logs instead of colors.
  • No new security vulnerabilities introduced.

Summary

The cherry-pick brings meaningful correctness improvements (strict amount parsing, URL-safe encoding, ANSI escape fix) from upstream. Two issues must be resolved before merging: the LICENSE file must also credit the original upstream author alongside StepSecurity, and the unused @actions/http-client dependency must be removed from package.json.

Comment thread index.js

let url = "PATCH " + path_();
url += "/actions/variables/" + name;
url += "/actions/variables/" + encodeURIComponent(name);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good fix: adding encodeURIComponent() here prevents URL-path injection if a variable name contains /, ?, #, or other special characters. Same fix applied correctly to getVariable at the equivalent line below.

Comment thread index.js

try {

if (name === "") {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This guard works correctly — a plain new Error(...) has no .status property, so the catch clause will not swallow it silently (it sees e.status !== 404 → true → calls setFailed and returns). However, the intent would be clearer if this check is moved before the outer try block, since there is no reason to attempt the API call when the name is already known to be empty.

@anurag-stepsecurity

Copy link
Copy Markdown
Contributor Author

Superseded by #132.

@anurag-stepsecurity anurag-stepsecurity deleted the cherry-pick-v2.16-master branch July 9, 2026 08:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant