diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml
index e5ba7b98..afde7fe5 100644
--- a/.github/workflows/changesets.yml
+++ b/.github/workflows/changesets.yml
@@ -9,6 +9,8 @@ jobs:
 changesets:
 name: Changesets
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 # Checkout this repository
 - name: Checkout Repo
diff --git a/.github/workflows/contracts.yml b/.github/workflows/contracts.yml
index 997e3bbc..96ff7b74 100644
--- a/.github/workflows/contracts.yml
+++ b/.github/workflows/contracts.yml
@@ -11,6 +11,8 @@ jobs:
 contracts_run_ts_tests:
 name: Run Typescript Tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v5
@@ -31,6 +33,8 @@ jobs:
 contracts_run_cairo_tests:
 name: Run Cairo Tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v5
diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml
index 200364d3..e118a8d3 100644
--- a/.github/workflows/examples.yml
+++ b/.github/workflows/examples.yml
@@ -11,6 +11,8 @@ jobs:
 run_examples_tests:
 name: Run Tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v5
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 94f4e2f4..7f239c73 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -7,6 +7,8 @@ jobs:
 golangci-lint-version:
 name: Get golangci-lint version to from nix
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v5
@@ -30,6 +32,8 @@ jobs:
 golang_lint_relayer:
 name: Golang Lint Relayer
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 needs: [golangci-lint-version]
 steps:
 - name: Checkout sources
diff --git a/.github/workflows/integration_gauntlet.yml b/.github/workflows/integration_gauntlet.yml
index 3ebd2f60..b294867e 100644
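Review bot: A job-level `permissions:` block narrows only that job's GITHUB_TOKEN; any job added to these workflows later still receives the repository's default token scope, so a top-level `permissions: {}` (or `permissions: contents: read`) in each workflow, with job-level blocks used only to widen, would make least privilege the default rather than something every job has to opt into. The same applies to the contracts, examples, golangci-lint, integration_gauntlet, lint, relayer, sonar-scan and static-analysis hunks. Whether `contents: read` is sufficient cannot be checked from these hunks because every job's steps continue outside them; the Changesets job and the sonar-scan `wait_for_workflows` job are the ones most likely to need more (e.g. `pull-requests: write` to open a version PR, or `actions: read` to query other workflow runs), and an insufficient scope surfaces only as a runtime 403 in the affected step, not at workflow parse time.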
--- a/.github/workflows/integration_gauntlet.yml
+++ b/.github/workflows/integration_gauntlet.yml
@@ -13,6 +13,8 @@ jobs:
 env:
 CI: true
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 with:
@@ -39,6 +41,8 @@ jobs:
 integration_gauntlet_run_tests:
 name: Run Integration Gauntlet Tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v5
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 976cfa23..f7d59932 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,6 +11,8 @@ jobs:
 lint_format_check:
 name: Format Check
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v5
diff --git a/.github/workflows/relayer.yml b/.github/workflows/relayer.yml
index d4d7a1e9..46617903 100644
--- a/.github/workflows/relayer.yml
+++ b/.github/workflows/relayer.yml
@@ -11,6 +11,8 @@ jobs:
 relayer_run_unit_tests:
 name: Run Unit Tests ${{ matrix.test-type.name }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/sonar-scan.yml b/.github/workflows/sonar-scan.yml
index e13d6f1f..0c3e7e62 100644
--- a/.github/workflows/sonar-scan.yml
+++ b/.github/workflows/sonar-scan.yml
@@ -7,6 +7,8 @@ jobs:
 wait_for_workflows:
 name: Wait for workflows
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 if: always()
 steps:
 - name: Checkout Repository
@@ -31,6 +33,8 @@ jobs:
 name: SonarQube Scan
 needs: [wait_for_workflows]
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 if: always()
 steps:
 - name: Checkout the repo
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index aaeaf9e6..d9d033fa 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -11,6 +11,8 @@ jobs:
 zizmor_analyzer:
 name: Zizmor
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v5
diff --git a/.helm-repositories.yaml b/.helm-repositories.yaml
index 4f875a2b..d18c2ec2 100644
--- a/.helm-repositories.yaml
+++ b/.helm-repositories.yaml
@@ -1,3 +1,5 @@
+# Helm repository config for public charts. Empty password/username fields are intentional -
+# these are public chart repositories (bitnami, chainlink-qa, grafana) that do not require authentication.
 apiVersion: ''
 generated: '0001-01-01T00:00:00Z'
 repositories:
diff --git a/ops/localenv/main.go b/ops/localenv/main.go
index e1ed097d..1f18196f 100644
--- a/ops/localenv/main.go
+++ b/ops/localenv/main.go
@@ -8,6 +8,7 @@ import (
 "os/exec"
 "strings"
 "sync"
+ "unicode"
 
 "github.com/smartcontractkit/chainlink-starknet/ops/utils"
 )
@@ -87,7 +88,7 @@ func run(name string, f string, args ...string) {
 panic(err)
 }
 
- // stream output to cmd line
+ // stream output to cmd line (sanitized to prevent log injection)
 var wg sync.WaitGroup
 wg.Add(2)
 go func() {
@@ -98,7 +99,7 @@ func run(name string, f string, args ...string) {
 wg.Done()
 break
 }
- fmt.Print(string(p[:n]))
+ fmt.Print(sanitizeForLog(string(p[:n])))
 }
 }()
 go func() {
@@ -109,7 +110,7 @@ func run(name string, f string, args ...string) {
 wg.Done()
 break
 }
- fmt.Print(string(p[:n]))
+ fmt.Print(sanitizeForLog(string(p[:n])))
 }
 }()
 
@@ -122,3 +123,19 @@ func run(name string, f string, args ...string) {
 panic(err)
 }
 }
+
+// sanitizeForLog replaces control characters to prevent log injection from subprocess output.
+func sanitizeForLog(s string) string {
+ var b strings.Builder
+ for _, r := range s {
+ switch {
+ case r == '\n', r == '\r':
+ b.WriteString(" ")
+ case unicode.IsControl(r):
+ b.WriteString(" ")
+ default:
+ b.WriteRune(r)
+ }
+ }
+ return b.String()
+}
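Review bot: `sanitizeForLog` maps `\n` to a space, so the child-process output that the two read loops stream with `fmt.Print` (hunks at new lines 99 and 110) loses its line structure entirely — `fmt.Print` adds no newline of its own, so a whole stdout/stderr stream is now rendered as one ever-growing line. Keeping the line break while still neutralising the rest is a two-line change in the @@ -122 hunk: `case r == '\n':` followed by `b.WriteRune(r)`, since `\r` is already caught by the `unicode.IsControl` case beneath it. A second regression comes from the call sites: `range s` decodes each `p[:n]` chunk as UTF-8, so a multi-byte rune split across two reads becomes `utf8.RuneError` and is emitted as U+FFFD where the old `fmt.Print(string(p[:n]))` passed the bytes through intact; if `p` is a fixed-size buffer as the slicing suggests, reading line-wise (e.g. `bufio.Reader.ReadString('\n')`) in both goroutines and sanitising complete lines avoids this and also keeps the C1-control check meaningful, since it only matches correctly decoded runes. Note too that `unicode.IsControl` covers category Cc only, so format characters such as bidi overrides still pass — acceptable if the goal is only to stop forged log lines, worth adding `unicode.Is(unicode.Cf, r)` if terminal-rendering tricks are in scope. Both goroutines begin outside their hunks.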