
Commit e3b4bd0

Merge pull request #320 from microsoft/pipeline-securityfix
ci: Fixed Pipeline Security vulnerability
2 parents 53439a4 + 15fad72 commit e3b4bd0

4 files changed

Lines changed: 162 additions & 6 deletions


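--- a/.github/workflows/deploy-orchestrator.yml
+++ b/.github/workflows/deploy-orchestrator.yml
@@ -78,7 +78,7 @@ jobs:
 secrets: inherit
 
 deploy:
-if: "!cancelled() && (inputs.trigger_type != 'workflow_dispatch' || inputs.existing_webapp_url == '' || inputs.existing_webapp_url == null)"
+if: "!cancelled() && (needs.docker-build.result == 'success' || needs.docker-build.result == 'skipped') && (inputs.trigger_type != 'workflow_dispatch' || inputs.existing_webapp_url == '' || inputs.existing_webapp_url == null)"
 needs: docker-build
 uses: ./.github/workflows/job-deploy.yml
 with: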
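Review bot: The new `if:` admits `needs.docker-build.result == 'skipped'` as a precondition for `deploy` without recording why a skipped build is acceptable, and a reader tightening this gate later has no way to tell whether that branch is deliberate. A one-line comment above the `if:` would settle it, e.g. `# docker-build is skipped when an existing image is reused; deploy must still run in that case`. That reason is only inferred from the "Skipping ACR name configuration (using existing image)" message in job-deploy-linux.yml in this same commit, so confirm it before adopting the wording. The `deploy` job's `with:` block continues past the hunk.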

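--- a/.github/workflows/job-deploy-linux.yml
+++ b/.github/workflows/job-deploy-linux.yml
@@ -226,8 +226,8 @@ jobs:
 set -e
 
 echo "Creating environment..."
-azd env new $ENV_NAME --no-prompt
-echo "Environment created: $ENV_NAME"
+azd env new "$INPUT_ENV_NAME" --no-prompt
+echo "Environment created: $INPUT_ENV_NAME"
 
 echo "Setting default subscription..."
 azd config set defaults.subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
@@ -240,14 +240,14 @@ jobs:
 azd env set AZURE_ENV_IMAGETAG="$INPUT_IMAGE_TAG"
 
 if [[ "$INPUT_BUILD_DOCKER_IMAGE" == "true" ]]; then
-ACR_NAME=$(echo "${{ secrets.ACR_TEST_LOGIN_SERVER }}")
+ACR_NAME="${{ secrets.ACR_TEST_LOGIN_SERVER }}"
 azd env set AZURE_ENV_ACR_NAME="$ACR_NAME"
 echo "Set ACR name to: $ACR_NAME"
 else
 echo "Skipping ACR name configuration (using existing image)"
 fi
 
-if [[ "$EXP" == "true" ]]; then
+if [[ "$INPUT_EXP" == "true" ]]; then
 echo "✅ EXP ENABLED - Setting EXP parameters..."
 
 if [[ -n "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" ]]; then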
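Review bot: `ACR_NAME="${{ secrets.ACR_TEST_LOGIN_SERVER }}"` on the new side of the second hunk still interpolates the expression into the script text before bash parses it, so the move-to-`env:` pattern this commit applies to `INPUT_ENV_NAME` in the first hunk is not applied here; the unchanged `azd config set defaults.subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}` line has the same shape and is additionally unquoted. Secrets are repository-controlled rather than caller-controlled, so the exposure is lower than for `inputs.*`, but a value containing a double quote or `$` would still alter the script rather than the argument. Route both through the step's `env:` like the other inputs: `ACR_LOGIN_SERVER: ${{ secrets.ACR_TEST_LOGIN_SERVER }}` under `env:` and `ACR_NAME="$ACR_LOGIN_SERVER"` in the script. The step's `env:` block and the start of the `run:` script are outside the hunk, so I cannot confirm where `INPUT_ENV_NAME` and `INPUT_EXP` are set.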

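--- a/.github/workflows/job-deploy-windows.yml
+++ b/.github/workflows/job-deploy-windows.yml
@@ -231,7 +231,7 @@ jobs:
 Write-Host "Using Docker Image Tag: $env:INPUT_IMAGE_TAG"
 
 Write-Host "Creating environment..."
-azd env new $env:INPUT_ENV_NAME --no-prompt
+azd env new "$env:INPUT_ENV_NAME" --no-prompt
 Write-Host "Environment created: $env:INPUT_ENV_NAME"
 
 Write-Host "Setting default subscription..."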
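Review bot: Quoting `"$env:INPUT_ENV_NAME"` stops PowerShell from splitting the value on whitespace but does not constrain what the value is, and nothing in this hunk checks that the environment name has the expected shape before it reaches `azd env new`. If the name is not validated elsewhere in this job (the step begins above the hunk, so I cannot see), a guard such as `if ($env:INPUT_ENV_NAME -notmatch '^[A-Za-z0-9-]+$') { throw "invalid INPUT_ENV_NAME" }` before the call would mirror the allow-list validation this commit adds to job-send-notification.yml. The pattern is a constructed example; align it with what azd actually accepts for environment names.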

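--- a/.github/workflows/job-send-notification.yml
+++ b/.github/workflows/job-send-notification.yml
@@ -77,6 +77,162 @@ jobs:
 env:
 accelerator_name: "Code Modernization"
 steps:
+- name: Validate Workflow Input Parameters
+shell: bash
+env:
+INPUT_TRIGGER_TYPE: ${{ inputs.trigger_type }}
+INPUT_WAF_ENABLED: ${{ inputs.waf_enabled }}
+INPUT_EXP: ${{ inputs.EXP }}
+INPUT_RUN_E2E_TESTS: ${{ inputs.run_e2e_tests }}
+INPUT_EXISTING_WEBAPP_URL: ${{ inputs.existing_webapp_url }}
+INPUT_DEPLOY_RESULT: ${{ inputs.deploy_result }}
+INPUT_E2E_TEST_RESULT: ${{ inputs.e2e_test_result }}
+INPUT_CONTAINER_WEB_APPURL: ${{ inputs.CONTAINER_WEB_APPURL }}
+INPUT_RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
+INPUT_QUOTA_FAILED: ${{ inputs.QUOTA_FAILED }}
+INPUT_TEST_SUCCESS: ${{ inputs.TEST_SUCCESS }}
+INPUT_TEST_REPORT_URL: ${{ inputs.TEST_REPORT_URL }}
+run: |
+echo "🔍 Validating workflow input parameters..."
+VALIDATION_FAILED=false
+
+# Validate trigger_type (required - alphanumeric with underscores)
+if [[ -z "$INPUT_TRIGGER_TYPE" ]]; then
+echo "❌ ERROR: trigger_type is required but was not provided"
+VALIDATION_FAILED=true
+elif [[ ! "$INPUT_TRIGGER_TYPE" =~ ^[a-zA-Z0-9_]+$ ]]; then
+echo "❌ ERROR: trigger_type '$INPUT_TRIGGER_TYPE' is invalid. Must contain only alphanumeric characters and underscores"
+VALIDATION_FAILED=true
+else
+echo "✅ trigger_type: '$INPUT_TRIGGER_TYPE' is valid"
+fi
+
+# Validate waf_enabled (boolean)
+if [[ "$INPUT_WAF_ENABLED" != "true" && "$INPUT_WAF_ENABLED" != "false" ]]; then
+echo "❌ ERROR: waf_enabled must be 'true' or 'false', got: '$INPUT_WAF_ENABLED'"
+VALIDATION_FAILED=true
+else
+echo "✅ waf_enabled: '$INPUT_WAF_ENABLED' is valid"
+fi
+
+# Validate EXP (boolean)
+if [[ "$INPUT_EXP" != "true" && "$INPUT_EXP" != "false" ]]; then
+echo "❌ ERROR: EXP must be 'true' or 'false', got: '$INPUT_EXP'"
+VALIDATION_FAILED=true
+else
+echo "✅ EXP: '$INPUT_EXP' is valid"
+fi
+
+# Validate run_e2e_tests (specific allowed values)
+if [[ -n "$INPUT_RUN_E2E_TESTS" ]]; then
+ALLOWED_VALUES=("None" "GoldenPath-Testing" "Smoke-Testing")
+if [[ ! " ${ALLOWED_VALUES[@]} " =~ " ${INPUT_RUN_E2E_TESTS} " ]]; then
+echo "❌ ERROR: run_e2e_tests '$INPUT_RUN_E2E_TESTS' is invalid. Allowed values: ${ALLOWED_VALUES[*]}"
+VALIDATION_FAILED=true
+else
+echo "✅ run_e2e_tests: '$INPUT_RUN_E2E_TESTS' is valid"
+fi
+fi
+
+# Validate existing_webapp_url (must start with https if provided)
+if [[ -n "$INPUT_EXISTING_WEBAPP_URL" ]]; then
+if [[ ! "$INPUT_EXISTING_WEBAPP_URL" =~ ^https:// ]]; then
+echo "❌ ERROR: existing_webapp_url must start with 'https://', got: '$INPUT_EXISTING_WEBAPP_URL'"
+VALIDATION_FAILED=true
+else
+echo "✅ existing_webapp_url: '$INPUT_EXISTING_WEBAPP_URL' is valid"
+fi
+fi
+
+# Validate deploy_result (required, must be specific values)
+if [[ -z "$INPUT_DEPLOY_RESULT" ]]; then
+echo "❌ ERROR: deploy_result is required but not provided"
+VALIDATION_FAILED=true
+else
+ALLOWED_DEPLOY_RESULTS=("success" "failure" "skipped")
+if [[ ! " ${ALLOWED_DEPLOY_RESULTS[@]} " =~ " ${INPUT_DEPLOY_RESULT} " ]]; then
+echo "❌ ERROR: deploy_result '$INPUT_DEPLOY_RESULT' is invalid. Allowed values: ${ALLOWED_DEPLOY_RESULTS[*]}"
+VALIDATION_FAILED=true
+else
+echo "✅ deploy_result: '$INPUT_DEPLOY_RESULT' is valid"
+fi
+fi
+
+# Validate e2e_test_result (required, must be specific values)
+if [[ -z "$INPUT_E2E_TEST_RESULT" ]]; then
+echo "❌ ERROR: e2e_test_result is required but not provided"
+VALIDATION_FAILED=true
+else
+ALLOWED_TEST_RESULTS=("success" "failure" "skipped")
+if [[ ! " ${ALLOWED_TEST_RESULTS[@]} " =~ " ${INPUT_E2E_TEST_RESULT} " ]]; then
+echo "❌ ERROR: e2e_test_result '$INPUT_E2E_TEST_RESULT' is invalid. Allowed values: ${ALLOWED_TEST_RESULTS[*]}"
+VALIDATION_FAILED=true
+else
+echo "✅ e2e_test_result: '$INPUT_E2E_TEST_RESULT' is valid"
+fi
+fi
+
+# Validate CONTAINER_WEB_APPURL (must start with https if provided)
+if [[ -n "$INPUT_CONTAINER_WEB_APPURL" ]]; then
+if [[ ! "$INPUT_CONTAINER_WEB_APPURL" =~ ^https:// ]]; then
+echo "❌ ERROR: CONTAINER_WEB_APPURL must start with 'https://', got: '$INPUT_CONTAINER_WEB_APPURL'"
+VALIDATION_FAILED=true
+else
+echo "✅ CONTAINER_WEB_APPURL: '$INPUT_CONTAINER_WEB_APPURL' is valid"
+fi
+fi
+
+# Validate RESOURCE_GROUP_NAME (Azure resource group naming convention if provided)
+if [[ -n "$INPUT_RESOURCE_GROUP_NAME" ]]; then
+if [[ ! "$INPUT_RESOURCE_GROUP_NAME" =~ ^[a-zA-Z0-9._\(\)-]+$ ]] || [[ "$INPUT_RESOURCE_GROUP_NAME" =~ \.$ ]]; then
+echo "❌ ERROR: RESOURCE_GROUP_NAME '$INPUT_RESOURCE_GROUP_NAME' is invalid. Must contain only alphanumerics, periods, underscores, hyphens, and parentheses. Cannot end with period."
+VALIDATION_FAILED=true
+elif [[ ${#INPUT_RESOURCE_GROUP_NAME} -gt 90 ]]; then
+echo "❌ ERROR: RESOURCE_GROUP_NAME '$INPUT_RESOURCE_GROUP_NAME' exceeds 90 characters"
+VALIDATION_FAILED=true
+else
+echo "✅ RESOURCE_GROUP_NAME: '$INPUT_RESOURCE_GROUP_NAME' is valid"
+fi
+fi
+
+# Validate QUOTA_FAILED (must be 'true' or 'false')
+if [[ "$INPUT_QUOTA_FAILED" != "true" && "$INPUT_QUOTA_FAILED" != "false" ]]; then
+echo "❌ ERROR: QUOTA_FAILED must be 'true' or 'false', got: '$INPUT_QUOTA_FAILED'"
+VALIDATION_FAILED=true
+else
+echo "✅ QUOTA_FAILED: '$INPUT_QUOTA_FAILED' is valid"
+fi
+
+# Validate TEST_SUCCESS (must be 'true' or 'false' or empty)
+if [[ -n "$INPUT_TEST_SUCCESS" ]]; then
+if [[ "$INPUT_TEST_SUCCESS" != "true" && "$INPUT_TEST_SUCCESS" != "false" ]]; then
+echo "❌ ERROR: TEST_SUCCESS must be 'true', 'false', or empty, got: '$INPUT_TEST_SUCCESS'"
+VALIDATION_FAILED=true
+else
+echo "✅ TEST_SUCCESS: '$INPUT_TEST_SUCCESS' is valid"
+fi
+fi
+
+# Validate TEST_REPORT_URL (must start with https if provided)
+if [[ -n "$INPUT_TEST_REPORT_URL" ]]; then
+if [[ ! "$INPUT_TEST_REPORT_URL" =~ ^https:// ]]; then
+echo "❌ ERROR: TEST_REPORT_URL must start with 'https://', got: '$INPUT_TEST_REPORT_URL'"
+VALIDATION_FAILED=true
+else
+echo "✅ TEST_REPORT_URL: '$INPUT_TEST_REPORT_URL' is valid"
+fi
+fi
+
+# Fail workflow if any validation failed
+if [[ "$VALIDATION_FAILED" == "true" ]]; then
+echo ""
+echo "❌ Parameter validation failed. Please correct the errors above and try again."
+exit 1
+fi
+
+echo ""
+echo "✅ All input parameters validated successfully!"
+
 - name: Determine Test Suite Display Name
 id: test_suite
 shell: bash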
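Review bot: The allow-list checks for `run_e2e_tests`, `deploy_result` and `e2e_test_result` test substring membership (`" ${ALLOWED_VALUES[@]} " =~ " ${INPUT_RUN_E2E_TESTS} "`), so a value that is a space-separated run of adjacent allowed entries, for example `success failure`, is reported as valid. Replace the substring test with an exact comparison against each entry; the helper below can be defined once after `VALIDATION_FAILED=false` and reused for all three lists. Separately, the `RESOURCE_GROUP_NAME` pattern escapes parentheses inside a bracket expression (`\(\)`), which bash may hand to the regex engine with a literal backslash added to the set; `^[a-zA-Z0-9._()-]+$` expresses the same rule without that ambiguity. The URL checks only confirm the `https://` prefix, which is likely adequate if the values are only echoed into a notification, but the comment above each check should say that stricter host validation is intentionally not done.

```bash
VALIDATION_FAILED=false

# in_list VALUE ITEM... — succeeds only when VALUE equals one ITEM exactly
in_list() {
  local needle="$1"; shift
  local item
  for item in "$@"; do
    [[ "$needle" == "$item" ]] && return 0
  done
  return 1
}

# … unchanged: trigger_type, waf_enabled and EXP checks …

if [[ -n "$INPUT_RUN_E2E_TESTS" ]]; then
  ALLOWED_VALUES=("None" "GoldenPath-Testing" "Smoke-Testing")
  if ! in_list "$INPUT_RUN_E2E_TESTS" "${ALLOWED_VALUES[@]}"; then
    echo "❌ ERROR: run_e2e_tests '$INPUT_RUN_E2E_TESTS' is invalid. Allowed values: ${ALLOWED_VALUES[*]}"
    VALIDATION_FAILED=true
  # … unchanged: else branch …
  fi
fi

# … same in_list replacement for the deploy_result and e2e_test_result checks; rest unchanged …
```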
