From 65ab4ab1c92ec9330303cf5ae978c35cca57ec52 Mon Sep 17 00:00:00 2001
From: Dave Buchanan
Date: Wed, 25 Oct 2023 17:12:43 -0700
Subject: [PATCH 1/4] Adding a temporary fix to stop non-maintainers from RCE

---
 cicd/2-cicd/cicd.template.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml
index 831955a..21e5e1e 100644
--- a/cicd/2-cicd/cicd.template.yml
+++ b/cicd/2-cicd/cicd.template.yml
@@ -152,7 +152,9 @@ Resources:
 Type: BASE_REF
 - Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED
 Type: EVENT
-
+ # Manual PAUSE button, to disable non-GitHib-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
+ - - Pattern: ^(AfifahK|allison-code-dot-org|amy-b|angD13|annaxuphoto|artem-vavilov|bakerfranke|bdmesh|bencodeorg|bethanyaconnor|breville|carl-codeorg|cat5inthecradle|cearachew|code-org|dancodedotorg|davidsbailey|daynew|deploy-cod-org|dju90|dmantonyuk|dmcavoy|ebeastlake|Erin007|etaderhold|fisher-alice|hadipartovi|Hamms|hannahbergam|jamjamgobambam|jmkulwik|jordan-springer|juanmanzojr|kakiha11|katiejofr|kelbyhawn|kobryan0619|levadadenys|lfryemason|maribethb|markabarrett|mcatullo|mgc1194|mikeharv|molly-moen|moneppo|nataliazm99|nicklathe|Nokondi|onlinecsteacher|pablo-code-org|rshipp|samantha-code|sanchitmalhotra126|simonguest|snickell|sureshc|tess323|thomasoniii|tjcodeorg|tshaffercodeorg|TurnerRiley|unlox775-code-dot-org|vijayamanohararaj|wilkie)$
+ Type: ACTOR_ACCOUNT_ID
 # The CodeBuild Project is used in the CodePipeline pipeline to prepare for a release.
 # It will perform any steps defined in the referenced buildspec.yml file.
 AppBuildProject:
From 66feeba5c16fe99854df1c20d2a1520a7042b2d3 Mon Sep 17 00:00:00 2001
From: Darin Webb
Date: Wed, 25 Oct 2023 20:30:05 -0500
Subject: [PATCH 2/4] include actor filter in main filter group

---
 cicd/2-cicd/cicd.template.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml
index 21e5e1e..0faa7b6 100644
--- a/cicd/2-cicd/cicd.template.yml
+++ b/cicd/2-cicd/cicd.template.yml
@@ -152,8 +152,8 @@ Resources:
 Type: BASE_REF
 - Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED
 Type: EVENT
- # Manual PAUSE button, to disable non-GitHib-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
- - - Pattern: ^(AfifahK|allison-code-dot-org|amy-b|angD13|annaxuphoto|artem-vavilov|bakerfranke|bdmesh|bencodeorg|bethanyaconnor|breville|carl-codeorg|cat5inthecradle|cearachew|code-org|dancodedotorg|davidsbailey|daynew|deploy-cod-org|dju90|dmantonyuk|dmcavoy|ebeastlake|Erin007|etaderhold|fisher-alice|hadipartovi|Hamms|hannahbergam|jamjamgobambam|jmkulwik|jordan-springer|juanmanzojr|kakiha11|katiejofr|kelbyhawn|kobryan0619|levadadenys|lfryemason|maribethb|markabarrett|mcatullo|mgc1194|mikeharv|molly-moen|moneppo|nataliazm99|nicklathe|Nokondi|onlinecsteacher|pablo-code-org|rshipp|samantha-code|sanchitmalhotra126|simonguest|snickell|sureshc|tess323|thomasoniii|tjcodeorg|tshaffercodeorg|TurnerRiley|unlox775-code-dot-org|vijayamanohararaj|wilkie)$
+ # Manual PAUSE button, to disable non-GitHib-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
+ - Pattern: ^(AfifahK|allison-code-dot-org|amy-b|angD13|annaxuphoto|artem-vavilov|bakerfranke|bdmesh|bencodeorg|bethanyaconnor|breville|carl-codeorg|cat5inthecradle|cearachew|code-org|dancodedotorg|davidsbailey|daynew|deploy-cod-org|dju90|dmantonyuk|dmcavoy|ebeastlake|Erin007|etaderhold|fisher-alice|hadipartovi|Hamms|hannahbergam|jamjamgobambam|jmkulwik|jordan-springer|juanmanzojr|kakiha11|katiejofr|kelbyhawn|kobryan0619|levadadenys|lfryemason|maribethb|markabarrett|mcatullo|mgc1194|mikeharv|molly-moen|moneppo|nataliazm99|nicklathe|Nokondi|onlinecsteacher|pablo-code-org|rshipp|samantha-code|sanchitmalhotra126|simonguest|snickell|sureshc|tess323|thomasoniii|tjcodeorg|tshaffercodeorg|TurnerRiley|unlox775-code-dot-org|vijayamanohararaj|wilkie)$
 Type: ACTOR_ACCOUNT_ID
 # The CodeBuild Project is used in the CodePipeline pipeline to prepare for a release.
 # It will perform any steps defined in the referenced buildspec.yml file.
From 55d3213881a8095e744ad0dd28960a8a9590a592 Mon Sep 17 00:00:00 2001
From: Dave Buchanan
Date: Thu, 26 Oct 2023 08:45:20 -0700
Subject: [PATCH 3/4] Switching to ID's

---
 cicd/2-cicd/cicd.template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml
index 0faa7b6..f3f28d1 100644
--- a/cicd/2-cicd/cicd.template.yml
+++ b/cicd/2-cicd/cicd.template.yml
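Review bot: The ACTOR_ACCOUNT_ID filter now ANDed into the main group restricts who can trigger the build, not whose code is built: a listed maintainer reopening a pull request that comes from a fork, or pushing an update to its branch, still satisfies BASE_REF, EVENT and ACTOR together and builds that fork's head commit, so the exposure named in the series title is narrowed rather than closed (assuming PULL_REQUEST_UPDATED and PULL_REQUEST_REOPENED track the PR's synchronize and reopened events). The comment on the new line should record this residual condition so the "pause button" is not mistaken for a full fix, e.g. `# Gates the triggering actor only; a listed maintainer reopening or updating a fork PR still builds that fork's head — review the diff before doing either`. Moving the filter into the existing group rather than keeping it as a second group is the right shape, since filters within one group must all match while separate groups are alternatives. The filter group this hunk edits begins above the hunk.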
@@ -153,7 +153,7 @@ Resources:
 - Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED
 Type: EVENT
 # Manual PAUSE button, to disable non-GitHib-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
- - Pattern: ^(AfifahK|allison-code-dot-org|amy-b|angD13|annaxuphoto|artem-vavilov|bakerfranke|bdmesh|bencodeorg|bethanyaconnor|breville|carl-codeorg|cat5inthecradle|cearachew|code-org|dancodedotorg|davidsbailey|daynew|deploy-cod-org|dju90|dmantonyuk|dmcavoy|ebeastlake|Erin007|etaderhold|fisher-alice|hadipartovi|Hamms|hannahbergam|jamjamgobambam|jmkulwik|jordan-springer|juanmanzojr|kakiha11|katiejofr|kelbyhawn|kobryan0619|levadadenys|lfryemason|maribethb|markabarrett|mcatullo|mgc1194|mikeharv|molly-moen|moneppo|nataliazm99|nicklathe|Nokondi|onlinecsteacher|pablo-code-org|rshipp|samantha-code|sanchitmalhotra126|simonguest|snickell|sureshc|tess323|thomasoniii|tjcodeorg|tshaffercodeorg|TurnerRiley|unlox775-code-dot-org|vijayamanohararaj|wilkie)$
+ - Pattern: ^(31292421|113540108|10283727|105933103|16494556|11708250|11284819|8747128|25372625|46464143|2205926|131809324|7014619|7144482|5107622|68714964|8001765|1372238|5184438|2933346|137330041|208083|26844240|12300669|4108328|107423305|1859238|244100|37230822|82185575|8324574|38662275|137838584|95503833|117784268|9256643|24883357|22244040|25193259|8573958|29001621|113938636|66776217|43474485|33666587|5454101|98911841|8847422|5552007|65205145|108825710|1382374|126921802|85528507|769225|223277|2157034|14046120|1466175|137829631|142271809|56283563|146779710|124813947|31674)$
 Type: ACTOR_ACCOUNT_ID
 # The CodeBuild Project is used in the CodePipeline pipeline to prepare for a release.
 # It will perform any steps defined in the referenced buildspec.yml file.
From 5455a3f4154a7318725ab0c94c920a99063e3141 Mon Sep 17 00:00:00 2001
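Review bot: Replacing the 65 logins with 65 numeric account IDs on the `Pattern:` line leaves no record in the template of which ID belongs to which maintainer, so the allowlist can no longer be audited, or pruned when someone leaves, without an out-of-band lookup. Account IDs are the right key for this filter type and, as the commit title suggests, survive account renames, so the change itself is sound; what is missing is the mapping. Keep it next to the pattern: either a comment block of `login: id` pairs above the `- Pattern:` line, or a one-line pointer such as `# One account ID per maintainer (65 entries); login-to-ID mapping kept at <location of the mapping>` so a count drift between the two is visible at review time. The filter group this hunk edits begins above the hunk.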
From: Dave Buchanan
Date: Thu, 26 Oct 2023 10:25:10 -0700
Subject: [PATCH 4/4] comment spelling

---
 cicd/2-cicd/cicd.template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml
index f3f28d1..ce51e37 100644
--- a/cicd/2-cicd/cicd.template.yml
+++ b/cicd/2-cicd/cicd.template.yml
@@ -152,7 +152,7 @@ Resources:
 Type: BASE_REF
 - Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED
 Type: EVENT
- # Manual PAUSE button, to disable non-GitHib-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
+ # Manual PAUSE button, to disable non-GitHub-maintainers from triggering (we need to find a replacement for CodeBuild for this repo's CI, or make it not public)
 - Pattern: ^(31292421|113540108|10283727|105933103|16494556|11708250|11284819|8747128|25372625|46464143|2205926|131809324|7014619|7144482|5107622|68714964|8001765|1372238|5184438|2933346|137330041|208083|26844240|12300669|4108328|107423305|1859238|244100|37230822|82185575|8324574|38662275|137838584|95503833|117784268|9256643|24883357|22244040|25193259|8573958|29001621|113938636|66776217|43474485|33666587|5454101|98911841|8847422|5552007|65205145|108825710|1382374|126921802|85528507|769225|223277|2157034|14046120|1466175|137829631|142271809|56283563|146779710|124813947|31674)$
 Type: ACTOR_ACCOUNT_ID
 # The CodeBuild Project is used in the CodePipeline pipeline to prepare for a release.