diff --git a/src/Runner.Common/Constants.cs b/src/Runner.Common/Constants.cs index 4f8694d53..a5074b7e0 100644 --- a/src/Runner.Common/Constants.cs +++ b/src/Runner.Common/Constants.cs @@ -140,6 +140,9 @@ namespace GitHub.Runner.Common public static readonly string InternalTelemetryIssueDataKey = "_internal_telemetry"; public static readonly string WorkerCrash = "WORKER_CRASH"; + public static readonly string UnsupportedCommand = "UNSUPPORTED_COMMAND"; + public static readonly string UnsupportedCommandMessage = "The `{0}` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/"; + public static readonly string UnsupportedCommandMessageDisabled = "The `{0}` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/"; } public static class RunnerEvent @@ -198,6 +201,7 @@ namespace GitHub.Runner.Common // // Keep alphabetical // + public static readonly string AllowUnsupportedCommands = "ACTIONS_ALLOW_UNSECURE_COMMANDS"; public static readonly string RunnerDebug = "ACTIONS_RUNNER_DEBUG"; public static readonly string StepDebug = "ACTIONS_STEP_DEBUG"; } diff --git a/src/Runner.Worker/ActionCommandManager.cs b/src/Runner.Worker/ActionCommandManager.cs index be96a4514..0cd99e57b 100644 --- a/src/Runner.Worker/ActionCommandManager.cs +++ b/src/Runner.Worker/ActionCommandManager.cs @@ -1,4 +1,5 @@ using GitHub.DistributedTask.Pipelines; +using GitHub.DistributedTask.Pipelines.ContextData; using GitHub.DistributedTask.WebApi; using GitHub.Runner.Common.Util; using GitHub.Runner.Worker.Container; @@ -183,6 +184,40 @@ namespace GitHub.Runner.Worker public void ProcessCommand(IExecutionContext context, string line, ActionCommand command, ContainerInfo container) { + var configurationStore = HostContext.GetService(); + var isHostedServer = configurationStore.GetSettings().IsHostedServer; + + var allowUnsecureCommands = false; + bool.TryParse(Environment.GetEnvironmentVariable(Constants.Variables.Actions.AllowUnsupportedCommands), out allowUnsecureCommands); + + // Apply environment from env context, env context contains job level env and action's env block +#if OS_WINDOWS + var envContext = context.ExpressionValues["env"] as DictionaryContextData; +#else + var envContext = context.ExpressionValues["env"] as CaseSensitiveDictionaryContextData; +#endif + if (!allowUnsecureCommands && envContext.ContainsKey(Constants.Variables.Actions.AllowUnsupportedCommands)) + { + bool.TryParse(envContext[Constants.Variables.Actions.AllowUnsupportedCommands].ToString(), out allowUnsecureCommands); + } + + // TODO: Eventually remove isHostedServer and apply this to dotcom customers as well + if (!isHostedServer && !allowUnsecureCommands) + { + throw new Exception(String.Format(Constants.Runner.UnsupportedCommandMessageDisabled, this.Command)); + } + else if (!allowUnsecureCommands) + { + // Log Telemetry and let user know they shouldn't do this + var issue = new Issue() + { + Type = IssueType.Warning, + Message = String.Format(Constants.Runner.UnsupportedCommandMessage, this.Command) + }; + issue.Data[Constants.Runner.InternalTelemetryIssueDataKey] = Constants.Runner.UnsupportedCommand; + context.AddIssue(issue); + } + if (!command.Properties.TryGetValue(SetEnvCommandProperties.Name, out string envName) || string.IsNullOrEmpty(envName)) { throw new Exception("Required field 'name' is missing in ##[set-env] command."); @@ -282,6 +317,40 @@ namespace GitHub.Runner.Worker public void ProcessCommand(IExecutionContext context, string line, ActionCommand command, ContainerInfo container) { + var configurationStore = HostContext.GetService(); + var isHostedServer = configurationStore.GetSettings().IsHostedServer; + + var allowUnsecureCommands = false; + bool.TryParse(Environment.GetEnvironmentVariable(Constants.Variables.Actions.AllowUnsupportedCommands), out allowUnsecureCommands); + + // Apply environment from env context, env context contains job level env and action's env block +#if OS_WINDOWS + var envContext = context.ExpressionValues["env"] as DictionaryContextData; +#else + var envContext = context.ExpressionValues["env"] as CaseSensitiveDictionaryContextData; +#endif + if (!allowUnsecureCommands && envContext.ContainsKey(Constants.Variables.Actions.AllowUnsupportedCommands)) + { + bool.TryParse(envContext[Constants.Variables.Actions.AllowUnsupportedCommands].ToString(), out allowUnsecureCommands); + } + + // TODO: Eventually remove isHostedServer and apply this to dotcom customers as well + if (!isHostedServer && !allowUnsecureCommands) + { + throw new Exception(String.Format(Constants.Runner.UnsupportedCommandMessageDisabled, this.Command)); + } + else if (!allowUnsecureCommands) + { + // Log Telemetry and let user know they shouldn't do this + var issue = new Issue() + { + Type = IssueType.Warning, + Message = String.Format(Constants.Runner.UnsupportedCommandMessage, this.Command) + }; + issue.Data[Constants.Runner.InternalTelemetryIssueDataKey] = Constants.Runner.UnsupportedCommand; + context.AddIssue(issue); + } + ArgUtil.NotNullOrEmpty(command.Data, "path"); context.Global.PrependPath.RemoveAll(x => string.Equals(x, command.Data, StringComparison.CurrentCulture)); context.Global.PrependPath.Add(command.Data);