Sanitize S3 Key, Debug Input, Licenses 2025-07-24 (#18)

* Sanitize S3 Key, Debug Input, Licenses 2025-07-24

Signed-off-by: Julio Jimenez <[email protected]>

* licenses

Signed-off-by: Julio Jimenez <[email protected]>

* licenses

Signed-off-by: Julio Jimenez <[email protected]>

* debug condition

Signed-off-by: Julio Jimenez <[email protected]>

* licenses

Signed-off-by: Julio Jimenez <[email protected]>

---------

Signed-off-by: Julio Jimenez <[email protected]>

Author: juliojimenez

README.md

@@ -125,11 +125,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
         id: aws-creds
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
           role-session-name: clickbom-session
@@ -168,11 +168,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
         id: aws-creds
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
           role-session-name: clickbom-session
@@ -215,7 +215,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Generate Token
         id: generate-token
@@ -226,7 +226,7 @@ jobs:
 
       - name: Configure AWS Credentials
         id: aws-creds
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
           role-session-name: clickbom-session
@@ -278,7 +278,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Generate Token
         id: generate-token
@@ -291,7 +291,7 @@ jobs:
 
       - name: Configure AWS Credentials
         id: aws-creds
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
           role-session-name: clickbom-session
@@ -342,7 +342,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Generate Token
         id: generate-token
@@ -355,7 +355,7 @@ jobs:
 
       - name: Configure AWS Credentials
         id: aws-creds
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
           role-session-name: clickbom-session
@@ -386,7 +386,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Generate Token
         id: generate-token
@@ -397,7 +397,7 @@ jobs:
 
       - name: Configure AWS Credentials
         id: aws-creds
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
           role-session-name: clickbom-session
@@ -440,7 +440,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Generate Token
         id: generate-token
@@ -451,7 +451,7 @@ jobs:
 
       - name: Configure AWS Credentials
         id: aws-creds
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
           role-session-name: clickbom-session
@@ -502,11 +502,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
         id: aws-creds
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
           role-session-name: clickbom-session
@@ -553,11 +553,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
         id: aws-creds
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
           role-session-name: clickbom-session

action.yml

@@ -118,6 +118,10 @@ inputs:
     description: 'Comma-separated list of filenames or patterns to exclude when merging (only used with merge=true)'
     required: false
     default: ''
+  debug:
+    description: 'Enable debug logging'
+    required: false
+    default: 'false'
 runs:
   using: 'docker'
   image: 'Dockerfile'
@@ -160,6 +164,7 @@ runs:
     MERGE: ${{ inputs.merge }}
     INCLUDE: ${{ inputs.include }}
     EXCLUDE: ${{ inputs.exclude }}
+    DEBUG: ${{ inputs.debug }}
 branding:
   icon: 'list'
   color: 'yellow'

entrypoint.sh

@@ -18,7 +18,9 @@ NC='\033[0m' # No Color
 
 # Logging functions
 log_debug() {
-    echo -e "${ORANGE}[DEBUG]${NC} $1"
+    if [[ "${DEBUG:-false}" == "true" ]]; then
+        echo -e "${ORANGE}[DEBUG]${NC} $1"
+    fi
 }
 
 log_info() {

lib/sanitize.sh

@@ -105,6 +105,29 @@ sanitize_s3_bucket() {
     echo "$sanitized"
 }
 
+# Sanitize S3 key
+sanitize_s3_key() {
+    local key="$1"
+    
+    # S3 keys can contain most characters but we'll be restrictive for security
+    local sanitized
+    sanitized=$(echo "$key" | sed 's/[^a-zA-Z0-9._/-]//g')
+    
+    # Prevent path traversal attempts
+    sanitized=$(echo "$sanitized" | sed 's/\.\.//g' | sed 's/\/\+/\//g')
+    
+    # Remove leading/trailing slashes
+    sanitized=$(echo "$sanitized" | sed 's/^\/*//' | sed 's/\/*$//')
+    
+    if [[ -z "$sanitized" ]]; then
+        log_error "Invalid S3 key: $key"
+        log_error "S3 key must contain valid characters and cannot be empty"
+        exit 1
+    fi
+    
+    echo "$sanitized"
+}
+
 # Main sanitization function - sanitizes all environment variables
 sanitize_inputs() {
     log_debug "Sanitizing input parameters..."
@@ -222,10 +245,10 @@ sanitize_inputs() {
         log_debug "Sanitized S3_BUCKET: $S3_BUCKET"
     fi
 
-    # if [[ -n "${S3_KEY:-}" ]]; then
-    #     S3_KEY=$(sanitize_s3_key "$S3_KEY")
-    #     log_debug "Sanitized S3_KEY: $S3_KEY"
-    # fi
+    if [[ -n "${S3_KEY:-}" ]]; then
+        S3_KEY=$(sanitize_s3_key "$S3_KEY")
+        log_debug "Sanitized S3_KEY: $S3_KEY"
+    fi
 
     # ClickHouse inputs
     if [[ -n "${CLICKHOUSE_URL:-}" ]]; then

license-mappings.json

@@ -86,8 +86,33 @@
   "fyne.io/systray": "Apache-2.0",
   "git.sr.ht/~sbinet/gg": "MIT",
   "github.com/4meepo/tagalign": "MIT",
+  "github.com/Abirdcfly/dupword": "MIT",
+  "github.com/AdaLogics/go-fuzz-headers": "Apache-2.0",
   "github.com/andybalholm/brotli": "MIT",
+  "github.com/Antonboom/errname": "MIT",
+  "github.com/Antonboom/nilnil": "MIT",
+  "github.com/Antonboom/testifylint": "MIT",
+  "github.com/Azure/azure-amqp-common-go/v3": "MIT",
+  "github.com/Azure/azure-pipeline-go": "MIT",
+  "github.com/Azure/azure-sdk-for-go-extensions": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/azcore": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/azidentity": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/internal": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v4": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob": "MIT",
+  "github.com/Azure/azure-storage-blob-go": "MIT",
+  "github.com/Azure/go-amqp": "MIT",
   "github.com/Azure/go-ansiterm": "MIT",
+  "github.com/AzureAD/microsoft-authentication-library-for-go": "MIT",
+  "github.com/BurntSushi/toml": "MIT",
   "github.com/cenkalti/backoff/v4": "MIT",
   "github.com/ClickHouse/ch-go": "Apache-2.0",
   "github.com/containerd/errdefs": "Apache-2.0",

test/simple.bats

@@ -516,4 +516,60 @@ EOF
     run sanitize_s3_bucket "invalid-bucket-"
     [ "$status" -eq 1 ]
     [[ "$output" == *"Invalid S3 bucket name"* ]]
-}
+}
+
+# Test 52: sanitize_s3_key accepts valid S3 key
+@test "sanitize_s3_key accepts valid key" {
+    run sanitize_s3_key "path/to/file.json"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "path/to/file.json" ]]
+}
+
+# Test 53: sanitize_s3_key removes dangerous characters
+@test "sanitize_s3_key removes dangerous characters" {
+    run sanitize_s3_key "path/to/file\$bad.json"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "path/to/filebad.json" ]]
+}
+
+# Test 54: sanitize_s3_key prevents path traversal
+@test "sanitize_s3_key prevents path traversal" {
+    run sanitize_s3_key "../../../etc/passwd"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "etc/passwd" ]]
+}
+
+# Test 55: sanitize_s3_key removes multiple slashes
+@test "sanitize_s3_key removes multiple slashes" {
+    run sanitize_s3_key "path//to///file.json"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "path/to/file.json" ]]
+}
+
+# Test 56: sanitize_s3_key removes leading slash
+@test "sanitize_s3_key removes leading slash" {
+    run sanitize_s3_key "/path/to/file.json"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "path/to/file.json" ]]
+}
+
+# Test 57: sanitize_s3_key removes trailing slash
+@test "sanitize_s3_key removes trailing slash" {
+    run sanitize_s3_key "path/to/file.json/"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "path/to/file.json" ]]
+}
+
+# Test 58: sanitize_s3_key rejects empty key
+@test "sanitize_s3_key rejects empty key" {
+    run sanitize_s3_key ""
+    [ "$status" -eq 1 ]
+    [[ "$output" == *"Invalid S3 key"* ]]
+}
+
+# Test 59: sanitize_s3_key rejects key with only invalid characters
+@test "sanitize_s3_key rejects key with only invalid characters" {
+    run sanitize_s3_key "\$%^&*()"
+    [ "$status" -eq 1 ]
+    [[ "$output" == *"Invalid S3 key"* ]]
+}