mirror of
https://github.com/actions/cache.git
synced 2026-06-06 17:14:21 +00:00
45 lines
1.7 KiB
JavaScript
45 lines
1.7 KiB
JavaScript
// @ts-check
|
|
/**
|
|
* save-poisoned-cache.mjs
|
|
*
|
|
* Helper script used by the path-validation E2E workflow to upload a cache
|
|
* archive that contains entries outside the declared `path` inputs. This
|
|
* simulates a poisoned cache that would have been produced by a build job
|
|
* that had write access to the workspace's parent directory (the canonical
|
|
* cache-poisoning scenario being defended against).
|
|
*
|
|
* Usage:
|
|
* node save-poisoned-cache.mjs <cache-key> <declared-path> [extra-path ...]
|
|
*
|
|
* The script invokes `@actions/cache.saveCache()` with the declared path(s)
|
|
* AND extra paths that escape the workspace. The toolkit's saveCache packs
|
|
* everything into the archive, so the resulting cache entry will contain
|
|
* "escape" entries that resolve outside the declared `path` when the action's
|
|
* `restore` step later extracts it (because the restore step only declares the
|
|
* legitimate `path`).
|
|
*
|
|
* Important: this script is NOT shipped to users. It is purely a test fixture
|
|
* generator used by the E2E workflow to validate that the action's client-side
|
|
* validation correctly rejects (or warns about) such caches.
|
|
*/
|
|
|
|
import * as cache from '@actions/cache';
|
|
|
|
const [, , key, ...paths] = process.argv;
|
|
|
|
if (!key || paths.length === 0) {
|
|
console.error(
|
|
'Usage: node save-poisoned-cache.mjs <cache-key> <path> [extra-path ...]'
|
|
);
|
|
process.exit(2);
|
|
}
|
|
|
|
console.log(`Saving poisoned cache with key="${key}" paths=${JSON.stringify(paths)}`);
|
|
|
|
try {
|
|
const cacheId = await cache.saveCache(paths, key);
|
|
console.log(`Saved poisoned cache (cacheId=${cacheId})`);
|
|
} catch (err) {
|
|
console.error(`Failed to save poisoned cache: ${err?.message ?? err}`);
|
|
process.exit(1);
|
|
}
|