Use vm.runInNewContext to run scripts

2026-02-08 03:57:27 +00:00 · 2020-01-10 06:16:33 -05:00 · 2020-01-10 06:16:33 -05:00 · d17db37305
commit d17db37305
parent 5bc9a17b5e
4 changed files with 100 additions and 9 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
+dist/index.js linguist-generated=true
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -0,0 +1,49 @@
+on:
+  pull_request: {branches: master}
+  push: {branches: master}
+  repository_dispatch:
+
+name: Test
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - id: run-script
+        uses: ./
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          result-encoding: string
+          script: |
+            const crypto = require('crypto')
+            const {promisify} = require('util')
+            const randomBytes = promisify(crypto.randomBytes)
+
+            const repo = await github.repos.get({
+              owner: 'actions',
+              repo: 'github-script'
+            })
+
+            console.log('repo.url', repo.url)
+            console.log('context.eventName', context.eventName)
+            console.log('input.result-encoding', actions.core.getInput('result-encoding'))
+
+            const bytes = await randomBytes(16)
+            return bytes.toString('hex')
+      - uses: ./
+        name: Invalid token
+        continue-on-error: true
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            #
+      - uses: ./
+        name: Throw error
+        continue-on-error: true
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            throw new Error('Whoops!')
+      - run: |
+          echo OUTPUT: ${{steps.run-script.outputs.result}}
--- a/dist/index.js
+++ b/dist/index.js
@ -1479,6 +1479,8 @@ __webpack_require__.r(__webpack_exports__);
 /* harmony import */ var _actions_core__WEBPACK_IMPORTED_MODULE_0___default = /*#__PURE__*/__webpack_require__.n(_actions_core__WEBPACK_IMPORTED_MODULE_0__);
 /* harmony import */ var _actions_github__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(469);
 /* harmony import */ var _actions_github__WEBPACK_IMPORTED_MODULE_1___default = /*#__PURE__*/__webpack_require__.n(_actions_github__WEBPACK_IMPORTED_MODULE_1__);
+/* harmony import */ var vm__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(184);
+/* harmony import */ var vm__WEBPACK_IMPORTED_MODULE_2___default = /*#__PURE__*/__webpack_require__.n(vm__WEBPACK_IMPORTED_MODULE_2__);
 var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
    return new (P || (P = Promise))(function (resolve, reject) {
        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
@ -1489,11 +1491,11 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
 };


+
 process.on('unhandledRejection', handleError);
 main().catch(handleError);
 function main() {
    return __awaiter(this, void 0, void 0, function* () {
-        const AsyncFunction = Object.getPrototypeOf(() => __awaiter(this, void 0, void 0, function* () { })).constructor;
        const token = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('github-token', { required: true });
        const debug = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('debug');
        const userAgent = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('user-agent');
@ -1505,10 +1507,18 @@ function main() {
            opts.userAgent = userAgent;
        if (previews != null)
            opts.previews = previews.split(',');
-        const client = new _actions_github__WEBPACK_IMPORTED_MODULE_1__.GitHub(token, opts);
+        const github = new _actions_github__WEBPACK_IMPORTED_MODULE_1__.GitHub(token, opts);
        const script = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('script', { required: true });
-        const fn = new AsyncFunction('require', 'github', 'context', script);
-        const result = yield fn(__webpack_require__(875), client, _actions_github__WEBPACK_IMPORTED_MODULE_1__.context);
+        const fn = wrapFunction(script);
+        const result = yield vm__WEBPACK_IMPORTED_MODULE_2__.runInNewContext(fn, {
+            github,
+            console,
+            context: _actions_github__WEBPACK_IMPORTED_MODULE_1__.context,
+            actions: { core: _actions_core__WEBPACK_IMPORTED_MODULE_0__ },
+            require: __webpack_require__(875) // Otherwise, the build step will compile this incorrectly.
+        }, {
+            lineOffset: -1
+        });
        let encoding = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('result-encoding');
        encoding = encoding ? encoding : 'json';
        let output;
@ -1525,6 +1535,11 @@ function main() {
        _actions_core__WEBPACK_IMPORTED_MODULE_0__.setOutput('result', output);
    });
 }
+function wrapFunction(fn) {
+    return `(async function() {
+${fn}
+  })()`;
+}
 function handleError(err) {
    console.error(err);
    if (err && err.message) {
@ -1689,6 +1704,13 @@ module.exports = opts => {
 };


+/***/ }),
+
+/***/ 184:
+/***/ (function(module) {
+
+module.exports = require("vm");
+
 /***/ }),

 /***/ 190:
@ -11312,4 +11334,4 @@ function onceStrict (fn) {
 /******/ 	}();
 /******/ 	
 /******/ }
-);
+);
--- a/src/main.ts
+++ b/src/main.ts
@ -1,11 +1,11 @@
 import * as core from '@actions/core'
 import {context, GitHub} from '@actions/github'
+import * as vm from 'vm'

 process.on('unhandledRejection', handleError)
 main().catch(handleError)

 async function main() {
-  const AsyncFunction = Object.getPrototypeOf(async () => {}).constructor
  const token = core.getInput('github-token', {required: true})
  const debug = core.getInput('debug')
  const userAgent = core.getInput('user-agent')
@ -14,10 +14,23 @@ async function main() {
  if (debug === 'true') opts.log = console
  if (userAgent != null) opts.userAgent = userAgent
  if (previews != null) opts.previews = previews.split(',')
-  const client = new GitHub(token, opts)
+  const github = new GitHub(token, opts)
  const script = core.getInput('script', {required: true})
-  const fn = new AsyncFunction('require', 'github', 'context', script)
-  const result = await fn(require, client, context)
+  const fn = wrapFunction(script)
+
+  const result = await vm.runInNewContext(
+    fn,
+    {
+      github,
+      console,
+      context,
+      actions: {core},
+      require: require // Otherwise, the build step will compile this incorrectly.
+    },
+    {
+      lineOffset: -1
+    }
+  )

  let encoding = core.getInput('result-encoding')
  encoding = encoding ? encoding : 'json'
@ -38,6 +51,12 @@ async function main() {
  core.setOutput('result', output)
 }

+function wrapFunction(fn: string) {
+  return `(async function() {
+${fn}
+  })()`
+}
+
 function handleError(err: any) {
  console.error(err)