From efcf614b5d8a11ca5489349120abc6d31c9e16a4 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" 
Date: Wed, 24 Sep 2025 12:40:15 +0100
Subject: [PATCH 1/4] Refactor assembling `Authorization` header value into its own function

---
 lib/analyze-action.js | 17 +++++++++++++----
 lib/init-action-post.js | 17 +++++++++++++----
 lib/init-action.js | 17 +++++++++++++----
 lib/upload-lib.js | 17 +++++++++++++----
 lib/upload-sarif-action.js | 17 +++++++++++++----
 src/api-client.ts | 31 ++++++++++++++++++++++++++++++-
 src/setup-codeql.ts | 12 +++++-------
 7 files changed, 100 insertions(+), 28 deletions(-)

diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 164ad518f7..49f3b45392 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -90198,6 +90198,14 @@ function getApiDetails() {
 function getApiClient() {
 return createApiClientWithDetails(getApiDetails());
 }
+function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") {
+ if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
+ logger.debug(`Providing an authorization token to download ${purpose}.`);
+ return `token ${apiDetails.auth}`;
+ }
+ logger.debug(`Downloading ${purpose} without an authorization token.`);
+ return void 0;
+}
 var cachedGitHubVersion = void 0;
 async function getGitHubVersionFromApi(apiClient, apiDetails) {
 if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) {
@@ -92391,11 +92399,12 @@ var downloadCodeQL = async function(codeqlURL, compressionMethod, maybeBundleVer
 let authorization = void 0;
 if (searchParams.has("token")) {
 logger.debug("CodeQL tools URL contains an authorization token.");
- } else if (codeqlURL.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug("Providing an authorization token to download CodeQL tools.");
- authorization = `token ${apiDetails.auth}`;
 } else {
- logger.debug("Downloading CodeQL tools without an authorization token.");
+ authorization = getAuthorizationHeaderFor(
+ logger,
+ apiDetails,
+ codeqlURL
+ );
 }
 const toolcacheInfo = getToolcacheDestinationInfo(
 maybeBundleVersion,
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 7b156fce4b..3fb9af1433 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -128417,6 +128417,14 @@ function getApiDetails() {
 function getApiClient() {
 return createApiClientWithDetails(getApiDetails());
 }
+function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") {
+ if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
+ logger.debug(`Providing an authorization token to download ${purpose}.`);
+ return `token ${apiDetails.auth}`;
+ }
+ logger.debug(`Downloading ${purpose} without an authorization token.`);
+ return void 0;
+}
 var cachedGitHubVersion = void 0;
 async function getGitHubVersionFromApi(apiClient, apiDetails) {
 if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) {
@@ -130334,11 +130342,12 @@ var downloadCodeQL = async function(codeqlURL, compressionMethod, maybeBundleVer
 let authorization = void 0;
 if (searchParams.has("token")) {
 logger.debug("CodeQL tools URL contains an authorization token.");
- } else if (codeqlURL.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug("Providing an authorization token to download CodeQL tools.");
- authorization = `token ${apiDetails.auth}`;
 } else {
- logger.debug("Downloading CodeQL tools without an authorization token.");
+ authorization = getAuthorizationHeaderFor(
+ logger,
+ apiDetails,
+ codeqlURL
+ );
 }
 const toolcacheInfo = getToolcacheDestinationInfo(
 maybeBundleVersion,
diff --git a/lib/init-action.js b/lib/init-action.js
index 52b99d6310..08a67d16e4 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -86053,6 +86053,14 @@ function getApiClient() {
 function getApiClientWithExternalAuth(apiDetails) {
 return createApiClientWithDetails(apiDetails, { allowExternal: true });
 }
+function getAuthorizationHeaderFor(logger, apiDetails, url, purpose = "CodeQL tools") {
+ if (url.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) {
+ logger.debug(`Providing an authorization token to download ${purpose}.`);
+ return `token ${apiDetails.auth}`;
+ }
+ logger.debug(`Downloading ${purpose} without an authorization token.`);
+ return void 0;
+}
 var cachedGitHubVersion = void 0;
 async function getGitHubVersionFromApi(apiClient, apiDetails) {
 if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) {
@@ -89163,11 +89171,12 @@ var downloadCodeQL = async function(codeqlURL, compressionMethod, maybeBundleVer
 let authorization = void 0;
 if (searchParams.has("token")) {
 logger.debug("CodeQL tools URL contains an authorization token.");
- } else if (codeqlURL.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug("Providing an authorization token to download CodeQL tools.");
- authorization = `token ${apiDetails.auth}`;
 } else {
- logger.debug("Downloading CodeQL tools without an authorization token.");
+ authorization = getAuthorizationHeaderFor(
+ logger,
+ apiDetails,
+ codeqlURL
+ );
 }
 const toolcacheInfo = getToolcacheDestinationInfo(
 maybeBundleVersion,
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index d644a7ed41..aee61387c6 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -88544,6 +88544,14 @@ function getApiDetails() {
 function getApiClient() {
 return createApiClientWithDetails(getApiDetails());
 }
+function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") {
+ if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
+ logger.debug(`Providing an authorization token to download ${purpose}.`);
+ return `token ${apiDetails.auth}`;
+ }
+ logger.debug(`Downloading ${purpose} without an authorization token.`);
+ return void 0;
+}
 var cachedGitHubVersion = void 0;
 async function getGitHubVersionFromApi(apiClient, apiDetails) {
 if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) {
@@ -90162,11 +90170,12 @@ var downloadCodeQL = async function(codeqlURL, compressionMethod, maybeBundleVer
 let authorization = void 0;
 if (searchParams.has("token")) {
 logger.debug("CodeQL tools URL contains an authorization token.");
- } else if (codeqlURL.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug("Providing an authorization token to download CodeQL tools.");
- authorization = `token ${apiDetails.auth}`;
 } else {
- logger.debug("Downloading CodeQL tools without an authorization token.");
+ authorization = getAuthorizationHeaderFor(
+ logger,
+ apiDetails,
+ codeqlURL
+ );
 }
 const toolcacheInfo = getToolcacheDestinationInfo(
 maybeBundleVersion,
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index c3ded2faa6..f9de677a5b 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -88796,6 +88796,14 @@ function getApiDetails() {
 function getApiClient() {
 return createApiClientWithDetails(getApiDetails());
 }
+function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") {
+ if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
+ logger.debug(`Providing an authorization token to download ${purpose}.`);
+ return `token ${apiDetails.auth}`;
+ }
+ logger.debug(`Downloading ${purpose} without an authorization token.`);
+ return void 0;
+}
 var cachedGitHubVersion = void 0;
 async function getGitHubVersionFromApi(apiClient, apiDetails) {
 if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) {
@@ -90863,11 +90871,12 @@ var downloadCodeQL = async function(codeqlURL, compressionMethod, maybeBundleVer
 let authorization = void 0;
 if (searchParams.has("token")) {
 logger.debug("CodeQL tools URL contains an authorization token.");
- } else if (codeqlURL.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug("Providing an authorization token to download CodeQL tools.");
- authorization = `token ${apiDetails.auth}`;
 } else {
- logger.debug("Downloading CodeQL tools without an authorization token.");
+ authorization = getAuthorizationHeaderFor(
+ logger,
+ apiDetails,
+ codeqlURL
+ );
 }
 const toolcacheInfo = getToolcacheDestinationInfo(
 maybeBundleVersion,
diff --git a/src/api-client.ts b/src/api-client.ts
index 8e4a30c571..baef744c9e 100644
--- a/src/api-client.ts
+++ b/src/api-client.ts
@@ -4,6 +4,7 @@ import * as retry from "@octokit/plugin-retry";
 import consoleLogLevel from "console-log-level";
 
 import { getActionVersion, getRequiredInput } from "./actions-util";
+import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
 ConfigurationError,
@@ -54,7 +55,7 @@ function createApiClientWithDetails(
 );
 }
 
-export function getApiDetails() {
+export function getApiDetails(): GitHubApiDetails {
 return {
 auth: getRequiredInput("token"),
 url: getRequiredEnvParam("GITHUB_SERVER_URL"),
@@ -72,6 +73,34 @@ export function getApiClientWithExternalAuth(
 return createApiClientWithDetails(apiDetails, { allowExternal: true });
 }
 
+/**
+ * Gets a value for the `Authorization` header to download `url` or `undefined` if the
+ * `Authorization` header should not be set for `url`.
+ *
+ * @param logger The logger to use for debugging messages.
+ * @param apiDetails Details of the GitHub API we are using.
+ * @param url The URL for which we want to add an `Authorization` header.
+ * @param purpose A description of what we want to download, for debug messages.
+ * @returns The value for the `Authorization` header or `undefined` if it shouldn't be populated.
+ */
+export function getAuthorizationHeaderFor(
+ logger: Logger,
+ apiDetails: GitHubApiDetails,
+ url: string,
+ purpose: string = "CodeQL tools",
+): string | undefined {
+ if (
+ url.startsWith(`${apiDetails.url}/`) ||
+ (apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`))
+ ) {
+ logger.debug(`Providing an authorization token to download ${purpose}.`);
+ return `token ${apiDetails.auth}`;
+ }
+
+ logger.debug(`Downloading ${purpose} without an authorization token.`);
+ return undefined;
+}
+
 let cachedGitHubVersion: GitHubVersion | undefined = undefined;
 
 export async function getGitHubVersionFromApi(
diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts
index 5a0f671fa5..1bdaf8685b 100644
--- a/src/setup-codeql.ts
+++ b/src/setup-codeql.ts
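Review bot: The same-instance decision in the new `getAuthorizationHeaderFor` rests entirely on the trailing `/` in the two `startsWith` templates, and nothing in the function says so; a later edit that drops that slash would let any host whose name merely begins with `apiDetails.url` receive the token. Add a why-comment above the `if`: `// The trailing "/" is deliberate: without it a host that merely starts with the server URL would match.` The condition is carried unchanged through the later revisions of this function in this series, so the comment belongs in the final version as well. Conversely, if `GITHUB_SERVER_URL` (read in `getApiDetails` above) ever carries a trailing slash the template yields `//` and the token is silently withheld; trimming trailing slashes from `apiDetails.url` and `apiDetails.apiURL` before building the prefix would make the check robust in both directions.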
@@ -574,14 +574,12 @@ export const downloadCodeQL = async function (
 let authorization: string | undefined = undefined;
 if (searchParams.has("token")) {
 logger.debug("CodeQL tools URL contains an authorization token.");
- } else if (
- codeqlURL.startsWith(`${apiDetails.url}/`) ||
- (apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`))
- ) {
- logger.debug("Providing an authorization token to download CodeQL tools.");
- authorization = `token ${apiDetails.auth}`;
 } else {
- logger.debug("Downloading CodeQL tools without an authorization token.");
+ authorization = api.getAuthorizationHeaderFor(
+ logger,
+ apiDetails,
+ codeqlURL,
+ );
 }
 
 const toolcacheInfo = getToolcacheDestinationInfo(

From d43f46c39ce20fce7bfa131dd6a604a1ca4009eb Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" 
Date: Wed, 24 Sep 2025 12:40:57 +0100
Subject: [PATCH 2/4] Set `Authorization` header for downloading `update-job-proxy`

---
 lib/start-proxy-action.js | 37 ++++++++++++++++++++++++++-----------
 src/start-proxy-action.ts | 13 ++++++++++++-
 2 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 98ec2e533e..e0568fa95b 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -49356,17 +49356,8 @@ var persistInputs = function() {
 core4.saveState(persistedInputsKey, JSON.stringify(inputEnvironmentVariables));
 };
 
-// src/logging.ts
-var core5 = __toESM(require_core());
-function getActionsLogger() {
- return core5;
-}
-
-// src/start-proxy.ts
-var core7 = __toESM(require_core());
-
 // src/api-client.ts
-var core6 = __toESM(require_core());
+var core5 = __toESM(require_core());
 var githubUtils = __toESM(require_utils4());
 var retry = __toESM(require_dist_node15());
 var import_console_log_level = __toESM(require_console_log_level());
@@ -49391,6 +49382,23 @@ function getApiDetails() {
 function getApiClient() {
 return createApiClientWithDetails(getApiDetails());
 }
+function getAuthorizationHeaderFor(logger, apiDetails, url, purpose = "CodeQL tools") {
+ if (url.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) {
+ logger.debug(`Providing an authorization token to download ${purpose}.`);
+ return `token ${apiDetails.auth}`;
+ }
+ logger.debug(`Downloading ${purpose} without an authorization token.`);
+ return void 0;
+}
+
+// src/logging.ts
+var core6 = __toESM(require_core());
+function getActionsLogger() {
+ return core6;
+}
+
+// src/start-proxy.ts
+var core7 = __toESM(require_core());
 
 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.23.1";
@@ -49682,10 +49690,17 @@ async function getProxyBinaryPath(logger) {
 const proxyInfo = await getDownloadUrl(logger);
 let proxyBin = toolcache.find(proxyFileName, proxyInfo.version);
 if (!proxyBin) {
+ const apiDetails = getApiDetails();
+ const authorization = getAuthorizationHeaderFor(
+ logger,
+ apiDetails,
+ proxyInfo.url,
+ "`update-job-proxy`"
+ );
 const temp = await toolcache.downloadTool(
 proxyInfo.url,
 void 0,
- void 0,
+ authorization,
 {
 accept: "application/octet-stream"
 }
diff --git a/src/start-proxy-action.ts b/src/start-proxy-action.ts
index c0a8d3c7f9..6413b0b171 100644
--- a/src/start-proxy-action.ts
+++ b/src/start-proxy-action.ts
@@ -6,6 +6,7 @@ import * as toolcache from "@actions/tool-cache";
 import { pki } from "node-forge";
 
 import * as actionsUtil from "./actions-util";
+import { getApiDetails, getAuthorizationHeaderFor } from "./api-client";
 import { getActionsLogger, Logger } from "./logging";
 import {
 Credential,
@@ -192,10 +193,20 @@ async function getProxyBinaryPath(logger: Logger): Promise {
 
 let proxyBin = toolcache.find(proxyFileName, proxyInfo.version);
 if (!proxyBin) {
+ // We only want to provide an authorization header if we are downloading
+ // from the same GitHub instance the Action is running on.
+ // This avoids leaking Enterprise tokens to dotcom.
+ const apiDetails = getApiDetails();
+ const authorization = getAuthorizationHeaderFor(
+ logger,
+ apiDetails,
+ proxyInfo.url,
+ "`update-job-proxy`",
+ );
 const temp = await toolcache.downloadTool(
 proxyInfo.url,
 undefined,
- undefined,
+ authorization,
 {
 accept: "application/octet-stream",
 },

From 4e820a4ca43a039f7a611deeaee1e484f9abd9f2 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" 
Date: Wed, 24 Sep 2025 15:50:19 +0100
Subject: [PATCH 3/4] Apply review feedback

---
 lib/analyze-action.js | 6 +++---
 lib/init-action-post.js | 6 +++---
 lib/init-action.js | 6 +++---
 lib/start-proxy-action.js | 9 ++++-----
 lib/upload-lib.js | 6 +++---
 lib/upload-sarif-action.js | 6 +++---
 src/api-client.ts | 12 +++++++-----
 src/setup-codeql.ts | 6 ++----
 src/start-proxy-action.ts | 4 ----
 9 files changed, 28 insertions(+), 33 deletions(-)

diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 49f3b45392..cb366248c5 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
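Review bot: Unlike `downloadCodeQL` in `src/setup-codeql.ts`, which skips the header when `searchParams.has("token")`, this path attaches `Authorization` to `proxyInfo.url` without checking whether that URL already embeds a token in its query string; if `getDownloadUrl` can ever return such a URL the request would carry two credentials. If the proxy URL is always a plain release-asset URL this is moot, but a one-line comment stating that assumption above `const apiDetails = getApiDetails();` would make it explicit, e.g. `// proxyInfo.url never carries a token query parameter, so no searchParams check is needed here.` Note also that `getApiDetails()` reads `getRequiredInput("token")`, which presumably fails when the input is absent, so this change turns `token` into a hard requirement of the start-proxy action — worth confirming the action metadata declares it. `getProxyBinaryPath` starts and ends outside the hunk.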
@@ -90198,12 +90198,12 @@ function getApiDetails() {
 function getApiClient() {
 return createApiClientWithDetails(getApiDetails());
 }
-function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") {
+function getAuthorizationHeaderFor(logger, apiDetails, url2) {
 if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token to download ${purpose}.`);
+ logger.debug(`Providing an authorization token for '${url2}'.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Downloading ${purpose} without an authorization token.`);
+ logger.debug(`Requesting '${url2}' without an authorization token.`);
 return void 0;
 }
 var cachedGitHubVersion = void 0;
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 3fb9af1433..6bd6b06666 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -128417,12 +128417,12 @@ function getApiDetails() {
 function getApiClient() {
 return createApiClientWithDetails(getApiDetails());
 }
-function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") {
+function getAuthorizationHeaderFor(logger, apiDetails, url2) {
 if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token to download ${purpose}.`);
+ logger.debug(`Providing an authorization token for '${url2}'.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Downloading ${purpose} without an authorization token.`);
+ logger.debug(`Requesting '${url2}' without an authorization token.`);
 return void 0;
 }
 var cachedGitHubVersion = void 0;
diff --git a/lib/init-action.js b/lib/init-action.js
index 08a67d16e4..2758142972 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -86053,12 +86053,12 @@ function getApiClient() {
 function getApiClientWithExternalAuth(apiDetails) {
 return createApiClientWithDetails(apiDetails, { allowExternal: true });
 }
-function getAuthorizationHeaderFor(logger, apiDetails, url, purpose = "CodeQL tools") {
+function getAuthorizationHeaderFor(logger, apiDetails, url) {
 if (url.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token to download ${purpose}.`);
+ logger.debug(`Providing an authorization token for '${url}'.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Downloading ${purpose} without an authorization token.`);
+ logger.debug(`Requesting '${url}' without an authorization token.`);
 return void 0;
 }
 var cachedGitHubVersion = void 0;
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index e0568fa95b..cdd24f132a 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -49382,12 +49382,12 @@ function getApiDetails() {
 function getApiClient() {
 return createApiClientWithDetails(getApiDetails());
 }
-function getAuthorizationHeaderFor(logger, apiDetails, url, purpose = "CodeQL tools") {
+function getAuthorizationHeaderFor(logger, apiDetails, url) {
 if (url.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token to download ${purpose}.`);
+ logger.debug(`Providing an authorization token for '${url}'.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Downloading ${purpose} without an authorization token.`);
+ logger.debug(`Requesting '${url}' without an authorization token.`);
 return void 0;
 }
 
@@ -49694,8 +49694,7 @@ async function getProxyBinaryPath(logger) {
 const authorization = getAuthorizationHeaderFor(
 logger,
 apiDetails,
- proxyInfo.url,
- "`update-job-proxy`"
+ proxyInfo.url
 );
 const temp = await toolcache.downloadTool(
 proxyInfo.url,
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index aee61387c6..098e658dab 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -88544,12 +88544,12 @@ function getApiDetails() {
 function getApiClient() {
 return createApiClientWithDetails(getApiDetails());
 }
-function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") {
+function getAuthorizationHeaderFor(logger, apiDetails, url2) {
 if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token to download ${purpose}.`);
+ logger.debug(`Providing an authorization token for '${url2}'.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Downloading ${purpose} without an authorization token.`);
+ logger.debug(`Requesting '${url2}' without an authorization token.`);
 return void 0;
 }
 var cachedGitHubVersion = void 0;
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index f9de677a5b..fe51a2785c 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -88796,12 +88796,12 @@ function getApiDetails() {
 function getApiClient() {
 return createApiClientWithDetails(getApiDetails());
 }
-function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") {
+function getAuthorizationHeaderFor(logger, apiDetails, url2) {
 if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token to download ${purpose}.`);
+ logger.debug(`Providing an authorization token for '${url2}'.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Downloading ${purpose} without an authorization token.`);
+ logger.debug(`Requesting '${url2}' without an authorization token.`);
 return void 0;
 }
 var cachedGitHubVersion = void 0;
diff --git a/src/api-client.ts b/src/api-client.ts
index baef744c9e..3ab3db47f6 100644
--- a/src/api-client.ts
+++ b/src/api-client.ts
@@ -74,30 +74,32 @@ export function getApiClientWithExternalAuth(
 }
 
 /**
- * Gets a value for the `Authorization` header to download `url` or `undefined` if the
+ * Gets a value for the `Authorization` header for a request to `url`; or `undefined` if the
 * `Authorization` header should not be set for `url`.
 *
 * @param logger The logger to use for debugging messages.
 * @param apiDetails Details of the GitHub API we are using.
 * @param url The URL for which we want to add an `Authorization` header.
- * @param purpose A description of what we want to download, for debug messages.
+ *
 * @returns The value for the `Authorization` header or `undefined` if it shouldn't be populated.
 */
 export function getAuthorizationHeaderFor(
 logger: Logger,
 apiDetails: GitHubApiDetails,
 url: string,
- purpose: string = "CodeQL tools",
 ): string | undefined {
+ // We only want to provide an authorization header if we are downloading
+ // from the same GitHub instance the Action is running on.
+ // This avoids leaking Enterprise tokens to dotcom.
 if (
 url.startsWith(`${apiDetails.url}/`) ||
 (apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`))
 ) {
- logger.debug(`Providing an authorization token to download ${purpose}.`);
+ logger.debug(`Providing an authorization token for '${url}'.`);
 return `token ${apiDetails.auth}`;
 }
 
- logger.debug(`Downloading ${purpose} without an authorization token.`);
+ logger.debug(`Requesting '${url}' without an authorization token.`);
 return undefined;
 }
 
diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts
index 1bdaf8685b..e147a31129 100644
--- a/src/setup-codeql.ts
+++ b/src/setup-codeql.ts
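Review bot: The comment moved into the body of `getAuthorizationHeaderFor` still says "if we are downloading", while the summary in the same hunk was reworded to "a request to `url`" and the function is now also used for the proxy binary; it also names only "the same GitHub instance" although the condition accepts either `apiDetails.url` or `apiDetails.apiURL`, which may be different hosts. Reword it to match the condition, e.g. `// Only attach the token to requests for the GitHub instance the Action runs on (its server URL or API URL);` followed by `// anything else, including dotcom from an Enterprise run, gets no credential.` The replacement of `@param purpose` with a bare ` *` is harmless, but a separator before `@returns` is unusual in this file's JSDoc and could simply be dropped.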
@@ -567,11 +567,9 @@ export const downloadCodeQL = async function (
 const headers: OutgoingHttpHeaders = {
 accept: "application/octet-stream",
 };
- // We only want to provide an authorization header if we are downloading
- // from the same GitHub instance the Action is running on.
- // This avoids leaking Enterprise tokens to dotcom.
- // We also don't want to send an authorization header if there's already a token provided in the URL.
 let authorization: string | undefined = undefined;
+
+ // We don't want to send an authorization header if there's already a token provided in the URL.
 if (searchParams.has("token")) {
 logger.debug("CodeQL tools URL contains an authorization token.");
 } else {
diff --git a/src/start-proxy-action.ts b/src/start-proxy-action.ts
index 6413b0b171..9592b904bb 100644
--- a/src/start-proxy-action.ts
+++ b/src/start-proxy-action.ts
@@ -193,15 +193,11 @@ async function getProxyBinaryPath(logger: Logger): Promise {
 
 let proxyBin = toolcache.find(proxyFileName, proxyInfo.version);
 if (!proxyBin) {
- // We only want to provide an authorization header if we are downloading
- // from the same GitHub instance the Action is running on.
- // This avoids leaking Enterprise tokens to dotcom.
 const apiDetails = getApiDetails();
 const authorization = getAuthorizationHeaderFor(
 logger,
 apiDetails,
 proxyInfo.url,
- "`update-job-proxy`",
 );
 const temp = await toolcache.downloadTool(
 proxyInfo.url,

From 6ccec2ac145855dc9503368583b43c58419687af Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" 
Date: Wed, 24 Sep 2025 18:54:49 +0100
Subject: [PATCH 4/4] Remove `url` from log messages

---
 lib/analyze-action.js | 4 ++--
 lib/init-action-post.js | 4 ++--
 lib/init-action.js | 4 ++--
 lib/start-proxy-action.js | 4 ++--
 lib/upload-lib.js | 4 ++--
 lib/upload-sarif-action.js | 4 ++--
 src/api-client.ts | 4 ++--
 7 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index cb366248c5..1f1f3c853c 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -90200,10 +90200,10 @@ function getApiClient() {
 }
 function getAuthorizationHeaderFor(logger, apiDetails, url2) {
 if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token for '${url2}'.`);
+ logger.debug(`Providing an authorization token.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Requesting '${url2}' without an authorization token.`);
+ logger.debug(`Not using an authorization token.`);
 return void 0;
 }
 var cachedGitHubVersion = void 0;
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 6bd6b06666..7a7ce67f62 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -128419,10 +128419,10 @@ function getApiClient() {
 }
 function getAuthorizationHeaderFor(logger, apiDetails, url2) {
 if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token for '${url2}'.`);
+ logger.debug(`Providing an authorization token.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Requesting '${url2}' without an authorization token.`);
+ logger.debug(`Not using an authorization token.`);
 return void 0;
 }
 var cachedGitHubVersion = void 0;
diff --git a/lib/init-action.js b/lib/init-action.js
index 2758142972..1ebc7eaa34 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -86055,10 +86055,10 @@ function getApiClientWithExternalAuth(apiDetails) {
 }
 function getAuthorizationHeaderFor(logger, apiDetails, url) {
 if (url.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token for '${url}'.`);
+ logger.debug(`Providing an authorization token.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Requesting '${url}' without an authorization token.`);
+ logger.debug(`Not using an authorization token.`);
 return void 0;
 }
 var cachedGitHubVersion = void 0;
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index cdd24f132a..87f808a68c 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -49384,10 +49384,10 @@ function getApiClient() {
 }
 function getAuthorizationHeaderFor(logger, apiDetails, url) {
 if (url.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token for '${url}'.`);
+ logger.debug(`Providing an authorization token.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Requesting '${url}' without an authorization token.`);
+ logger.debug(`Not using an authorization token.`);
 return void 0;
 }
 
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 098e658dab..dee9770554 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -88546,10 +88546,10 @@ function getApiClient() {
 }
 function getAuthorizationHeaderFor(logger, apiDetails, url2) {
 if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token for '${url2}'.`);
+ logger.debug(`Providing an authorization token.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Requesting '${url2}' without an authorization token.`);
+ logger.debug(`Not using an authorization token.`);
 return void 0;
 }
 var cachedGitHubVersion = void 0;
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index fe51a2785c..abec389a6d 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -88798,10 +88798,10 @@ function getApiClient() {
 }
 function getAuthorizationHeaderFor(logger, apiDetails, url2) {
 if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) {
- logger.debug(`Providing an authorization token for '${url2}'.`);
+ logger.debug(`Providing an authorization token.`);
 return `token ${apiDetails.auth}`;
 }
- logger.debug(`Requesting '${url2}' without an authorization token.`);
+ logger.debug(`Not using an authorization token.`);
 return void 0;
 }
 var cachedGitHubVersion = void 0;
diff --git a/src/api-client.ts b/src/api-client.ts
index 3ab3db47f6..86134b7f89 100644
--- a/src/api-client.ts
+++ b/src/api-client.ts
@@ -95,11 +95,11 @@ export function getAuthorizationHeaderFor(
 url.startsWith(`${apiDetails.url}/`) ||
 (apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`))
 ) {
- logger.debug(`Providing an authorization token for '${url}'.`);
+ logger.debug(`Providing an authorization token.`);
 return `token ${apiDetails.auth}`;
 }
 
- logger.debug(`Requesting '${url}' without an authorization token.`);
+ logger.debug(`Not using an authorization token.`);
 return undefined;
 }
 
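Review bot: With the URL dropped from both `logger.debug` calls the messages no longer say which request they refer to, and a run that downloads both the CodeQL bundle and the proxy binary now emits two indistinguishable "Providing an authorization token." lines. Keeping the full URL out of logs is the right call, presumably because a tools URL can carry a `token` query parameter (which is what `downloadCodeQL` checks for), but the host alone cannot carry one and is enough to diagnose a same-instance mismatch; consider `logger.debug(`Providing an authorization token for ${new URL(url).host}.`);` and the matching form for the negative branch. If `url` is not guaranteed to be a well-formed absolute URL, guard the `new URL` call so a debug message can never throw. `getAuthorizationHeaderFor` starts outside the hunk.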