lichess-bot-devs / lichess-bot

A bridge between Lichess bots and chess engines

Commit messages for sync-wiki cannot have backticks

MarkZH opened this issue · comments

Describe the bug
When this commit was pushed to master, an error occurred due to the commit messages having backticks (``). The bot attempted to execute the commands within backticks as it went through each line of the commit message.

In short, backticks must be removed or escaped from commit messages before the sync-wiki action bot runs. Furthermore, since the message is bracketed by parentheses in the automated commit message, only the first line of the commit message should be included.

Logs
Look at the logs of this test run and expand the Run cp -r ... line to see the effects.

Expected behavior
The backticks are escaped or removed from commit messages and only the first line is included.

System:
From Github action configuration:

  • OS: Ubuntu 22.04.3 LTS
  • Terminal interpreter: bash

Possible fix

git commit -m "Auto update wiki/Home.md ($(head -n1 <<< ${{ github.event.head_commit.message }} | tr -d \`))"
  • $(...): the bashism for interpolating command-line output
  • head -n1 <<< ${{ github.event.head_commit.message }}: Take only the first line (<<< is string redirection to stdin)
  • ... | tr -d \`: Remove backticks from the message

I don't think that error had anything to do with using ``. This is in fact an expected bug with that commit. I spoke about it in the pull request itself:
#810 (comment)

The first workflow will give an error since there are no changes to the wiki dir as compared to the wiki page, but afterwards any changes made to the wiki dir will directly be reflected in the wiki.

If you don't want this error on first run then either I can make a change to the wiki dir now or I can add the tag --allow-empty-commit before committing changes like this: git commit --allow-empty-commit "Update wiki".

This occurs because when the wiki/ dir was created, as per GitHub the files in the wiki/ path were updated and this means that it should run the sync-wiki workflow. Now when the workflow runs it sees that there is a change to the wiki/Home.md file, when in fact there was no change; the file was just created. So it copies the contents in the Home.md file to the README.md. But there is no difference, so when the workflow comes to the stage where it needs to commit, it tries to commit, but GitHub says there isn't any change so you cannot make a commit, and sends an error.

I tried to explain it as best as I could. Sorry if I just made it more confusing.

But the wiki does also run the commit messages which have ``. But that has nothing to do with the error:

On branch master
Your branch is up to date with 'origin/master'.

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	lichess-bot.wiki/

nothing added to commit but untracked files present (use "git add" to track)
Error: Process completed with exit code 1.

Here's a test run in my repository with the same commit message and the files were edited: https://github.com/TheYoBots/lichess-bot/actions/runs/5950420455/job/16138179065
While this is persistent:

/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: bullet_requires_increment: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: py: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: py: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: py: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: wiki/Home.md: Permission denied
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: README.md: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: wiki/Home.md: Permission denied
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: README.md: command not found

This is how the commit message looks: TheYoBots@b702be1

I think a fix would be that the owners of the repository can edit the message before squash and merging into the repository. Instead of all commits add a short description on what the PR does and the merge. And sometimes even edit the pull request name (commit message) if it has nothing to do with the pull request. This way even others who check a commit will get a gist of what the commit does.

@TheYoBots I understand the action didn't complete due to there being no edits to the wiki. The actions can still run despite the command line errors.

However, even if the backticks don't cause a problem with running the actions, it's still trying to execute arbitrary code. For an extreme example, a commit message could contain Fix documentation (`git branch --delete master`), which would be rather catastrophic. Or maybe something like Sneaky commit to reveal secrets (`echo ${{ github.secrets }} > mail.eml; send_email mail.eml` nothing to see here).

I think it's better not to include the commit message at all. Requiring inspection by people or complicated post-processing seems too unreliable. Wouldn't the commit before the Auto action contain all the necessary information in the commit message?

@AttackingOrDefending Any thoughts?

I agree that removing the commit message is probably the best and simplest solution. The reason that I suggested including the commit message is so that when someone looks at the wiki history they don't just see Auto update wiki which doesn't provide any meaningful information but I didn't think about arbitrary code execution.

We should also probably create branch protection rules to avoid such scenarios.

Fixed by #817
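
Why the backticks ran, as an added example that is not part of the thread or the project's workflow: GitHub Actions pastes the value of a ${{ ... }} expression into the script text before bash parses it, so anything in the message becomes shell syntax. The sketch below reproduces that locally and contrasts it with passing the message through an environment variable. The message is constructed, `printf` stands in for `git commit -m`, and the template line and the `COMMIT_MSG` name are assumptions.

```shell
#!/usr/bin/env bash
# Constructed commit message. The backticked text stands in for a command
# chosen by whoever wrote the commit; here it is a harmless echo.
SAMPLE_MSG='Fix docs (`echo INJECTED`)
second line of the message'

# Unsafe: mimic the runner, which substitutes the expression value into the
# script text first. The template is an assumed stand-in for the commit step:
#   git commit -m "Auto update wiki/Home.md (${{ ...head_commit.message }})"
render_unsafe() {
  printf 'printf "%%s" "Auto update wiki/Home.md (%s)"\n' "$1"
}

# Hand the rendered text to bash, as the runner does with its temp .sh file.
run_unsafe() {
  render_unsafe "$1" | bash 2>/dev/null
}

# Safe: the script text is constant. The message arrives in an environment
# variable, which is what a step-level entry such as
#   env:
#     COMMIT_MSG: ${{ github.event.head_commit.message }}
# provides, and it is only expanded inside double quotes, so bash treats it
# as data. head/tr apply the first-line and backtick rules from the issue.
run_safe() {
  COMMIT_MSG="$1" bash <<'EOF'
first_line=$(printf '%s\n' "$COMMIT_MSG" | head -n1 | tr -d '`')
printf '%s' "Auto update wiki/Home.md ($first_line)"
EOF
}

# Stand-alone demo: the first result shows the command's output spliced in,
# the second shows the message kept as inert text.
printf 'unsafe: %s\n' "$(run_unsafe "$SAMPLE_MSG")"
printf 'safe:   %s\n' "$(run_safe "$SAMPLE_MSG")"
```

With the environment-variable form, stripping backticks is cosmetic rather than a security control, since the message never reaches the parser as code.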