mirror of
https://github.com/peass-ng/PEASS-ng.git
synced 2026-06-12 19:11:39 -07:00
Fix bot PR auto-merge and linpeas exclude matching
This commit is contained in:
Carlos Polop
@@ -24,7 +24,7 @@ jobs:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
ref: ${{ github.head_ref || github.ref_name }}
|
||||
|
||||
- name: Download regexes
|
||||
run: |
|
||||
@@ -113,7 +113,7 @@ jobs:
|
||||
# Download repo
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
ref: ${{ github.head_ref || github.ref_name }}
|
||||
|
||||
# Setup go
|
||||
- uses: actions/setup-go@v6
|
||||
@@ -173,7 +173,7 @@ jobs:
|
||||
# Download repo
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
ref: ${{ github.head_ref || github.ref_name }}
|
||||
|
||||
# Build linpeas (macpeas)
|
||||
- name: Build macpeas
|
||||
|
||||
@@ -6,6 +6,82 @@ on:
|
||||
types: [completed]
|
||||
|
||||
jobs:
|
||||
auto_merge_windows_definition_bot_pr:
|
||||
if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
|
||||
steps:
|
||||
- name: Resolve and verify bot PR
|
||||
id: bot_pr
|
||||
env:
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
|
||||
GH_REPO: ${{ github.repository }}
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
run: |
|
||||
title="chore(winpeas): update windows version vulnerability definitions"
|
||||
branch="bot/update-windows-version-definitions"
|
||||
expected_file="build_lists/windows_version_exploits.json"
|
||||
|
||||
pr_number="${PR_NUMBER}"
|
||||
if [ -z "$pr_number" ] && [ -n "$HEAD_BRANCH" ]; then
|
||||
pr_number="$(gh pr list --state open --head "$HEAD_BRANCH" --base master --json number --jq '.[0].number')"
|
||||
fi
|
||||
if [ -z "$pr_number" ]; then
|
||||
echo "No pull request found for this workflow_run; skipping."
|
||||
echo "should_merge=false" >> "$GITHUB_OUTPUT"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
pr_json="$(gh pr view "$pr_number" --json title,baseRefName,headRefName,author,isCrossRepository,files,mergeStateStatus)"
|
||||
pr_title="$(jq -r .title <<<"$pr_json")"
|
||||
base_ref="$(jq -r .baseRefName <<<"$pr_json")"
|
||||
head_ref="$(jq -r .headRefName <<<"$pr_json")"
|
||||
author="$(jq -r .author.login <<<"$pr_json")"
|
||||
is_cross_repository="$(jq -r .isCrossRepository <<<"$pr_json")"
|
||||
merge_state="$(jq -r .mergeStateStatus <<<"$pr_json")"
|
||||
files="$(jq -r '.files[].path' <<<"$pr_json")"
|
||||
file_count="$(jq -r '.files | length' <<<"$pr_json")"
|
||||
|
||||
if [ "$pr_title" != "$title" ] ||
|
||||
[ "$base_ref" != "master" ] ||
|
||||
[ "$head_ref" != "$branch" ] ||
|
||||
[ "$author" != "app/github-actions" ] ||
|
||||
[ "$is_cross_repository" != "false" ] ||
|
||||
[ "$file_count" != "1" ] ||
|
||||
[ "$files" != "$expected_file" ]; then
|
||||
echo "PR #$pr_number is not the trusted windows definitions bot PR; skipping."
|
||||
echo "should_merge=false" >> "$GITHUB_OUTPUT"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$merge_state" != "CLEAN" ] && [ "$merge_state" != "HAS_HOOKS" ]; then
|
||||
echo "Refusing to merge PR #$pr_number because mergeStateStatus=$merge_state"
|
||||
echo "should_merge=false" >> "$GITHUB_OUTPUT"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "should_merge=true" >> "$GITHUB_OUTPUT"
|
||||
echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
|
||||
echo "title=$title" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Merge trusted bot PR
|
||||
if: ${{ steps.bot_pr.outputs.should_merge == 'true' }}
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
PR_NUMBER: ${{ steps.bot_pr.outputs.pr_number }}
|
||||
COMMIT_TITLE: ${{ steps.bot_pr.outputs.title }}
|
||||
run: |
|
||||
gh api \
|
||||
-X PUT \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
"/repos/${{ github.repository }}/pulls/${PR_NUMBER}/merge" \
|
||||
-f merge_method=squash \
|
||||
-f commit_title="$COMMIT_TITLE"
|
||||
|
||||
chack_agent_triage:
|
||||
if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
@@ -6,6 +6,7 @@ on:
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
actions: write
|
||||
contents: write
|
||||
pull-requests: write
|
||||
|
||||
@@ -35,7 +36,7 @@ jobs:
|
||||
- name: Validate windows version definitions
|
||||
run: python3 build_lists/validate_windows_version_defs.py
|
||||
|
||||
- name: Create and merge validated update pull request
|
||||
- name: Create validated update pull request
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
run: |
|
||||
@@ -67,30 +68,4 @@ jobs:
|
||||
--body "Automated update of \`build_lists/windows_version_exploits.json\`. The generated JSON passed \`build_lists/validate_windows_version_defs.py\` before this PR was updated."
|
||||
fi
|
||||
|
||||
pr_number="$(gh pr list --state open --head "$branch" --base master --json number --jq '.[0].number')"
|
||||
pr_json="$(gh pr view "$pr_number" --json title,baseRefName,headRefName,author,mergeable)"
|
||||
pr_title="$(jq -r .title <<<"$pr_json")"
|
||||
base_ref="$(jq -r .baseRefName <<<"$pr_json")"
|
||||
head_ref="$(jq -r .headRefName <<<"$pr_json")"
|
||||
author="$(jq -r .author.login <<<"$pr_json")"
|
||||
mergeable="$(jq -r .mergeable <<<"$pr_json")"
|
||||
|
||||
if [ "$pr_title" != "$title" ] || [ "$base_ref" != "master" ] || [ "$head_ref" != "$branch" ]; then
|
||||
echo "Refusing to merge unexpected PR #$pr_number: title=$pr_title base=$base_ref head=$head_ref"
|
||||
exit 1
|
||||
fi
|
||||
if [ "$author" != "app/github-actions" ] && [ "$author" != "github-actions" ] && [ "$author" != "github-actions[bot]" ]; then
|
||||
echo "Refusing to merge PR #$pr_number from unexpected author: $author"
|
||||
exit 1
|
||||
fi
|
||||
if [ "$mergeable" != "MERGEABLE" ]; then
|
||||
echo "Refusing to merge PR #$pr_number because mergeable=$mergeable"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
gh api \
|
||||
-X PUT \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
"/repos/${{ github.repository }}/pulls/${pr_number}/merge" \
|
||||
-f merge_method=squash \
|
||||
-f commit_title="$title"
|
||||
gh workflow run PR-tests.yml --ref "$branch"
|
||||
|
||||
@@ -302,6 +302,19 @@ class LinpeasBaseBuilder:
|
||||
def enumerate_directory(self, path):
|
||||
"""Given a directory get the paths to all the files inside it"""
|
||||
return sorted([os.path.join(path, f) for f in os.listdir(path) if os.path.isfile(os.path.join(path, f))])
|
||||
|
||||
def selector_matches(self, selector, *values):
|
||||
"""Return whether a CLI include/exclude selector matches any module metadata."""
|
||||
selector = selector.strip().lower()
|
||||
if not selector:
|
||||
return False
|
||||
selector_flat = selector.replace("_", "").replace("-", "").replace(" ", "")
|
||||
for value in values:
|
||||
value = str(value).lower()
|
||||
value_flat = value.replace("_", "").replace("-", "").replace(" ", "")
|
||||
if selector == value or selector in value or selector_flat in value_flat:
|
||||
return True
|
||||
return False
|
||||
|
||||
def get_modules(self, all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules) -> LinpeasModuleList:
|
||||
"""Get all the base, variable, function and specified modules to create the new linpeas"""
|
||||
@@ -321,7 +334,7 @@ class LinpeasBaseBuilder:
|
||||
for module in LINPEAS_PARTS["modules"]:
|
||||
exclude = False
|
||||
for ex_module in exclude_modules:
|
||||
if ex_module in module["folder_path"] or ex_module in [module["name"], module["name_check"]]:
|
||||
if self.selector_matches(ex_module, module["folder_path"], module["name"], module["name_check"]):
|
||||
exclude = True
|
||||
break
|
||||
if exclude: continue
|
||||
@@ -343,7 +356,7 @@ class LinpeasBaseBuilder:
|
||||
continue
|
||||
|
||||
# If explicitely excluded, skip
|
||||
if m.id in exclude_modules:
|
||||
if any(self.selector_matches(ex_module, m.path, m.id, m.title, m.section_info["name"], m.section_info["name_check"]) for ex_module in exclude_modules):
|
||||
continue
|
||||
if all_no_fat_modules and m.is_fat:
|
||||
continue
|
||||
@@ -354,11 +367,8 @@ class LinpeasBaseBuilder:
|
||||
if all_modules or all_no_fat_modules or m.id in include_modules:
|
||||
parsed_modules.append(m)
|
||||
for in_module in include_modules:
|
||||
if in_module.lower() in os.path.basename(m.path).lower() or in_module.lower() == m.id.lower() or in_module in [m.section_info["name"], m.section_info["name_check"]]:
|
||||
if self.selector_matches(in_module, m.path, os.path.basename(m.path), m.id, m.title, m.section_info["name"], m.section_info["name_check"]):
|
||||
parsed_modules.append(m)
|
||||
break
|
||||
|
||||
return parsed_modules
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -36,6 +36,23 @@ class LinpeasBuilderTests(unittest.TestCase):
|
||||
self.assertIn("Operative system", content)
|
||||
self.assertNotIn("Am I Containered?", content)
|
||||
|
||||
def test_exclude_matches_module_ids_case_insensitively(self):
|
||||
"""Regression: --exclude must match module IDs such as SY_Copy_Fail."""
|
||||
with tempfile.TemporaryDirectory() as tmpdir:
|
||||
output_path = Path(tmpdir) / "linpeas_exclude_copyfail.sh"
|
||||
self._run_builder(
|
||||
[
|
||||
"--include",
|
||||
"SY_Copy_Fail",
|
||||
"--exclude",
|
||||
"SY_Copy_Fail,checkCopyFail",
|
||||
],
|
||||
output_path,
|
||||
)
|
||||
content = output_path.read_text(encoding="utf-8", errors="ignore")
|
||||
self.assertNotIn("Checking for Copy Fail", content)
|
||||
self.assertNotIn("checkCopyFail", content)
|
||||
|
||||
def test_threads_flag_present_in_getopts(self):
|
||||
"""Regression: -z must appear in the getopts string so it is actually parsed."""
|
||||
with tempfile.TemporaryDirectory() as tmpdir:
|
||||
|
||||
Reference in New Issue
Block a user