Update GHES host check #1648

Merged: eggyhead merged 2 commits into main from eggyhead/ghescheck-updatehosts on Jan 31, 2024

@eggyhead eggyhead commented Jan 31, 2024

What are we doing?

Currently, we are only checking equality against github.com to ensure artifact and cache actions are being run in a non-enterprise host. We need to update this check to allow requests from ghe.com and ghe.localhost, additional allowed hostnames for production and local development.

Fixes https://github.com/github/actions-results-team/issues/2208

How are we doing it?

  • We are including the known GitHub hostnames in the negative condition for isGhes

How do I test?

  • Run upload or download artifact from an allowed host using this toolkit package version


const hostname = ghUrl.hostname.trimEnd().toUpperCase()
const isGitHubHost = (hostname == 'GITHUB.COM')
const isProximaHost = (hostname.endsWith('GHE.COM') || hostname.endsWith('GHE.LOCALHOST'))
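
Review bot: on the `isProximaHost` line, `hostname.endsWith('GHE.COM')` and `hostname.endsWith('GHE.LOCALHOST')` match on raw characters rather than on a domain-label boundary, so any hostname whose last characters happen to be `GHE.COM` is classified as a GitHub host and falls into the negative condition for `isGhes`. Anchor the suffix on the dot, e.g. `hostname.endsWith('.GHE.COM')` and `hostname.endsWith('.GHE.LOCALHOST')`, and add an exact comparison only if the bare domain itself must be accepted. A unit test asserting that a hostname with extra characters directly in front of `GHE.COM` (no dot) is still treated as GHES would keep this from regressing. Minor: the `isGitHubHost` line can use `===` instead of `==`.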

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization

'GHE.COM' may be preceded by an arbitrary host name.
updating allowed hosts in artifact ghes check

using dot prepend ghe host
@eggyhead eggyhead force-pushed the eggyhead/ghescheck-updatehosts branch from 1e316cc to 3b02a6f Compare January 31, 2024 16:31
@eggyhead eggyhead marked this pull request as ready for review January 31, 2024 17:14
@eggyhead eggyhead requested review from a team as code owners January 31, 2024 17:14

@chrisimap32 chrisimap32 left a comment

R

renovate Bot added a commit to sdwilsh/sOS that referenced this pull request Apr 29, 2026
##### [\`v7.0.1\`](https://github.com/actions/upload-artifact/releases/tag/v7.0.1)

##### What's Changed

- Update the readme with direct upload details by [@danwkennedy](https://github.com/danwkennedy) in [#795](actions/upload-artifact#795)
- Readme: bump all the example versions to v7 by [@danwkennedy](https://github.com/danwkennedy) in [#796](actions/upload-artifact#796)
- Include changes in typespec/ts-http-runtime 0.3.5 by [@yacaovsnc](https://github.com/yacaovsnc) in [#797](actions/upload-artifact#797)

**Full Changelog**: <actions/upload-artifact@v7...v7.0.1>

---
##### [\`v7.0.0\`](https://github.com/actions/upload-artifact/releases/tag/v7.0.0)

#### v7 What's new

##### Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new `archive` parameter to `false` to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The `name` parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

##### ESM

To support new versions of the `@actions/*` packages, we've upgraded the package to ESM.

#### What's Changed

- Add proxy integration test by [@Link-](https://github.com/Link-) in [#754](actions/upload-artifact#754)
- Upgrade the module to ESM and bump dependencies by [@danwkennedy](https://github.com/danwkennedy) in [#762](actions/upload-artifact#762)
- Support direct file uploads by [@danwkennedy](https://github.com/danwkennedy) in [#764](actions/upload-artifact#764)

#### New Contributors

- [@Link-](https://github.com/Link-) made their first contribution in [#754](actions/upload-artifact#754)

**Full Changelog**: <actions/upload-artifact@v6...v7.0.0>

---
##### [\`v7\`](actions/upload-artifact@v6...v7)


---
##### [\`v6\`](actions/upload-artifact@v5...v6)


---
##### [\`v6.0.0\`](actions/upload-artifact@v5.0.0...v6.0.0)


---
##### [\`v5\`](actions/upload-artifact@v4...v5)


---
##### [\`v5.0.0\`](actions/upload-artifact@v4.6.2...v5.0.0)


---
##### [\`v4.6.2\`](https://github.com/actions/upload-artifact/releases/tag/v4.6.2)

#### What's Changed

- Update to use artifact 2.3.2 package & prepare for new upload-artifact release by [@salmanmkc](https://github.com/salmanmkc) in [#685](actions/upload-artifact#685)

#### New Contributors

- [@salmanmkc](https://github.com/salmanmkc) made their first contribution in [#685](actions/upload-artifact#685)

**Full Changelog**: <actions/upload-artifact@v4...v4.6.2>

---
##### [\`v4.6.1\`](https://github.com/actions/upload-artifact/releases/tag/v4.6.1)

#### What's Changed

- Update to use artifact 2.2.2 package by [@yacaovsnc](https://github.com/yacaovsnc) in [#673](actions/upload-artifact#673)

**Full Changelog**: <actions/upload-artifact@v4...v4.6.1>

---
##### [\`v4.6.0\`](https://github.com/actions/upload-artifact/releases/tag/v4.6.0)

#### What's Changed

- Expose env vars to control concurrency and timeout by [@yacaovsnc](https://github.com/yacaovsnc) in [#662](actions/upload-artifact#662)

**Full Changelog**: <actions/upload-artifact@v4...v4.6.0>

---
##### [\`v4.5.0\`](https://github.com/actions/upload-artifact/releases/tag/v4.5.0)

#### What's Changed

- fix: deprecated `Node.js` version in action by [@hamirmahal](https://github.com/hamirmahal) in [#578](actions/upload-artifact#578)
- Add new `artifact-digest` output by [@bdehamer](https://github.com/bdehamer) in [#656](actions/upload-artifact#656)

#### New Contributors

- [@hamirmahal](https://github.com/hamirmahal) made their first contribution in [#578](actions/upload-artifact#578)
- [@bdehamer](https://github.com/bdehamer) made their first contribution in [#656](actions/upload-artifact#656)

**Full Changelog**: <actions/upload-artifact@v4.4.3...v4.5.0>

---
##### [\`v4.4.3\`](https://github.com/actions/upload-artifact/releases/tag/v4.4.3)

#### What's Changed

- Undo indirect dependency updates from [#627](actions/upload-artifact#627) by [@joshmgross](https://github.com/joshmgross) in [#632](actions/upload-artifact#632)

**Full Changelog**: <actions/upload-artifact@v4.4.2...v4.4.3>

---
##### [\`v4.4.2\`](https://github.com/actions/upload-artifact/releases/tag/v4.4.2)

#### What's Changed

- Bump `@actions/artifact` to 2.1.11 by [@robherley](https://github.com/robherley) in [#627](actions/upload-artifact#627)
  - Includes fix for relative symlinks not resolving properly

**Full Changelog**: <actions/upload-artifact@v4.4.1...v4.4.2>

---
##### [\`v4.4.1\`](https://github.com/actions/upload-artifact/releases/tag/v4.4.1)

#### What's Changed

- Add a section about hidden files by [@joshmgross](https://github.com/joshmgross) in [#607](actions/upload-artifact#607)
- Add workflow file for publishing releases to immutable action package by [@Jcambass](https://github.com/Jcambass) in [#621](actions/upload-artifact#621)
- Update [@actions/artifact](https://github.com/actions/artifact) to latest version, includes symlink and timeout fixes by [@robherley](https://github.com/robherley) in [#625](actions/upload-artifact#625)

#### New Contributors

- [@Jcambass](https://github.com/Jcambass) made their first contribution in [#621](actions/upload-artifact#621)

**Full Changelog**: <actions/upload-artifact@v4.4.0...v4.4.1>

---
##### [\`v4.4.0\`](https://github.com/actions/upload-artifact/releases/tag/v4.4.0)

#### Notice: Breaking Changes ⚠️

We will no longer include hidden files and folders by default in the `upload-artifact` action of this version. This reduces the risk that credentials are accidentally uploaded into artifacts. Customers who need to continue to upload these files can use a new option, `include-hidden-files`, to continue to do so.

See ["Notice of upcoming deprecations and breaking changes in GitHub Actions runners"](https://github.blog/changelog/2024-08-19-notice-of-upcoming-deprecations-and-breaking-changes-in-github-actions-runners/) changelog and [this issue](actions/upload-artifact#602) for more details.

#### What's Changed

- Exclude hidden files by default by [@joshmgross](https://github.com/joshmgross) in [#598](actions/upload-artifact#598)

**Full Changelog**: <actions/upload-artifact@v4.3.6...v4.4.0>

---
##### [\`v4.3.6\`](https://github.com/actions/upload-artifact/releases/tag/v4.3.6)

#### What's Changed

- Revert to [@actions/artifact](https://github.com/actions/artifact) 2.1.8 by [@robherley](https://github.com/robherley) in [#594](actions/upload-artifact#594)

**Full Changelog**: <actions/upload-artifact@v4...v4.3.6>

---
##### [\`v4.3.5\`](https://github.com/actions/upload-artifact/releases/tag/v4.3.5)

#### What's Changed

- Bump [@actions/artifact](https://github.com/actions/artifact) to v2.1.9 by [@robherley](https://github.com/robherley) in [#588](actions/upload-artifact#588)
  - Fixed artifact upload chunk timeout logic [#1774](actions/toolkit#1774)
  - Use lazy stream to prevent issues with open file limits [#1771](actions/toolkit#1771)

**Full Changelog**: <actions/upload-artifact@v4.3.4...v4.3.5>

---
##### [\`v4.3.4\`](https://github.com/actions/upload-artifact/releases/tag/v4.3.4)

#### What's Changed

- Update [@actions/artifact](https://github.com/actions/artifact) version, bump dependencies by [@robherley](https://github.com/robherley) in [#584](actions/upload-artifact#584)

**Full Changelog**: <actions/upload-artifact@v4.3.3...v4.3.4>

---
##### [\`v4.3.3\`](https://github.com/actions/upload-artifact/releases/tag/v4.3.3)

#### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by [@eggyhead](https://github.com/eggyhead) in [#565](actions/upload-artifact#565)

**Full Changelog**: <actions/upload-artifact@v4.3.2...v4.3.3>

---
##### [\`v4.3.2\`](https://github.com/actions/upload-artifact/releases/tag/v4.3.2)

#### What's Changed

- Update release-new-action-version.yml by [@konradpabjan](https://github.com/konradpabjan) in [#516](actions/upload-artifact#516)
- Minor fix to the migration readme by [@andrewakim](https://github.com/andrewakim) in [#523](actions/upload-artifact#523)
- Update readme with v3/v2/v1 deprecation notice by [@robherley](https://github.com/robherley) in [#561](actions/upload-artifact#561)
- updating `@actions/artifact` dependency to v2.1.5 and `@actions/core` to v1.0.1 by [@eggyhead](https://github.com/eggyhead) in [#562](actions/upload-artifact#562)

#### New Contributors

- [@andrewakim](https://github.com/andrewakim) made their first contribution in [#523](actions/upload-artifact#523)

**Full Changelog**: <actions/upload-artifact@v4.3.1...v4.3.2>

---
##### [\`v4.3.1\`](https://github.com/actions/upload-artifact/releases/tag/v4.3.1)

- Bump [@actions/artifacts](https://github.com/actions/artifacts) to latest version to include [updated GHES host check](actions/toolkit#1648)

---
##### [\`v4.3.0\`](https://github.com/actions/upload-artifact/releases/tag/v4.3.0)

#### What's Changed

- Reorganize upload code in prep for merge logic & add more tests by [@robherley](https://github.com/robherley) in [#504](actions/upload-artifact#504)
- Add sub-action to merge artifacts by [@robherley](https://github.com/robherley) in [#505](actions/upload-artifact#505)

**Full Changelog**: <actions/upload-artifact@v4...v4.3.0>

---
##### [\`v4.2.0\`](https://github.com/actions/upload-artifact/releases/tag/v4.2.0)

#### What's Changed

- Ability to overwrite an Artifact by [@robherley](https://github.com/robherley) in [#501](actions/upload-artifact#501)

**Full Changelog**: <actions/upload-artifact@v4...v4.2.0>

---
##### [\`v4.1.0\`](https://github.com/actions/upload-artifact/releases/tag/v4.1.0)

#### What's Changed

- Add migrations docs by [@robherley](https://github.com/robherley) in [#482](actions/upload-artifact#482)
- Update README.md by [@samuelwine](https://github.com/samuelwine) in [#492](actions/upload-artifact#492)
- Support artifact-url output by [@konradpabjan](https://github.com/konradpabjan) in [#496](actions/upload-artifact#496)
- Update readme to reflect new 500 artifact per job limit by [@robherley](https://github.com/robherley) in [#497](actions/upload-artifact#497)

#### New Contributors

- [@samuelwine](https://github.com/samuelwine) made their first contribution in [#492](actions/upload-artifact#492)

**Full Changelog**: <actions/upload-artifact@v4...v4.1.0>