Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: ensure no self-hosted runners for generic generators #3298

Draft
wants to merge 62 commits into
base: main
Choose a base branch
from

Conversation

ramonpetgrave64
Copy link
Collaborator

@ramonpetgrave64 ramonpetgrave64 commented Feb 28, 2024

Update

We're putting this PR on hold until we can get an answer in

Summary

Fixes #1868

Fails the generator workflows when they detect that other jobs in the calling workflow are targeting self-hosted runners.

A new function first fetches a list of all jobs in the calling workflow, examines their specified target runs-on labels, and then compares against any known self-hosted runners' labels.

We do this extra comparison because a user need not specify the target runs-on label "self-hosted" in order to actually run on their self-hosted runners: If they have a runner with a custom labels "cloudtop" or even "ubuntu-latest", they need only specify runs-on: "cloudtop" or rune-on: "ubuntu-latest" to make their job run on their self-hosted runner.

Caveats

Personal Access Token

The call to check the list of self-hosted runners requires a Personal Access Token with administration:read permissions. This is a breaking change, and will also require updates to many of our e2e tests bth in this repo and example-package.

Defeatable

A repo owner with bad intentions could still get past this check: after the actual artifact build and before our checks, they can edit the properties of their self-hosted runner to remove the label in question.

Testing Process

  • Added unit tests for a new ensureOnlyGithubHostedRunners() in detect.ts.
  • Added more unit tests to main.ts, wich calls ensureOnlyGithubHostedRunners()
  • Added another workflow pre-submit.actions-for-pr.yml that does a checkout on the PR's copy of of the code before doing a test on each of the github actions.
  • TODO: add e2e tests to slsa-framework/example-package
  • OR
  • TODO: add a pre-submit test to this workflow that attempts to run a job on a self-hosted runner (after we make one) and checks the (needs.detect-env.outputs.outcome).

Forked slsa-github-generator and ran the generator within my won custom workflow that specifies various combinations of self-hosted anad non self-hosted runner labels.

Checklist

  • Review the contributing guidelines
  • Add a reference to related issues in the PR description.
  • Update documentation if applicable.
  • Add unit tests if applicable.
  • Add changes to the CHANGELOG if applicable.

@ramonpetgrave64 ramonpetgrave64 changed the title fixe: ensure no self-hosted runners for generic generators fix: ensure no self-hosted runners for generic generators Feb 28, 2024
ramonpetgrave64 and others added 28 commits February 28, 2024 19:49
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Adds a PR template as default PR description:

Hopefully this can also remind us to to keep docs up-to-date, as well,
like in slsa-framework#3263

---------

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Co-authored-by: Ian Lewis <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
@laurentsimon
Copy link
Collaborator

laurentsimon commented Mar 4, 2024

We do this extra comparison because a user need not specify the target runs-on label "self-hosted" in order to actually run on their self-hosted runners: If they have a runner with a custom labels "cloudtop" or even "ubuntu-latest", they need only specify runs-on: "cloudtop" or rune-on: "ubuntu-latest" to make their job run on their self-hosted runner.

Does this contradict #1868 (comment)? Shall we create an issue on https://github.com/actions/runner to ask to update the doc?

Copy link
Collaborator

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall. Can we create a dedicated action for the detection of self-hosted runners? It will make the code more re-usable when we need it.

@@ -42,6 +42,9 @@ on:
description: "Username when publishing to provenance repository (option 'provenance-repository') instead of image repository."
provenance-registry-password:
description: "Password when publishing to provenance repository instead of image repository."
token:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the token is available without the need to pass it explicitly, so I don't think we need this option?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it will be a different personal access token

@@ -129,6 +133,8 @@ jobs:
id: detect
continue-on-error: true
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main
with:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment about the token being available

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it will be a different personal access token

repoName: string,
token: string,
): Promise<void> {
const [owner, repo] = repoName.split("/");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you know what permissions are needed to read this API? Does it require admin permissions?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it needs a user-generated token with actions: read and administration:read against the repo. In the new action I'll write up the docs for it.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm worried about this requirement admin:read. This is a hard ask. @ianlewis @kpk47 @pnacht @haydentherapper wdut?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would give me pause if I saw I needed to generate an admin PAT. Which of these APIs needs this permission?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

admin: read and actions: read, but the user can limit their token's permissions to a single repo.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which of these APIs needs this permission?

octokit.rest.actions.listSelfHostedRunnersForRepo at least needs it.

But I agree, requiring this permission can be a hard sell...


Question: can't this permission be replaced by having a list of known GitHub runner images?

Then, if runs-on contains only elements in that list, it's assumed to be a GitHub image.

I don't know if a self-hosted image with label ubuntu-latest will ever be chosen... But even if so, I assume it's highly unreliable (you never know if your runner will be chosen before the GH runner), unless GH gives preference to self-hosted runners whenever possible.

This can either be hardcoded into the generator (therefore requiring updates whenever GitHub releases a new image) or be dynamically parsed from the README (fragile!). I unfortunately couldn't find a REST API endpoint or something of the sort we can query to get all the images.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's right. Github doesn't publish a full list, and if I assign my runner with the label "ubuntu-latest" or "macos-14-large", then my job can still run on my self-hosted runner. There's nothing stopping me from assigning my runner with the labels that github already uses.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@steiza Any guidance how we can figure out whether a run uses self-hosted runner vs GitHub-hosted runners, and without admin permissions - #1868?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
<!-- toc -->

- [Unreleased](#unreleased)
- [Unreleased: Generic Generator](#unreleased-generic-generator)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you group breaking changes (only this one for now) under their own section? also, can you add a "upgrade" information to tell users how they can migrate to the new (major) version? Thanks

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added

@ramonpetgrave64
Copy link
Collaborator Author

LGTM overall. Can we create a dedicated action for the detection of self-hosted runners? It will make the code more re-usable when we need it.

I think you're right. And it should be easier to write a e2e test for that way

Signed-off-by: Ramon Petgrave <[email protected]>
@laurentsimon
Copy link
Collaborator

We do this extra comparison because a user need not specify the target runs-on label "self-hosted" in order to actually run on their self-hosted runners: If they have a runner with a custom labels "cloudtop" or even "ubuntu-latest", they need only specify runs-on: "cloudtop" or rune-on: "ubuntu-latest" to make their job run on their self-hosted runner.

Does this contradict #1868 (comment)? Shall we create an issue on https://github.com/actions/runner to ask to update the doc?

Please cc me on the issue you create on their repo

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
@@ -0,0 +1 @@
(()=>{var e={650:e=>{var r=Object.prototype.toString;var n=typeof Buffer.alloc==="function"&&typeof Buffer.allocUnsafe==="function"&&typeof Buffer.from==="function";function isArrayBuffer(e){return r.call(e).slice(8,-1)==="ArrayBuffer"}function fromArrayBuffer(e,r,t){r>>>=0;var o=e.byteLength-r;if(o<0){throw new RangeError("'offset' is out of bounds")}if(t===undefined){t=o}else{t>>>=0;if(t>o){throw new RangeError("'length' is out of bounds")}}return n?Buffer.from(e.slice(r,r+t)):new Buffer(new Uint8Array(e.slice(r,r+t)))}function fromString(e,r){if(typeof r!=="string"||r===""){r="utf8"}if(!Buffer.isEncoding(r)){throw new TypeError('"encoding" must be a valid string encoding')}return n?Buffer.from(e,r):new Buffer(e,r)}function bufferFrom(e,r,t){if(typeof e==="number"){throw new TypeError('"value" argument must not be a number')}if(isArrayBuffer(e)){return fromArrayBuffer(e,r,t)}if(typeof e==="string"){return fromString(e,r)}return n?Buffer.from(e):new Buffer(e)}e.exports=bufferFrom},274:(e,r,n)=>{var t=n(339);var o=Object.prototype.hasOwnProperty;var i=typeof Map!=="undefined";function ArraySet(){this._array=[];this._set=i?new Map:Object.create(null)}ArraySet.fromArray=function ArraySet_fromArray(e,r){var n=new ArraySet;for(var t=0,o=e.length;t<o;t++){n.add(e[t],r)}return n};ArraySet.prototype.size=function ArraySet_size(){return i?this._set.size:Object.getOwnPropertyNames(this._set).length};ArraySet.prototype.add=function ArraySet_add(e,r){var n=i?e:t.toSetString(e);var a=i?this.has(e):o.call(this._set,n);var u=this._array.length;if(!a||r){this._array.push(e)}if(!a){if(i){this._set.set(e,u)}else{this._set[n]=u}}};ArraySet.prototype.has=function ArraySet_has(e){if(i){return this._set.has(e)}else{var r=t.toSetString(e);return o.call(this._set,r)}};ArraySet.prototype.indexOf=function ArraySet_indexOf(e){if(i){var r=this._set.get(e);if(r>=0){return r}}else{var n=t.toSetString(e);if(o.call(this._set,n)){return this._set[n]}}throw new Error('"'+e+'" is not in the set.')};ArraySet.prototype.at=function ArraySet_at(e){if(e>=0&&e<this._array.length){return this._array[e]}throw new Error("No element indexed by "+e)};ArraySet.prototype.toArray=function ArraySet_toArray(){return this._array.slice()};r.I=ArraySet},449:(e,r,n)=>{var t=n(190);var o=5;var i=1<<o;var a=i-1;var u=i;function toVLQSigned(e){return e<0?(-e<<1)+1:(e<<1)+0}function fromVLQSigned(e){var r=(e&1)===1;var n=e>>1;return r?-n:n}r.encode=function base64VLQ_encode(e){var r="";var n;var i=toVLQSigned(e);do{n=i&a;i>>>=o;if(i>0){n|=u}r+=t.encode(n)}while(i>0);return r};r.decode=function base64VLQ_decode(e,r,n){var i=e.length;var s=0;var l=0;var c,p;do{if(r>=i){throw new Error("Expected more digits in base 64 VLQ value.")}p=t.decode(e.charCodeAt(r++));if(p===-1){throw new Error("Invalid base64 digit: "+e.charAt(r-1))}c=!!(p&u);p&=a;s=s+(p<<l);l+=o}while(c);n.value=fromVLQSigned(s);n.rest=r}},190:(e,r)=>{var n="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".split("");r.encode=function(e){if(0<=e&&e<n.length){return n[e]}throw new TypeError("Must be between 0 and 63: "+e)};r.decode=function(e){var r=65;var n=90;var t=97;var o=122;var i=48;var a=57;var u=43;var s=47;var l=26;var c=52;if(r<=e&&e<=n){return e-r}if(t<=e&&e<=o){return e-t+l}if(i<=e&&e<=a){return e-i+c}if(e==u){return 62}if(e==s){return 63}return-1}},345:(e,r)=>{r.GREATEST_LOWER_BOUND=1;r.LEAST_UPPER_BOUND=2;function recursiveSearch(e,n,t,o,i,a){var u=Math.floor((n-e)/2)+e;var s=i(t,o[u],true);if(s===0){return u}else if(s>0){if(n-u>1){return recursiveSearch(u,n,t,o,i,a)}if(a==r.LEAST_UPPER_BOUND){return n<o.length?n:-1}else{return u}}else{if(u-e>1){return recursiveSearch(e,u,t,o,i,a)}if(a==r.LEAST_UPPER_BOUND){return u}else{return e<0?-1:e}}}r.search=function search(e,n,t,o){if(n.length===0){return-1}var i=recursiveSearch(-1,n.length,e,n,t,o||r.GREATEST_LOWER_BOUND);if(i<0){return-1}while(i-1>=0){if(t(n[i],n[i-1],true)!==0){break}--i}return i}},680:(e,r,n)=>{var t=n(339);function generatedPositionAfter(e,r){var n=e.generatedLine;var o=r.generatedLine;var i=e.generatedColumn;var a=r.generatedColumn;return o>n||o==n&&a>=i||t.compareByGeneratedPositionsInflated(e,r)<=0}function MappingList(){this._array=[];this._sorted=true;this._last={generatedLine:-1,generatedColumn:0}}MappingList.prototype.unsortedForEach=function MappingList_forEach(e,r){this._array.forEach(e,r)};MappingList.prototype.add=function MappingList_add(e){if(generatedPositionAfter(this._last,e)){this._last=e;this._array.push(e)}else{this._sorted=false;this._array.push(e)}};MappingList.prototype.toArray=function MappingList_toArray(){if(!this._sorted){this._array.sort(t.compareByGeneratedPositionsInflated);this._sorted=true}return this._array};r.H=MappingList},758:(e,r)=>{function swap(e,r,n){var t=e[r];e[r]=e[n];e[n]=t}function randomIntInRange(e,r){return Math.round(e+Math.random()*(r-e))}function doQuickSort(e,r,n,t){if(n<t){var o=randomIntInRange(n,t);var i=n-1;swap(e,o,t);var a=e[t];for(var u=n;u<t;u++){if(r(e[u],a)<=0){i+=1;swap(e,i,u)}}swap(e,i+1,u);var s=i+1;doQuickSort(e,r,n,s-1);doQuickSort(e,r,s+1,t)}}r.U=function(e,r){doQuickSort(e,r,0,e.length-1)}},952:(e,r,n)=>{var t;var o=n(339);var i=n(345);var a=n(274).I;var u=n(449);var s=n(758).U;function SourceMapConsumer(e,r){var n=e;if(typeof e==="string"){n=o.parseSourceMapInput(e)}return n.sections!=null?new IndexedSourceMapConsumer(n,r):new BasicSourceMapConsumer(n,r)}SourceMapConsumer.fromSourceMap=function(e,r){return BasicSourceMapConsumer.fromSourceMap(e,r)};SourceMapConsumer.prototype._version=3;SourceMapConsumer.prototype.__generatedMappings=null;Object.defineProperty(SourceMapConsumer.prototype,"_generatedMappings",{configurable:true,enumerable:true,get:function(){if(!this.__generatedMappings){this._parseMappings(this._mappings,this.sourceRoot)}return this.__generatedMappings}});SourceMapConsumer.prototype.__originalMappings=null;Object.defineProperty(SourceMapConsumer.prototype,"_originalMappings",{configurable:true,enumerable:true,get:function(){if(!this.__originalMappings){this._parseMappings(this._mappings,this.sourceRoot)}return this.__originalMappings}});SourceMapConsumer.prototype._charIsMappingSeparator=function SourceMapConsumer_charIsMappingSeparator(e,r){var n=e.charAt(r);return n===";"||n===","};SourceMapConsumer.prototype._parseMappings=function SourceMapConsumer_parseMappings(e,r){throw new Error("Subclasses must implement _parseMappings")};SourceMapConsumer.GENERATED_ORDER=1;SourceMapConsumer.ORIGINAL_ORDER=2;SourceMapConsumer.GREATEST_LOWER_BOUND=1;SourceMapConsumer.LEAST_UPPER_BOUND=2;SourceMapConsumer.prototype.eachMapping=function SourceMapConsumer_eachMapping(e,r,n){var t=r||null;var i=n||SourceMapConsumer.GENERATED_ORDER;var a;switch(i){case SourceMapConsumer.GENERATED_ORDER:a=this._generatedMappings;break;case SourceMapConsumer.ORIGINAL_ORDER:a=this._originalMappings;break;default:throw new Error("Unknown order of iteration.")}var u=this.sourceRoot;a.map((function(e){var r=e.source===null?null:this._sources.at(e.source);r=o.computeSourceURL(u,r,this._sourceMapURL);return{source:r,generatedLine:e.generatedLine,generatedColumn:e.generatedColumn,originalLine:e.originalLine,originalColumn:e.originalColumn,name:e.name===null?null:this._names.at(e.name)}}),this).forEach(e,t)};SourceMapConsumer.prototype.allGeneratedPositionsFor=function SourceMapConsumer_allGeneratedPositionsFor(e){var r=o.getArg(e,"line");var n={source:o.getArg(e,"source"),originalLine:r,originalColumn:o.getArg(e,"column",0)};n.source=this._findSourceIndex(n.source);if(n.source<0){return[]}var t=[];var a=this._findMapping(n,this._originalMappings,"originalLine","originalColumn",o.compareByOriginalPositions,i.LEAST_UPPER_BOUND);if(a>=0){var u=this._originalMappings[a];if(e.column===undefined){var s=u.originalLine;while(u&&u.originalLine===s){t.push({line:o.getArg(u,"generatedLine",null),column:o.getArg(u,"generatedColumn",null),lastColumn:o.getArg(u,"lastGeneratedColumn",null)});u=this._originalMappings[++a]}}else{var l=u.originalColumn;while(u&&u.originalLine===r&&u.originalColumn==l){t.push({line:o.getArg(u,"generatedLine",null),column:o.getArg(u,"generatedColumn",null),lastColumn:o.getArg(u,"lastGeneratedColumn",null)});u=this._originalMappings[++a]}}}return t};r.SourceMapConsumer=SourceMapConsumer;function BasicSourceMapConsumer(e,r){var n=e;if(typeof e==="string"){n=o.parseSourceMapInput(e)}var t=o.getArg(n,"version");var i=o.getArg(n,"sources");var u=o.getArg(n,"names",[]);var s=o.getArg(n,"sourceRoot",null);var l=o.getArg(n,"sourcesContent",null);var c=o.getArg(n,"mappings");var p=o.getArg(n,"file",null);if(t!=this._version){throw new Error("Unsupported version: "+t)}if(s){s=o.normalize(s)}i=i.map(String).map(o.normalize).map((function(e){return s&&o.isAbsolute(s)&&o.isAbsolute(e)?o.relative(s,e):e}));this._names=a.fromArray(u.map(String),true);this._sources=a.fromArray(i,true);this._absoluteSources=this._sources.toArray().map((function(e){return o.computeSourceURL(s,e,r)}));this.sourceRoot=s;this.sourcesContent=l;this._mappings=c;this._sourceMapURL=r;this.file=p}BasicSourceMapConsumer.prototype=Object.create(SourceMapConsumer.prototype);BasicSourceMapConsumer.prototype.consumer=SourceMapConsumer;BasicSourceMapConsumer.prototype._findSourceIndex=function(e){var r=e;if(this.sourceRoot!=null){r=o.relative(this.sourceRoot,r)}if(this._sources.has(r)){return this._sources.indexOf(r)}var n;for(n=0;n<this._absoluteSources.length;++n){if(this._absoluteSources[n]==e){return n}}return-1};BasicSourceMapConsumer.fromSourceMap=function SourceMapConsumer_fromSourceMap(e,r){var n=Object.create(BasicSourceMapConsumer.prototype);var t=n._names=a.fromArray(e._names.toArray(),true);var i=n._sources=a.fromArray(e._sources.toArray(),true);n.sourceRoot=e._sourceRoot;n.sourcesContent=e._generateSourcesContent(n._sources.toArray(),n.sourceRoot);n.file=e._file;n._sourceMapURL=r;n._absoluteSources=n._sources.toArray().map((function(e){return o.computeSourceURL(n.sourceRoot,e,r)}));var u=e._mappings.toArray().slice();var l=n.__generatedMappings=[];var c=n.__originalMappings=[];for(var p=0,f=u.length;p<f;p++){var g=u[p];var h=new Mapping;h.generatedLine=g.generatedLine;h.generatedColumn=g.generatedColumn;if(g.source){h.source=i.indexOf(g.source);h.originalLine=g.originalLine;h.originalColumn=g.originalColumn;if(g.name){h.name=t.indexOf(g.name)}c.push(h)}l.push(h)}s(n.__originalMappings,o.compareByOriginalPositions);return n};BasicSourceMapConsumer.prototype._version=3;Object.defineProperty(BasicSourceMapConsumer.prototype,"sources",{get:function(){return this._absoluteSources.slice()}});function Mapping(){this.generatedLine=0;this.generatedColumn=0;this.source=null;this.originalLine=null;this.originalColumn=null;this.name=null}BasicSourceMapConsumer.prototype._parseMappings=function SourceMapConsumer_parseMappings(e,r){var n=1;var t=0;var i=0;var a=0;var l=0;var c=0;var p=e.length;var f=0;var g={};var h={};var d=[];var m=[];var v,S,_,C,y;while(f<p){if(e.charAt(f)===";"){n++;f++;t=0}else if(e.charAt(f)===","){f++}else{v=new Mapping;v.generatedLine=n;for(C=f;C<p;C++){if(this._charIsMappingSeparator(e,C)){break}}S=e.slice(f,C);_=g[S];if(_){f+=S.length}else{_=[];while(f<C){u.decode(e,f,h);y=h.value;f=h.rest;_.push(y)}if(_.length===2){throw new Error("Found a source, but no line and column")}if(_.length===3){throw new Error("Found a source and line, but no column")}g[S]=_}v.generatedColumn=t+_[0];t=v.generatedColumn;if(_.length>1){v.source=l+_[1];l+=_[1];v.originalLine=i+_[2];i=v.originalLine;v.originalLine+=1;v.originalColumn=a+_[3];a=v.originalColumn;if(_.length>4){v.name=c+_[4];c+=_[4]}}m.push(v);if(typeof v.originalLine==="number"){d.push(v)}}}s(m,o.compareByGeneratedPositionsDeflated);this.__generatedMappings=m;s(d,o.compareByOriginalPositions);this.__originalMappings=d};BasicSourceMapConsumer.prototype._findMapping=function SourceMapConsumer_findMapping(e,r,n,t,o,a){if(e[n]<=0){throw new TypeError("Line must be greater than or equal to 1, got "+e[n])}if(e[t]<0){throw new TypeError("Column must be greater than or equal to 0, got "+e[t])}return i.search(e,r,o,a)};BasicSourceMapConsumer.prototype.computeColumnSpans=function SourceMapConsumer_computeColumnSpans(){for(var e=0;e<this._generatedMappings.length;++e){var r=this._generatedMappings[e];if(e+1<this._generatedMappings.length){var n=this._generatedMappings[e+1];if(r.generatedLine===n.generatedLine){r.lastGeneratedColumn=n.generatedColumn-1;continue}}r.lastGeneratedColumn=Infinity}};BasicSourceMapConsumer.prototype.originalPositionFor=function SourceMapConsumer_originalPositionFor(e){var r={generatedLine:o.getArg(e,"line"),generatedColumn:o.getArg(e,"column")};var n=this._findMapping(r,this._generatedMappings,"generatedLine","generatedColumn",o.compareByGeneratedPositionsDeflated,o.getArg(e,"bias",SourceMapConsumer.GREATEST_LOWER_BOUND));if(n>=0){var t=this._generatedMappings[n];if(t.generatedLine===r.generatedLine){var i=o.getArg(t,"source",null);if(i!==null){i=this._sources.at(i);i=o.computeSourceURL(this.sourceRoot,i,this._sourceMapURL)}var a=o.getArg(t,"name",null);if(a!==null){a=this._names.at(a)}return{source:i,line:o.getArg(t,"originalLine",null),column:o.getArg(t,"originalColumn",null),name:a}}}return{source:null,line:null,column:null,name:null}};BasicSourceMapConsumer.prototype.hasContentsOfAllSources=function BasicSourceMapConsumer_hasContentsOfAllSources(){if(!this.sourcesContent){return false}return this.sourcesContent.length>=this._sources.size()&&!this.sourcesContent.some((function(e){return e==null}))};BasicSourceMapConsumer.prototype.sourceContentFor=function SourceMapConsumer_sourceContentFor(e,r){if(!this.sourcesContent){return null}var n=this._findSourceIndex(e);if(n>=0){return this.sourcesContent[n]}var t=e;if(this.sourceRoot!=null){t=o.relative(this.sourceRoot,t)}var i;if(this.sourceRoot!=null&&(i=o.urlParse(this.sourceRoot))){var a=t.replace(/^file:\/\//,"");if(i.scheme=="file"&&this._sources.has(a)){return this.sourcesContent[this._sources.indexOf(a)]}if((!i.path||i.path=="/")&&this._sources.has("/"+t)){return this.sourcesContent[this._sources.indexOf("/"+t)]}}if(r){return null}else{throw new Error('"'+t+'" is not in the SourceMap.')}};BasicSourceMapConsumer.prototype.generatedPositionFor=function SourceMapConsumer_generatedPositionFor(e){var r=o.getArg(e,"source");r=this._findSourceIndex(r);if(r<0){return{line:null,column:null,lastColumn:null}}var n={source:r,originalLine:o.getArg(e,"line"),originalColumn:o.getArg(e,"column")};var t=this._findMapping(n,this._originalMappings,"originalLine","originalColumn",o.compareByOriginalPositions,o.getArg(e,"bias",SourceMapConsumer.GREATEST_LOWER_BOUND));if(t>=0){var i=this._originalMappings[t];if(i.source===n.source){return{line:o.getArg(i,"generatedLine",null),column:o.getArg(i,"generatedColumn",null),lastColumn:o.getArg(i,"lastGeneratedColumn",null)}}}return{line:null,column:null,lastColumn:null}};t=BasicSourceMapConsumer;function IndexedSourceMapConsumer(e,r){var n=e;if(typeof e==="string"){n=o.parseSourceMapInput(e)}var t=o.getArg(n,"version");var i=o.getArg(n,"sections");if(t!=this._version){throw new Error("Unsupported version: "+t)}this._sources=new a;this._names=new a;var u={line:-1,column:0};this._sections=i.map((function(e){if(e.url){throw new Error("Support for url field in sections not implemented.")}var n=o.getArg(e,"offset");var t=o.getArg(n,"line");var i=o.getArg(n,"column");if(t<u.line||t===u.line&&i<u.column){throw new Error("Section offsets must be ordered and non-overlapping.")}u=n;return{generatedOffset:{generatedLine:t+1,generatedColumn:i+1},consumer:new SourceMapConsumer(o.getArg(e,"map"),r)}}))}IndexedSourceMapConsumer.prototype=Object.create(SourceMapConsumer.prototype);IndexedSourceMapConsumer.prototype.constructor=SourceMapConsumer;IndexedSourceMapConsumer.prototype._version=3;Object.defineProperty(IndexedSourceMapConsumer.prototype,"sources",{get:function(){var e=[];for(var r=0;r<this._sections.length;r++){for(var n=0;n<this._sections[r].consumer.sources.length;n++){e.push(this._sections[r].consumer.sources[n])}}return e}});IndexedSourceMapConsumer.prototype.originalPositionFor=function IndexedSourceMapConsumer_originalPositionFor(e){var r={generatedLine:o.getArg(e,"line"),generatedColumn:o.getArg(e,"column")};var n=i.search(r,this._sections,(function(e,r){var n=e.generatedLine-r.generatedOffset.generatedLine;if(n){return n}return e.generatedColumn-r.generatedOffset.generatedColumn}));var t=this._sections[n];if(!t){return{source:null,line:null,column:null,name:null}}return t.consumer.originalPositionFor({line:r.generatedLine-(t.generatedOffset.generatedLine-1),column:r.generatedColumn-(t.generatedOffset.generatedLine===r.generatedLine?t.generatedOffset.generatedColumn-1:0),bias:e.bias})};IndexedSourceMapConsumer.prototype.hasContentsOfAllSources=function IndexedSourceMapConsumer_hasContentsOfAllSources(){return this._sections.every((function(e){return e.consumer.hasContentsOfAllSources()}))};IndexedSourceMapConsumer.prototype.sourceContentFor=function IndexedSourceMapConsumer_sourceContentFor(e,r){for(var n=0;n<this._sections.length;n++){var t=this._sections[n];var o=t.consumer.sourceContentFor(e,true);if(o){return o}}if(r){return null}else{throw new Error('"'+e+'" is not in the SourceMap.')}};IndexedSourceMapConsumer.prototype.generatedPositionFor=function IndexedSourceMapConsumer_generatedPositionFor(e){for(var r=0;r<this._sections.length;r++){var n=this._sections[r];if(n.consumer._findSourceIndex(o.getArg(e,"source"))===-1){continue}var t=n.consumer.generatedPositionFor(e);if(t){var i={line:t.line+(n.generatedOffset.generatedLine-1),column:t.column+(n.generatedOffset.generatedLine===t.line?n.generatedOffset.generatedColumn-1:0)};return i}}return{line:null,column:null}};IndexedSourceMapConsumer.prototype._parseMappings=function IndexedSourceMapConsumer_parseMappings(e,r){this.__generatedMappings=[];this.__originalMappings=[];for(var n=0;n<this._sections.length;n++){var t=this._sections[n];var i=t.consumer._generatedMappings;for(var a=0;a<i.length;a++){var u=i[a];var l=t.consumer._sources.at(u.source);l=o.computeSourceURL(t.consumer.sourceRoot,l,this._sourceMapURL);this._sources.add(l);l=this._sources.indexOf(l);var c=null;if(u.name){c=t.consumer._names.at(u.name);this._names.add(c);c=this._names.indexOf(c)}var p={source:l,generatedLine:u.generatedLine+(t.generatedOffset.generatedLine-1),generatedColumn:u.generatedColumn+(t.generatedOffset.generatedLine===u.generatedLine?t.generatedOffset.generatedColumn-1:0),originalLine:u.originalLine,originalColumn:u.originalColumn,name:c};this.__generatedMappings.push(p);if(typeof p.originalLine==="number"){this.__originalMappings.push(p)}}}s(this.__generatedMappings,o.compareByGeneratedPositionsDeflated);s(this.__originalMappings,o.compareByOriginalPositions)};t=IndexedSourceMapConsumer},591:(e,r,n)=>{var t=n(449);var o=n(339);var i=n(274).I;var a=n(680).H;function SourceMapGenerator(e){if(!e){e={}}this._file=o.getArg(e,"file",null);this._sourceRoot=o.getArg(e,"sourceRoot",null);this._skipValidation=o.getArg(e,"skipValidation",false);this._sources=new i;this._names=new i;this._mappings=new a;this._sourcesContents=null}SourceMapGenerator.prototype._version=3;SourceMapGenerator.fromSourceMap=function SourceMapGenerator_fromSourceMap(e){var r=e.sourceRoot;var n=new SourceMapGenerator({file:e.file,sourceRoot:r});e.eachMapping((function(e){var t={generated:{line:e.generatedLine,column:e.generatedColumn}};if(e.source!=null){t.source=e.source;if(r!=null){t.source=o.relative(r,t.source)}t.original={line:e.originalLine,column:e.originalColumn};if(e.name!=null){t.name=e.name}}n.addMapping(t)}));e.sources.forEach((function(t){var i=t;if(r!==null){i=o.relative(r,t)}if(!n._sources.has(i)){n._sources.add(i)}var a=e.sourceContentFor(t);if(a!=null){n.setSourceContent(t,a)}}));return n};SourceMapGenerator.prototype.addMapping=function SourceMapGenerator_addMapping(e){var r=o.getArg(e,"generated");var n=o.getArg(e,"original",null);var t=o.getArg(e,"source",null);var i=o.getArg(e,"name",null);if(!this._skipValidation){this._validateMapping(r,n,t,i)}if(t!=null){t=String(t);if(!this._sources.has(t)){this._sources.add(t)}}if(i!=null){i=String(i);if(!this._names.has(i)){this._names.add(i)}}this._mappings.add({generatedLine:r.line,generatedColumn:r.column,originalLine:n!=null&&n.line,originalColumn:n!=null&&n.column,source:t,name:i})};SourceMapGenerator.prototype.setSourceContent=function SourceMapGenerator_setSourceContent(e,r){var n=e;if(this._sourceRoot!=null){n=o.relative(this._sourceRoot,n)}if(r!=null){if(!this._sourcesContents){this._sourcesContents=Object.create(null)}this._sourcesContents[o.toSetString(n)]=r}else if(this._sourcesContents){delete this._sourcesContents[o.toSetString(n)];if(Object.keys(this._sourcesContents).length===0){this._sourcesContents=null}}};SourceMapGenerator.prototype.applySourceMap=function SourceMapGenerator_applySourceMap(e,r,n){var t=r;if(r==null){if(e.file==null){throw new Error("SourceMapGenerator.prototype.applySourceMap requires either an explicit source file, "+'or the source map\'s "file" property. Both were omitted.')}t=e.file}var a=this._sourceRoot;if(a!=null){t=o.relative(a,t)}var u=new i;var s=new i;this._mappings.unsortedForEach((function(r){if(r.source===t&&r.originalLine!=null){var i=e.originalPositionFor({line:r.originalLine,column:r.originalColumn});if(i.source!=null){r.source=i.source;if(n!=null){r.source=o.join(n,r.source)}if(a!=null){r.source=o.relative(a,r.source)}r.originalLine=i.line;r.originalColumn=i.column;if(i.name!=null){r.name=i.name}}}var l=r.source;if(l!=null&&!u.has(l)){u.add(l)}var c=r.name;if(c!=null&&!s.has(c)){s.add(c)}}),this);this._sources=u;this._names=s;e.sources.forEach((function(r){var t=e.sourceContentFor(r);if(t!=null){if(n!=null){r=o.join(n,r)}if(a!=null){r=o.relative(a,r)}this.setSourceContent(r,t)}}),this)};SourceMapGenerator.prototype._validateMapping=function SourceMapGenerator_validateMapping(e,r,n,t){if(r&&typeof r.line!=="number"&&typeof r.column!=="number"){throw new Error("original.line and original.column are not numbers -- you probably meant to omit "+"the original mapping entirely and only map the generated position. If so, pass "+"null for the original mapping instead of an object with empty or null values.")}if(e&&"line"in e&&"column"in e&&e.line>0&&e.column>=0&&!r&&!n&&!t){return}else if(e&&"line"in e&&"column"in e&&r&&"line"in r&&"column"in r&&e.line>0&&e.column>=0&&r.line>0&&r.column>=0&&n){return}else{throw new Error("Invalid mapping: "+JSON.stringify({generated:e,source:n,original:r,name:t}))}};SourceMapGenerator.prototype._serializeMappings=function SourceMapGenerator_serializeMappings(){var e=0;var r=1;var n=0;var i=0;var a=0;var u=0;var s="";var l;var c;var p;var f;var g=this._mappings.toArray();for(var h=0,d=g.length;h<d;h++){c=g[h];l="";if(c.generatedLine!==r){e=0;while(c.generatedLine!==r){l+=";";r++}}else{if(h>0){if(!o.compareByGeneratedPositionsInflated(c,g[h-1])){continue}l+=","}}l+=t.encode(c.generatedColumn-e);e=c.generatedColumn;if(c.source!=null){f=this._sources.indexOf(c.source);l+=t.encode(f-u);u=f;l+=t.encode(c.originalLine-1-i);i=c.originalLine-1;l+=t.encode(c.originalColumn-n);n=c.originalColumn;if(c.name!=null){p=this._names.indexOf(c.name);l+=t.encode(p-a);a=p}}s+=l}return s};SourceMapGenerator.prototype._generateSourcesContent=function SourceMapGenerator_generateSourcesContent(e,r){return e.map((function(e){if(!this._sourcesContents){return null}if(r!=null){e=o.relative(r,e)}var n=o.toSetString(e);return Object.prototype.hasOwnProperty.call(this._sourcesContents,n)?this._sourcesContents[n]:null}),this)};SourceMapGenerator.prototype.toJSON=function SourceMapGenerator_toJSON(){var e={version:this._version,sources:this._sources.toArray(),names:this._names.toArray(),mappings:this._serializeMappings()};if(this._file!=null){e.file=this._file}if(this._sourceRoot!=null){e.sourceRoot=this._sourceRoot}if(this._sourcesContents){e.sourcesContent=this._generateSourcesContent(e.sources,e.sourceRoot)}return e};SourceMapGenerator.prototype.toString=function SourceMapGenerator_toString(){return JSON.stringify(this.toJSON())};r.h=SourceMapGenerator},351:(e,r,n)=>{var t;var o=n(591).h;var i=n(339);var a=/(\r?\n)/;var u=10;var s="$$$isSourceNode$$$";function SourceNode(e,r,n,t,o){this.children=[];this.sourceContents={};this.line=e==null?null:e;this.column=r==null?null:r;this.source=n==null?null:n;this.name=o==null?null:o;this[s]=true;if(t!=null)this.add(t)}SourceNode.fromStringWithSourceMap=function SourceNode_fromStringWithSourceMap(e,r,n){var t=new SourceNode;var o=e.split(a);var u=0;var shiftNextLine=function(){var e=getNextLine();var r=getNextLine()||"";return e+r;function getNextLine(){return u<o.length?o[u++]:undefined}};var s=1,l=0;var c=null;r.eachMapping((function(e){if(c!==null){if(s<e.generatedLine){addMappingWithCode(c,shiftNextLine());s++;l=0}else{var r=o[u]||"";var n=r.substr(0,e.generatedColumn-l);o[u]=r.substr(e.generatedColumn-l);l=e.generatedColumn;addMappingWithCode(c,n);c=e;return}}while(s<e.generatedLine){t.add(shiftNextLine());s++}if(l<e.generatedColumn){var r=o[u]||"";t.add(r.substr(0,e.generatedColumn));o[u]=r.substr(e.generatedColumn);l=e.generatedColumn}c=e}),this);if(u<o.length){if(c){addMappingWithCode(c,shiftNextLine())}t.add(o.splice(u).join(""))}r.sources.forEach((function(e){var o=r.sourceContentFor(e);if(o!=null){if(n!=null){e=i.join(n,e)}t.setSourceContent(e,o)}}));return t;function addMappingWithCode(e,r){if(e===null||e.source===undefined){t.add(r)}else{var o=n?i.join(n,e.source):e.source;t.add(new SourceNode(e.originalLine,e.originalColumn,o,r,e.name))}}};SourceNode.prototype.add=function SourceNode_add(e){if(Array.isArray(e)){e.forEach((function(e){this.add(e)}),this)}else if(e[s]||typeof e==="string"){if(e){this.children.push(e)}}else{throw new TypeError("Expected a SourceNode, string, or an array of SourceNodes and strings. Got "+e)}return this};SourceNode.prototype.prepend=function SourceNode_prepend(e){if(Array.isArray(e)){for(var r=e.length-1;r>=0;r--){this.prepend(e[r])}}else if(e[s]||typeof e==="string"){this.children.unshift(e)}else{throw new TypeError("Expected a SourceNode, string, or an array of SourceNodes and strings. Got "+e)}return this};SourceNode.prototype.walk=function SourceNode_walk(e){var r;for(var n=0,t=this.children.length;n<t;n++){r=this.children[n];if(r[s]){r.walk(e)}else{if(r!==""){e(r,{source:this.source,line:this.line,column:this.column,name:this.name})}}}};SourceNode.prototype.join=function SourceNode_join(e){var r;var n;var t=this.children.length;if(t>0){r=[];for(n=0;n<t-1;n++){r.push(this.children[n]);r.push(e)}r.push(this.children[n]);this.children=r}return this};SourceNode.prototype.replaceRight=function SourceNode_replaceRight(e,r){var n=this.children[this.children.length-1];if(n[s]){n.replaceRight(e,r)}else if(typeof n==="string"){this.children[this.children.length-1]=n.replace(e,r)}else{this.children.push("".replace(e,r))}return this};SourceNode.prototype.setSourceContent=function SourceNode_setSourceContent(e,r){this.sourceContents[i.toSetString(e)]=r};SourceNode.prototype.walkSourceContents=function SourceNode_walkSourceContents(e){for(var r=0,n=this.children.length;r<n;r++){if(this.children[r][s]){this.children[r].walkSourceContents(e)}}var t=Object.keys(this.sourceContents);for(var r=0,n=t.length;r<n;r++){e(i.fromSetString(t[r]),this.sourceContents[t[r]])}};SourceNode.prototype.toString=function SourceNode_toString(){var e="";this.walk((function(r){e+=r}));return e};SourceNode.prototype.toStringWithSourceMap=function SourceNode_toStringWithSourceMap(e){var r={code:"",line:1,column:0};var n=new o(e);var t=false;var i=null;var a=null;var s=null;var l=null;this.walk((function(e,o){r.code+=e;if(o.source!==null&&o.line!==null&&o.column!==null){if(i!==o.source||a!==o.line||s!==o.column||l!==o.name){n.addMapping({source:o.source,original:{line:o.line,column:o.column},generated:{line:r.line,column:r.column},name:o.name})}i=o.source;a=o.line;s=o.column;l=o.name;t=true}else if(t){n.addMapping({generated:{line:r.line,column:r.column}});i=null;t=false}for(var c=0,p=e.length;c<p;c++){if(e.charCodeAt(c)===u){r.line++;r.column=0;if(c+1===p){i=null;t=false}else if(t){n.addMapping({source:o.source,original:{line:o.line,column:o.column},generated:{line:r.line,column:r.column},name:o.name})}}else{r.column++}}}));this.walkSourceContents((function(e,r){n.setSourceContent(e,r)}));return{code:r.code,map:n}};t=SourceNode},339:(e,r)=>{function getArg(e,r,n){if(r in e){return e[r]}else if(arguments.length===3){return n}else{throw new Error('"'+r+'" is a required argument.')}}r.getArg=getArg;var n=/^(?:([\w+\-.]+):)?\/\/(?:(\w+:\w+)@)?([\w.-]*)(?::(\d+))?(.*)$/;var t=/^data:.+\,.+$/;function urlParse(e){var r=e.match(n);if(!r){return null}return{scheme:r[1],auth:r[2],host:r[3],port:r[4],path:r[5]}}r.urlParse=urlParse;function urlGenerate(e){var r="";if(e.scheme){r+=e.scheme+":"}r+="//";if(e.auth){r+=e.auth+"@"}if(e.host){r+=e.host}if(e.port){r+=":"+e.port}if(e.path){r+=e.path}return r}r.urlGenerate=urlGenerate;function normalize(e){var n=e;var t=urlParse(e);if(t){if(!t.path){return e}n=t.path}var o=r.isAbsolute(n);var i=n.split(/\/+/);for(var a,u=0,s=i.length-1;s>=0;s--){a=i[s];if(a==="."){i.splice(s,1)}else if(a===".."){u++}else if(u>0){if(a===""){i.splice(s+1,u);u=0}else{i.splice(s,2);u--}}}n=i.join("/");if(n===""){n=o?"/":"."}if(t){t.path=n;return urlGenerate(t)}return n}r.normalize=normalize;function join(e,r){if(e===""){e="."}if(r===""){r="."}var n=urlParse(r);var o=urlParse(e);if(o){e=o.path||"/"}if(n&&!n.scheme){if(o){n.scheme=o.scheme}return urlGenerate(n)}if(n||r.match(t)){return r}if(o&&!o.host&&!o.path){o.host=r;return urlGenerate(o)}var i=r.charAt(0)==="/"?r:normalize(e.replace(/\/+$/,"")+"/"+r);if(o){o.path=i;return urlGenerate(o)}return i}r.join=join;r.isAbsolute=function(e){return e.charAt(0)==="/"||n.test(e)};function relative(e,r){if(e===""){e="."}e=e.replace(/\/$/,"");var n=0;while(r.indexOf(e+"/")!==0){var t=e.lastIndexOf("/");if(t<0){return r}e=e.slice(0,t);if(e.match(/^([^\/]+:\/)?\/*$/)){return r}++n}return Array(n+1).join("../")+r.substr(e.length+1)}r.relative=relative;var o=function(){var e=Object.create(null);return!("__proto__"in e)}();function identity(e){return e}function toSetString(e){if(isProtoString(e)){return"$"+e}return e}r.toSetString=o?identity:toSetString;function fromSetString(e){if(isProtoString(e)){return e.slice(1)}return e}r.fromSetString=o?identity:fromSetString;function isProtoString(e){if(!e){return false}var r=e.length;if(r<9){return false}if(e.charCodeAt(r-1)!==95||e.charCodeAt(r-2)!==95||e.charCodeAt(r-3)!==111||e.charCodeAt(r-4)!==116||e.charCodeAt(r-5)!==111||e.charCodeAt(r-6)!==114||e.charCodeAt(r-7)!==112||e.charCodeAt(r-8)!==95||e.charCodeAt(r-9)!==95){return false}for(var n=r-10;n>=0;n--){if(e.charCodeAt(n)!==36){return false}}return true}function compareByOriginalPositions(e,r,n){var t=strcmp(e.source,r.source);if(t!==0){return t}t=e.originalLine-r.originalLine;if(t!==0){return t}t=e.originalColumn-r.originalColumn;if(t!==0||n){return t}t=e.generatedColumn-r.generatedColumn;if(t!==0){return t}t=e.generatedLine-r.generatedLine;if(t!==0){return t}return strcmp(e.name,r.name)}r.compareByOriginalPositions=compareByOriginalPositions;function compareByGeneratedPositionsDeflated(e,r,n){var t=e.generatedLine-r.generatedLine;if(t!==0){return t}t=e.generatedColumn-r.generatedColumn;if(t!==0||n){return t}t=strcmp(e.source,r.source);if(t!==0){return t}t=e.originalLine-r.originalLine;if(t!==0){return t}t=e.originalColumn-r.originalColumn;if(t!==0){return t}return strcmp(e.name,r.name)}r.compareByGeneratedPositionsDeflated=compareByGeneratedPositionsDeflated;function strcmp(e,r){if(e===r){return 0}if(e===null){return 1}if(r===null){return-1}if(e>r){return 1}return-1}function compareByGeneratedPositionsInflated(e,r){var n=e.generatedLine-r.generatedLine;if(n!==0){return n}n=e.generatedColumn-r.generatedColumn;if(n!==0){return n}n=strcmp(e.source,r.source);if(n!==0){return n}n=e.originalLine-r.originalLine;if(n!==0){return n}n=e.originalColumn-r.originalColumn;if(n!==0){return n}return strcmp(e.name,r.name)}r.compareByGeneratedPositionsInflated=compareByGeneratedPositionsInflated;function parseSourceMapInput(e){return JSON.parse(e.replace(/^\)]}'[^\n]*\n/,""))}r.parseSourceMapInput=parseSourceMapInput;function computeSourceURL(e,r,n){r=r||"";if(e){if(e[e.length-1]!=="/"&&r[0]!=="/"){e+="/"}r=e+r}if(n){var t=urlParse(n);if(!t){throw new Error("sourceMapURL could not be parsed")}if(t.path){var o=t.path.lastIndexOf("/");if(o>=0){t.path=t.path.substring(0,o+1)}}r=join(urlGenerate(t),r)}return normalize(r)}r.computeSourceURL=computeSourceURL},997:(e,r,n)=>{n(591).h;r.SourceMapConsumer=n(952).SourceMapConsumer;n(351)},284:(e,r,n)=>{e=n.nmd(e);var t=n(997).SourceMapConsumer;var o=n(17);var i;try{i=n(147);if(!i.existsSync||!i.readFileSync){i=null}}catch(e){}var a=n(650);function dynamicRequire(e,r){return e.require(r)}var u=false;var s=false;var l=false;var c="auto";var p={};var f={};var g=/^data:application\/json[^,]+base64,/;var h=[];var d=[];function isInBrowser(){if(c==="browser")return true;if(c==="node")return false;return typeof window!=="undefined"&&typeof XMLHttpRequest==="function"&&!(window.require&&window.module&&window.process&&window.process.type==="renderer")}function hasGlobalProcessEventEmitter(){return typeof process==="object"&&process!==null&&typeof process.on==="function"}function globalProcessVersion(){if(typeof process==="object"&&process!==null){return process.version}else{return""}}function globalProcessStderr(){if(typeof process==="object"&&process!==null){return process.stderr}}function globalProcessExit(e){if(typeof process==="object"&&process!==null&&typeof process.exit==="function"){return process.exit(e)}}function handlerExec(e){return function(r){for(var n=0;n<e.length;n++){var t=e[n](r);if(t){return t}}return null}}var m=handlerExec(h);h.push((function(e){e=e.trim();if(/^file:/.test(e)){e=e.replace(/file:\/\/\/(\w:)?/,(function(e,r){return r?"":"/"}))}if(e in p){return p[e]}var r="";try{if(!i){var n=new XMLHttpRequest;n.open("GET",e,false);n.send(null);if(n.readyState===4&&n.status===200){r=n.responseText}}else if(i.existsSync(e)){r=i.readFileSync(e,"utf8")}}catch(e){}return p[e]=r}));function supportRelativeURL(e,r){if(!e)return r;var n=o.dirname(e);var t=/^\w+:\/\/[^\/]*/.exec(n);var i=t?t[0]:"";var a=n.slice(i.length);if(i&&/^\/\w\:/.test(a)){i+="/";return i+o.resolve(n.slice(i.length),r).replace(/\\/g,"/")}return i+o.resolve(n.slice(i.length),r)}function retrieveSourceMapURL(e){var r;if(isInBrowser()){try{var n=new XMLHttpRequest;n.open("GET",e,false);n.send(null);r=n.readyState===4?n.responseText:null;var t=n.getResponseHeader("SourceMap")||n.getResponseHeader("X-SourceMap");if(t){return t}}catch(e){}}r=m(e);var o=/(?:\/\/[@#][\s]*sourceMappingURL=([^\s'"]+)[\s]*$)|(?:\/\*[@#][\s]*sourceMappingURL=([^\s*'"]+)[\s]*(?:\*\/)[\s]*$)/gm;var i,a;while(a=o.exec(r))i=a;if(!i)return null;return i[1]}var v=handlerExec(d);d.push((function(e){var r=retrieveSourceMapURL(e);if(!r)return null;var n;if(g.test(r)){var t=r.slice(r.indexOf(",")+1);n=a(t,"base64").toString();r=e}else{r=supportRelativeURL(e,r);n=m(r)}if(!n){return null}return{url:r,map:n}}));function mapSourcePosition(e){var r=f[e.source];if(!r){var n=v(e.source);if(n){r=f[e.source]={url:n.url,map:new t(n.map)};if(r.map.sourcesContent){r.map.sources.forEach((function(e,n){var t=r.map.sourcesContent[n];if(t){var o=supportRelativeURL(r.url,e);p[o]=t}}))}}else{r=f[e.source]={url:null,map:null}}}if(r&&r.map&&typeof r.map.originalPositionFor==="function"){var o=r.map.originalPositionFor(e);if(o.source!==null){o.source=supportRelativeURL(r.url,o.source);return o}}return e}function mapEvalOrigin(e){var r=/^eval at ([^(]+) \((.+):(\d+):(\d+)\)$/.exec(e);if(r){var n=mapSourcePosition({source:r[2],line:+r[3],column:r[4]-1});return"eval at "+r[1]+" ("+n.source+":"+n.line+":"+(n.column+1)+")"}r=/^eval at ([^(]+) \((.+)\)$/.exec(e);if(r){return"eval at "+r[1]+" ("+mapEvalOrigin(r[2])+")"}return e}function CallSiteToString(){var e;var r="";if(this.isNative()){r="native"}else{e=this.getScriptNameOrSourceURL();if(!e&&this.isEval()){r=this.getEvalOrigin();r+=", "}if(e){r+=e}else{r+="<anonymous>"}var n=this.getLineNumber();if(n!=null){r+=":"+n;var t=this.getColumnNumber();if(t){r+=":"+t}}}var o="";var i=this.getFunctionName();var a=true;var u=this.isConstructor();var s=!(this.isToplevel()||u);if(s){var l=this.getTypeName();if(l==="[object Object]"){l="null"}var c=this.getMethodName();if(i){if(l&&i.indexOf(l)!=0){o+=l+"."}o+=i;if(c&&i.indexOf("."+c)!=i.length-c.length-1){o+=" [as "+c+"]"}}else{o+=l+"."+(c||"<anonymous>")}}else if(u){o+="new "+(i||"<anonymous>")}else if(i){o+=i}else{o+=r;a=false}if(a){o+=" ("+r+")"}return o}function cloneCallSite(e){var r={};Object.getOwnPropertyNames(Object.getPrototypeOf(e)).forEach((function(n){r[n]=/^(?:is|get)/.test(n)?function(){return e[n].call(e)}:e[n]}));r.toString=CallSiteToString;return r}function wrapCallSite(e,r){if(r===undefined){r={nextPosition:null,curPosition:null}}if(e.isNative()){r.curPosition=null;return e}var n=e.getFileName()||e.getScriptNameOrSourceURL();if(n){var t=e.getLineNumber();var o=e.getColumnNumber()-1;var i=/^v(10\.1[6-9]|10\.[2-9][0-9]|10\.[0-9]{3,}|1[2-9]\d*|[2-9]\d|\d{3,}|11\.11)/;var a=i.test(globalProcessVersion())?0:62;if(t===1&&o>a&&!isInBrowser()&&!e.isEval()){o-=a}var u=mapSourcePosition({source:n,line:t,column:o});r.curPosition=u;e=cloneCallSite(e);var s=e.getFunctionName;e.getFunctionName=function(){if(r.nextPosition==null){return s()}return r.nextPosition.name||s()};e.getFileName=function(){return u.source};e.getLineNumber=function(){return u.line};e.getColumnNumber=function(){return u.column+1};e.getScriptNameOrSourceURL=function(){return u.source};return e}var l=e.isEval()&&e.getEvalOrigin();if(l){l=mapEvalOrigin(l);e=cloneCallSite(e);e.getEvalOrigin=function(){return l};return e}return e}function prepareStackTrace(e,r){if(l){p={};f={}}var n=e.name||"Error";var t=e.message||"";var o=n+": "+t;var i={nextPosition:null,curPosition:null};var a=[];for(var u=r.length-1;u>=0;u--){a.push("\n at "+wrapCallSite(r[u],i));i.nextPosition=i.curPosition}i.curPosition=i.nextPosition=null;return o+a.reverse().join("")}function getErrorSource(e){var r=/\n at [^(]+ \((.*):(\d+):(\d+)\)/.exec(e.stack);if(r){var n=r[1];var t=+r[2];var o=+r[3];var a=p[n];if(!a&&i&&i.existsSync(n)){try{a=i.readFileSync(n,"utf8")}catch(e){a=""}}if(a){var u=a.split(/(?:\r\n|\r|\n)/)[t-1];if(u){return n+":"+t+"\n"+u+"\n"+new Array(o).join(" ")+"^"}}}return null}function printErrorAndExit(e){var r=getErrorSource(e);var n=globalProcessStderr();if(n&&n._handle&&n._handle.setBlocking){n._handle.setBlocking(true)}if(r){console.error();console.error(r)}console.error(e.stack);globalProcessExit(1)}function shimEmitUncaughtException(){var e=process.emit;process.emit=function(r){if(r==="uncaughtException"){var n=arguments[1]&&arguments[1].stack;var t=this.listeners(r).length>0;if(n&&!t){return printErrorAndExit(arguments[1])}}return e.apply(this,arguments)}}var S=h.slice(0);var _=d.slice(0);r.wrapCallSite=wrapCallSite;r.getErrorSource=getErrorSource;r.mapSourcePosition=mapSourcePosition;r.retrieveSourceMap=v;r.install=function(r){r=r||{};if(r.environment){c=r.environment;if(["node","browser","auto"].indexOf(c)===-1){throw new Error("environment "+c+" was unknown. Available options are {auto, browser, node}")}}if(r.retrieveFile){if(r.overrideRetrieveFile){h.length=0}h.unshift(r.retrieveFile)}if(r.retrieveSourceMap){if(r.overrideRetrieveSourceMap){d.length=0}d.unshift(r.retrieveSourceMap)}if(r.hookRequire&&!isInBrowser()){var n=dynamicRequire(e,"module");var t=n.prototype._compile;if(!t.__sourceMapSupport){n.prototype._compile=function(e,r){p[r]=e;f[r]=undefined;return t.call(this,e,r)};n.prototype._compile.__sourceMapSupport=true}}if(!l){l="emptyCacheBetweenOperations"in r?r.emptyCacheBetweenOperations:false}if(!u){u=true;Error.prepareStackTrace=prepareStackTrace}if(!s){var o="handleUncaughtExceptions"in r?r.handleUncaughtExceptions:true;try{var i=dynamicRequire(e,"worker_threads");if(i.isMainThread===false){o=false}}catch(e){}if(o&&hasGlobalProcessEventEmitter()){s=true;shimEmitUncaughtException()}}};r.resetRetrieveHandlers=function(){h.length=0;d.length=0;h=S.slice(0);d=_.slice(0);v=handlerExec(d);m=handlerExec(h)}},147:e=>{"use strict";e.exports=require("fs")},17:e=>{"use strict";e.exports=require("path")}};var r={};function __webpack_require__(n){var t=r[n];if(t!==undefined){return t.exports}var o=r[n]={id:n,loaded:false,exports:{}};var i=true;try{e[n](o,o.exports,__webpack_require__);i=false}finally{if(i)delete r[n]}o.loaded=true;return o.exports}(()=>{__webpack_require__.nmd=e=>{e.paths=[];if(!e.children)e.children=[];return e}})();if(typeof __webpack_require__!=="undefined")__webpack_require__.ab=__dirname+"/";var n={};(()=>{__webpack_require__(284).install()})();module.exports=n})();

Check failure

Code scanning / CodeQL

Incorrect suffix check High

This suffix check is missing a length comparison to correctly handle indexOf returning -1.
@ramonpetgrave64
Copy link
Collaborator Author

LGTM overall. Can we create a dedicated action for the detection of self-hosted runners? It will make the code more re-usable when we need it.

I think you're right. And it should be easier to write a e2e test for that way

I've added it as a separate action. Still w work-in-progress, however, until we can get a good e2e story.

@ramonpetgrave64
Copy link
Collaborator Author

ramonpetgrave64 commented Aug 29, 2024

I found a way by scanning workflow logs, plus a new runner.environment context we should probably use in all our workflows.

@ianlewis
Copy link
Member

I found a way by scanning workflow logs, plus a new runner.environment context we should probably use in all our workflows.

Yeah, I think runner.environment is really what we are looking for. I seem to remember that a job looking up its own logs was problematic for some reason but I might be mistaken as I can't remember specifics.

@ramonpetgrave64
Copy link
Collaborator Author

After trying out the context, I see it only works at the step level, and not at the job level. This means we can prevent accidental uses of self-hosted runners. But to try to fail the job, I think will always require an execution of the ‘run’ on the runner, like ‘exit 1’. If the runner was truly malicious, then running that command is a self-certification.

At best, I found that a separate job that performs the signing can examine the logs of the job that performs the build. And then the verifier can examine the certificate/oidc claims to assert that the signing job’s runner was github-hosted. This then implies that the build job’s runner was github-hosted.

@ianlewis
Copy link
Member

ianlewis commented Sep 1, 2024

After trying out the context, I see it only works at the step level, and not at the job level. This means we can prevent accidental uses of self-hosted runners. But to try to fail the job, I think will always require an execution of the ‘run’ on the runner, like ‘exit 1’. If the runner was truly malicious, then running that command is a self-certification.

At best, I found that a separate job that performs the signing can examine the logs of the job that performs the build. And then the verifier can examine the certificate/oidc claims to assert that the signing job’s runner was github-hosted. This then implies that the build job’s runner was github-hosted.

I wonder if we can use if: {{ runner.environment }} == "github-hosted" and check to see that the job has run? Or maybe we need to put that check on every job that we run?

Regardless I think we should add that check to the verifier too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[feature] Generator build level
5 participants