Merge branch 'main' into createcard

Author: xcorail

.github/actions/check/check-replication.js

@@ -11,11 +11,13 @@ const run = async (): Promise<void> => {
         core.setFailed(`Internal error. Cannot access the internal repo ${internalRepo}. Aborting`)
         return
     } else {
+        core.debug(`Retrieved ${internalIssues?.length} internal issues`)
         const externalIssues = await getIssueList(github.context.repo.owner, github.context.repo.repo, process.env['GITHUB_TOKEN'], true, true)
         if(!externalIssues) {
             core.setFailed(`Internal error when retrieving all issues.`)
             return
         }
+        core.debug(`Retrieved ${externalIssues?.length} external issues`)
         let failed = false
         externalIssues.forEach( issue => {
             const ref = internalIssueAlreadyCreated(issue?.html_url, internalIssues)

.github/actions/check/check-replication.ts

@@ -15,29 +15,35 @@ export const getIssueList = async (owner: string, repo: string, token: string |
         const octokit = new github.GitHub(token)
         const issueState: Issue_state = open? 'open' : 'all'
         // const labelFilter: string = replicate.BOUNTY_LABELS.join(',')
-        const issues = await octokit.issues.listForRepo({
-            owner, 
-            repo,
-            state: issueState,
-            per_page: per_page? per_page : 100 // TODO: implement proper pagination
-            // labels: labelFilter -- Does not work properly
-        })
-
-        issues.data.forEach(issue => {
-            const bountyLabel = checkBountyLabels? issue.labels.some(label => {
-                return replicate.BOUNTY_LABELS.includes(label.name as replicate.BountyType)
-            }) : undefined
-            if(!checkBountyLabels || bountyLabel){
-                let item: Issue_info = {
-                    title: issue.title,
-                    author: issue.user?.login,
-                    body: issue.body? issue.body : '',
-                    number: issue.number,
-                    html_url: issue.html_url
+        const issuesPerPage = per_page? per_page : 50
+        let pageNb = 0
+        do {
+            const issues = await octokit.issues.listForRepo({
+                owner, 
+                repo,
+                state: issueState,
+                per_page: issuesPerPage,
+                page: pageNb
+                // labels: labelFilter -- Does not work properly
+            })
+    
+            issues.data.forEach(issue => {
+                const bountyLabel = checkBountyLabels? issue.labels.some(label => {
+                    return replicate.BOUNTY_LABELS.includes(label.name as replicate.BountyType)
+                }) : undefined
+                if(!checkBountyLabels || bountyLabel){
+                    let item: Issue_info = {
+                        title: issue.title,
+                        author: issue.user?.login,
+                        body: issue.body? issue.body : '',
+                        number: issue.number,
+                        html_url: issue.html_url
+                    }
+                    result.push(item)
                 }
-                result.push(item)
-            }
-        });
+            });
+            pageNb = (issues.data.length < issuesPerPage)? -1 : pageNb + 1
+        } while (pageNb >= 0)
         return result
     } catch(error) {
         core.debug(error.message)

.github/actions/replicate/issues.js

@@ -11,7 +11,7 @@ type GitHubIssue = { [key: string]: any, number: number, html_url?: string | und
 
 const COMMENT_TASK_LIST_AFO = `## Task List
 
-- **If this is your first time in this process, have a look at that [5 min video](https://drive.google.com/drive/folders/1Jq6UfqP3CRF9Iafde86_IPAQPfdgH5rR)**
+- **If this is your first time in this process, have a look at that [5 min video](https://drive.google.com/file/d/1Uy3JukURoSk-2Bq7EjyagVdpsyvKI67E)**
 - **Visit the [documented process](https://github.com/github/pe-security-lab/blob/main/docs/bug_bounty.md)**
 
 - [ ] CodeQL Initial assessment - In case of rejection, please record your decision in the comment below:

.github/actions/replicate/issues.ts

@@ -1,4 +1,4 @@
-name: 'Bounty issue replication workflow'
+name: 'Bounty issue manual replication check'
 on: workflow_dispatch
 
 jobs:

.github/actions/replicate/replicate.js

@@ -1,4 +1,4 @@
-name: 'Bounty issue replication workflow'
+name: 'Bounty issue replication check'
 on: 
   schedule: 
     - cron: '0 17 * * *'

.github/actions/replicate/replicate.ts

@@ -0,0 +1,2 @@
+Created by @adityasharad, extended by @jarlob.  
+Read more on [https://securitylab.github.com/research/github-actions-untrusted-input](https://securitylab.github.com/research/github-actions-untrusted-input).