feat: add sanitize function dynamic labels

Author: edersonbrilhante

examples/default/main.tf

@@ -51,7 +51,9 @@ module "runners" {
   # runners_lambda_zip                = "../lambdas-download/runners.zip"
 
   enable_organization_runners = true
-  runner_extra_labels         = ["default", "example"]
+  # Note: labels starting with `ghr-` are ignored during webhook label matching
+  # when `enable_dynamic_labels` is enabled.
+  runner_extra_labels = ["default", "example"]
 
   # enable access to the runners via SSM
   enable_ssm_on_runners = true

examples/multi-runner/main.tf

@@ -157,7 +157,8 @@ module "runners" {
   #   }
   # }
 
-  # Enable dyamic lables
+  # Enable dynamic labels
+  # When enabled, labels starting with `ghr-` are ignored during webhook label matching.
   # enable_dynamic_labels = true
 }
 

lambdas/functions/webhook/src/runners/dispatch.test.ts

@@ -216,18 +216,79 @@ describe('Dispatcher', () => {
       expect(canRunJob(workflowLabels, runnerLabels, true, false)).toBe(false);
     });
 
-    it('should filter out ghr- and ghr-run- labels when enableDynamicLabels is true.', () => {
+    it('should filter out ghr- labels when enableDynamicLabels is true.', () => {
       const workflowLabels = ['self-hosted', 'linux', 'x64', 'ghr-ec2-instance-type:t3.large', 'ghr-run-id:12345'];
       const runnerLabels = [['self-hosted', 'linux', 'x64']];
       expect(canRunJob(workflowLabels, runnerLabels, true, true)).toBe(true);
     });
 
-    it('should NOT filter out ghr- and ghr-run- labels when enableDynamicLabels is false.', () => {
+    it('should NOT filter out ghr- labels when enableDynamicLabels is false.', () => {
       const workflowLabels = ['self-hosted', 'linux', 'x64', 'ghr-ec2-instance-type:t3.large'];
       const runnerLabels = [['self-hosted', 'linux', 'x64']];
       expect(canRunJob(workflowLabels, runnerLabels, true, false)).toBe(false);
     });
   });
+
+  describe('sanitizeGhrLabels (via canRunJob with enableDynamicLabels=true)', () => {
+    it('should keep valid ghr- labels with allowed characters (alphanumeric, dot, dash, colon, slash)', () => {
+      const workflowLabels = ['self-hosted', 'ghr-ec2-instance-type:t3.large'];
+      const runnerLabels = [['self-hosted', 'ghr-ec2-instance-type:t3.large']];
+      expect(canRunJob(workflowLabels, runnerLabels, true, true)).toBe(true);
+    });
+
+    it('should keep ghr- labels with path-like values containing slashes', () => {
+      const workflowLabels = ['self-hosted', 'ghr-image:my/custom/image'];
+      const runnerLabels = [['self-hosted', 'ghr-image:my/custom/image']];
+      expect(canRunJob(workflowLabels, runnerLabels, true, true)).toBe(true);
+    });
+
+    it('should strip ghr- labels that exceed 128 characters', () => {
+      const longLabel = 'ghr-' + 'a'.repeat(125); // 129 chars total, exceeds 128
+      const workflowLabels = ['self-hosted', 'linux', longLabel];
+      const runnerLabels = [['self-hosted', 'linux']];
+      // Long label is stripped, remaining labels match
+      expect(canRunJob(workflowLabels, runnerLabels, true, true)).toBe(true);
+    });
+
+    it('should keep ghr- labels that are exactly 128 characters', () => {
+      const exactLabel = 'ghr-' + 'a'.repeat(124); // exactly 128 chars
+      const workflowLabels = ['self-hosted', exactLabel];
+      const runnerLabels = [['self-hosted', exactLabel]];
+      expect(canRunJob(workflowLabels, runnerLabels, true, true)).toBe(true);
+    });
+
+    it('should strip ghr- labels with invalid characters (spaces)', () => {
+      const workflowLabels = ['self-hosted', 'linux', 'ghr-bad label'];
+      const runnerLabels = [['self-hosted', 'linux']];
+      // Invalid label is stripped, remaining labels match
+      expect(canRunJob(workflowLabels, runnerLabels, true, true)).toBe(true);
+    });
+
+    it('should strip ghr- labels with invalid characters (special chars)', () => {
+      const workflowLabels = ['self-hosted', 'linux', 'ghr-inject;rm -rf'];
+      const runnerLabels = [['self-hosted', 'linux']];
+      expect(canRunJob(workflowLabels, runnerLabels, true, true)).toBe(true);
+    });
+
+    it('should never strip non-ghr labels regardless of content', () => {
+      const workflowLabels = ['self-hosted', 'linux', 'x64'];
+      const runnerLabels = [['self-hosted', 'linux', 'x64']];
+      expect(canRunJob(workflowLabels, runnerLabels, true, true)).toBe(true);
+    });
+
+    it('should handle a mix of valid ghr-, invalid ghr-, and regular labels', () => {
+      const longLabel = 'ghr-' + 'x'.repeat(125); // 129 chars, will be stripped
+      const workflowLabels = [
+        'self-hosted',
+        'linux',
+        'ghr-valid:value',        // valid, kept
+        'ghr-bad label',           // invalid chars, stripped
+        longLabel,                 // too long, stripped
+      ];
+      const runnerLabels = [['self-hosted', 'linux', 'ghr-valid:value']];
+      expect(canRunJob(workflowLabels, runnerLabels, true, true)).toBe(true);
+    });
+  });
 });
 
 function mockSSMResponse(runnerConfigInput?: RunnerConfig) {

lambdas/functions/webhook/src/runners/dispatch.ts

@@ -85,24 +85,43 @@ async function handleWorkflowJob(
   return { statusCode: 202, body: notAcceptedErrorMsg };
 }
 
+function sanitizeGhrLabels(labels: string[]): string[] {
+  const GHR_LABEL_MAX_LENGTH = 128;
+  const GHR_LABEL_VALUE_PATTERN = /^[a-zA-Z0-9._/\-:]+$/;
+
+  return labels
+    .map((label) => {
+      if (!label.startsWith('ghr-')) return label;
+
+      if (label.length > GHR_LABEL_MAX_LENGTH) {
+        logger.warn('Dynamic label exceeds max length, stripping', { label: label.substring(0, 40) });
+        return null;
+      }
+      if (!GHR_LABEL_VALUE_PATTERN.test(label)) {
+        logger.warn('Dynamic label contains invalid characters, stripping', { label });
+        return null;
+      }
+      return null;
+    })
+    .filter((l): l is string => l !== null);
+}
+
 export function canRunJob(
   workflowJobLabels: string[],
   runnerLabelsMatchers: string[][],
   workflowLabelCheckAll: boolean,
   enableDynamicLabels: boolean,
 ): boolean {
-  // Filter out ghr- and ghr-run- labels only if dynamic labels config is enabled
-  const filteredLabels = enableDynamicLabels
-    ? workflowJobLabels.filter((label) => !label.startsWith('ghr-'))
-    : workflowJobLabels;
+  // Filter out ghr- labels only and sanitize them if dynamic labels is enabled, otherwise keep all labels as is for matching.
+  const sanitizedLabels = enableDynamicLabels ? sanitizeGhrLabels(workflowJobLabels) : workflowJobLabels;
 
   runnerLabelsMatchers = runnerLabelsMatchers.map((runnerLabel) => {
     return runnerLabel.map((label) => label.toLowerCase());
   });
   const matchLabels = workflowLabelCheckAll
-    ? runnerLabelsMatchers.some((rl) => filteredLabels.every((wl) => rl.includes(wl.toLowerCase())))
-    : runnerLabelsMatchers.some((rl) => filteredLabels.some((wl) => rl.includes(wl.toLowerCase())));
-  const match = filteredLabels.length === 0 ? !matchLabels : matchLabels;
+    ? runnerLabelsMatchers.some((rl) => sanitizedLabels.every((wl) => rl.includes(wl.toLowerCase())))
+    : runnerLabelsMatchers.some((rl) => sanitizedLabels.some((wl) => rl.includes(wl.toLowerCase())));
+  const match = sanitizedLabels.length === 0 ? !matchLabels : matchLabels;
 
   logger.debug(
     `Received workflow job event with labels: '${JSON.stringify(workflowJobLabels)}'. The event does ${

variables.tf

@@ -92,7 +92,7 @@ variable "runner_disable_default_labels" {
 }
 
 variable "runner_extra_labels" {
-  description = "Extra (custom) labels for the runners (GitHub). Separate each label by a comma. Labels checks on the webhook can be enforced by setting `enable_workflow_job_labels_check`. GitHub read-only labels should not be provided."
+  description = "Extra (custom) labels for the runners (GitHub). Separate each label by a comma. Labels checks on the webhook can be enforced by setting `enable_workflow_job_labels_check`. GitHub read-only labels should not be provided. Note: labels starting with `ghr-` are ignored during webhook label matching when `enable_dynamic_labels` is enabled."
   type        = list(string)
   default     = []
 
@@ -674,7 +674,7 @@ variable "enable_ephemeral_runners" {
 }
 
 variable "enable_dynamic_labels" {
-  description = "Experimental! Can be removed / changed without trigger a major release. Enable dynamic EC2 configs based on workflow job labels. When enabled, jobs can request specific configs via the 'gh-ec2-<config type key>:<config type value>' label (e.g., 'gh-ec2-instance-type:t3.large')."
+  description = "Experimental! Can be removed / changed without trigger a major release. Enable dynamic EC2 configs based on workflow job labels. When enabled, jobs can request specific configs via the 'gh-ec2-<config type key>:<config type value>' label (e.g., 'gh-ec2-instance-type:t3.large'). When enabled, labels starting with `ghr-` are ignored during webhook label matching."
   type        = bool
   default     = false
 }