@fok666 fok666 commented Jan 18, 2026

Summary

Fixes multiple security vulnerabilities identified by GitHub CodeQL scanning and security best practices.

Changes Made

CWE-78: Command Injection Vulnerabilities Fixed

  • Quote variables in seq command to prevent word splitting
  • Quote EventId in vmss_monitor.sh with proper JSON Content-Type

Security Improvements

  • Replace deprecated apt-key with gpg --dearmor
  • Fix insecure curl piping to bash
  • Add security documentation for privileged mode and NOPASSWD sudo
  • Improve curl error handling with standardized flags
  • Quote sensitive token variables

Security Impact

  • Prevents command injection attacks (CWE-78)
  • Reduces supply chain attack risks
  • Improves shell script security posture
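
The word-splitting fix listed under CWE-78 above, as an added example that is not code from this pull request (both function names and the sample value are hypothetical). An unquoted expansion lets one value become a step and an end for `seq`; the quoted, validated form rejects it.

```shell
#!/bin/sh
# Added example; the function names and the sample input are hypothetical.

# Before: the expansion is unquoted, so the shell splits the value on
# whitespace and seq receives more arguments than the script intended.
indexes_unquoted() {
    # shellcheck disable=SC2086  # left unquoted on purpose to show the defect
    seq 1 $1
}

# After: the value is checked to be a plain non-negative integer and is
# passed to seq as exactly one argument.
indexes_quoted() {
    case "$1" in
        '' | *[!0-9]*)
            echo "count must be a whole number, got: $1" >&2
            return 2
            ;;
    esac
    seq 1 "$1"
}

# Constructed input: one variable whose value contains a space.
count="2 7"

echo "unquoted:"; indexes_unquoted "$count"          # seq 1 2 7 -> 1 3 5 7
echo "quoted:";   indexes_quoted "$count" || echo "rejected"
```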

Fernando Korndorfer added 2 commits January 18, 2026 16:26
Added a comprehensive profiles matrix documenting the five available configurations:
- full: Complete toolset with all available tools
- minimal: Lightweight profile with essential tools only
- k8s: Kubernetes-focused profile
- iac: Infrastructure as Code profile with bash-based tools
- iac-pwsh: Infrastructure as Code profile with PowerShell support
- Fix CWE-78: Quote variables in seq command to prevent command injection
- Fix CWE-78: Add proper quoting for EventId in vmss_monitor.sh
- Fix deprecated apt-key usage, replace with gpg --dearmor
- Fix insecure curl piping to bash, download scripts first
- Add security documentation for privileged mode and NOPASSWD sudo
- Improve curl error handling with standardized flags
- Quote sensitive variables to prevent word splitting
@fok666 fok666 self-assigned this Jan 18, 2026
@gemini-code-assist

Summary of Changes

Hello @fok666, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on enhancing the security posture of the codebase by addressing several identified vulnerabilities and implementing security best practices. It mitigates potential command injection risks, improves the safety of external script execution, updates package management to current secure standards, and adds crucial documentation regarding privileged operations. Additionally, it updates the README with new profile information.

Highlights

  • Command Injection Prevention (CWE-78): Addressed potential command injection vulnerabilities by quoting variables in the seq command in run.sh, ensuring proper handling of EventId with Content-Type in vmss_monitor.sh, and quoting sensitive token variables in start.sh.
  • Enhanced curl Usage for Security: Replaced insecure curl | bash patterns with safer download-to-file-then-execute methods for Azure CLI and Kustomize installations in Dockerfile. Improved curl error handling by consistently using the -f (fail-fast) flag in ec2_monitor.sh and vmss_monitor.sh.
  • Updated Package Management Best Practices: Migrated from the deprecated apt-key add to the more secure gpg --dearmor method for adding APT repositories in Dockerfile.
  • Improved Security Documentation: Added explicit security notes in Dockerfile and run.sh regarding the use of NOPASSWD:ALL for sudo and --privileged Docker mode, highlighting their implications and suggesting alternatives.
  • README Update: Introduced a new section in README.md detailing available pre-configured runner profiles.

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request significantly improves the security posture of the GitHub Actions runner images and scripts by addressing several vulnerabilities. Key changes include preventing command injection by consistently quoting variables and command substitutions, replacing the deprecated and less secure apt-key with gpg --dearmor for adding repository keys, and enhancing the safety of script execution by avoiding direct piping of curl output to bash. Additionally, important security considerations regarding NOPASSWD sudo and privileged Docker mode are now documented, providing better transparency and guidance for users. These changes align with security best practices and the repository's shell scripting guidelines, making the runners more robust against potential attacks.

Comment on lines +112 to +114
curl -sLS "https://aka.ms/InstallAzureCLIDeb" -o /tmp/install-azure-cli.sh \
&& bash /tmp/install-azure-cli.sh \
&& rm /tmp/install-azure-cli.sh \
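
Review bot: The curl call on the first line uses `-sLS` without `-f`, so an HTTP error response would still be written to /tmp/install-azure-cli.sh and handed to bash on the next line. Use `curl -fsSL` here so a failed download stops the `&&` chain, in line with the standardized curl flags the description mentions. Nothing between the download and `bash /tmp/install-azure-cli.sh` checks the file's content, so consider comparing it against a pinned SHA-256 before running it.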


high

The change from piping curl output directly to bash to first downloading the script and then executing it is a critical security improvement. This prevents potential command injection if the remote script's content were to be compromised or unexpectedly altered, as it allows for inspection before execution. This aligns with secure shell scripting practices.

    curl -sLS "https://aka.ms/InstallAzureCLIDeb" -o /tmp/install-azure-cli.sh \
    && bash /tmp/install-azure-cli.sh \
    && rm /tmp/install-azure-cli.sh
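
A download-then-execute step gains integrity only when something checks the saved file before it runs. One such check, as an added example that is not part of this pull request: `run_if_pinned` and the stand-in installer are hypothetical, and the sample files are constructed locally so no network is needed.

```shell
#!/bin/sh
# Added example; run_if_pinned and the stand-in installer are hypothetical.

# Execute FILE with bash only if its SHA-256 equals EXPECTED.
run_if_pinned() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: digest ${actual:-unreadable} is not the pinned one" >&2
        return 1
    fi
    bash "$file"
}

# Constructed stand-in for a downloaded installer script.
workdir=$(mktemp -d)
installer="$workdir/install.sh"
printf '%s\n' '#!/bin/bash' 'echo "installer ran"' > "$installer"

# In a Dockerfile the pinned value is a literal recorded after reviewing the
# script; it is computed here only because the sample file is made up.
pinned=$(sha256sum "$installer" | cut -d' ' -f1)

# Simulate the remote script changing after the digest was pinned.
tampered="$workdir/install-tampered.sh"
cp "$installer" "$tampered"
echo 'echo "unexpected extra step"' >> "$tampered"

run_if_pinned "$installer" "$pinned"          # digest matches, script runs
run_if_pinned "$tampered" "$pinned" || true   # digest differs, nothing runs
```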

- Use jq to safely construct JSON payload in vmss_monitor.sh to properly handle special characters in EventId
- Add -L flag to curl for Kustomize download to follow redirects
@fok666 fok666 merged commit 1612347 into main Jan 18, 2026
11 checks passed
@fok666 fok666 deleted the security/fix-code-scan-vulnerabilities branch January 18, 2026 19:24