
workflows: fix usage of untrusted input in check links #3029

Merged: 1 commit merged into main from pr/mtardy/cmd-injection on Oct 22, 2024

Conversation

mtardy (Member) commented Oct 22, 2024

A user could create a branch with a particular name that would trigger a command injection because we use this input directly in the shell scripts generation. See more details in
https://securitylab.github.com/resources/github-actions-untrusted-input/.

This also updates the lychee action, which no longer needs an explicit GITHUB_TOKEN env variable (lycheeverse/lychee-action#195), and reduces the permissions needed by the token in both check links workflows.

Reported-by: Piergiorgio Ladisa <piergiorgio.ladisa@hotmail.it>
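The pattern this PR fixes is an Actions expression such as `${{ github.head_ref }}` placed directly inside a `run:` script, where GitHub substitutes the attacker-chosen value into the script text before the shell ever parses it; the fix is to pass the value through `env:` and read it as `"$VAR"`. The following scanner is an added example (not code from this PR or from Tetragon) that flags such expressions in a workflow file; its list of untrusted contexts is assumed from the Security Lab article linked above and the sample workflow is constructed.

```python
import re

# Expression contexts GitHub Actions expands into the script text before the shell
# runs; their values come from whoever opens a PR or names a branch (list assumed
# from the Security Lab article linked in the PR description; not exhaustive).
UNTRUSTED = ("github.head_ref", "github.event.pull_request.head.ref",
             "github.event.pull_request.title", "github.event.pull_request.body",
             "github.event.issue.title", "github.event.issue.body",
             "github.event.comment.body", "github.event.commits")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*?)\s*$")

def run_steps(workflow_text):
    """Yield (line_no, script) per `run:` step; `run: |` bodies are gathered by
    indentation. A small line scanner constructed here, not a YAML parser."""
    lines, i = workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, script, line_no = len(m.group(1)), m.group(2), i
        if script in ("|", ">", "|-", ">-"):
            body = []
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                body.append(lines[i])
                i += 1
            script = "\n".join(body)
        yield line_no, script

def find_injections(workflow_text):
    """Return [(line_no, expr)] for untrusted expressions inside run scripts. Values
    passed via `env:` and read as "$VAR" are not flagged: the shell sees them as data."""
    return [(n, e) for n, s in run_steps(workflow_text) for e in EXPR_RE.findall(s)
            if any(e == c or e.startswith((c + ".", c + "[")) for c in UNTRUSTED)]

# Constructed sample: one step with the bug this PR fixes, one with the env: fix.
SAMPLE_WORKFLOW = """\
steps:
  # Unsafe: the branch name is pasted into the script before bash runs it.
  - name: Record branch (unsafe)
    run: |
      echo "branch=${{ github.head_ref }}" >> "$GITHUB_OUTPUT"
  # Fixed: the same value arrives as an environment variable and stays data.
  - name: Record branch (fixed)
    env:
      HEAD_REF: ${{ github.head_ref }}
    run: echo "branch=$HEAD_REF" >> "$GITHUB_OUTPUT"
"""
```

Running `find_injections(SAMPLE_WORKFLOW)` reports only the unsafe step (line 4 of the sample); the fixed step is silent because the expression lives under `env:`, not in the script.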

@mtardy mtardy added the release-note/ci This PR makes changes to the CI. label Oct 22, 2024
@mtardy mtardy requested a review from ferozsalam October 22, 2024 09:27
@mtardy mtardy requested review from willfindlay and a team as code owners October 22, 2024 09:27
A user could create a branch with a particular name that would trigger a
command injection because we use this input directly in the shell
scripts generation. See more details in
https://securitylab.github.com/resources/github-actions-untrusted-input/.

This also updates the lychee action, which no longer needs an explicit
GITHUB_TOKEN env variable (lycheeverse/lychee-action#195), and reduces the
permissions needed by the token in both check links workflows.

Reported-by: Piergiorgio Ladisa <piergiorgio.ladisa@hotmail.it>
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy mtardy force-pushed the pr/mtardy/cmd-injection branch from 630be43 to f19bbe1 October 22, 2024 09:31
@mtardy mtardy merged commit 2017609 into main Oct 22, 2024
40 checks passed
@mtardy mtardy deleted the pr/mtardy/cmd-injection branch October 22, 2024 09:54