Comments (3)
Interesting development: The PR action that is run comes from the repository of the requestor.
from sandpaper.
I've confirmed that it is possible for someone to modify a PR action to create bogus artifacts: zkamvar/testme@348d663
What I need is a sentinel action using pull_request_target to get a list of the changed files, since that action will run in the base of the repository.
from sandpaper.
Update: Based on the workflow in https://securitylab.github.com/research/github-actions-preventing-pwn-requests, I've created an action that will check that the incoming PR is valid and conditionally run the other steps based on that action: https://github.com/zkamvar/check-valid-pr/
In action, it looks like this:
Because it's in the action that's triggered by the completion of another action, we don't have to worry about the action creating bogus artifacts to spoof another pull request that IS valid. That being said, at the moment, it's possible to force the PR to successfully complete the action, and it will take the outputs and comment on a separate PR if it is still an open PR: zkamvar/testme#23 (comment)
from sandpaper.
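The sentinel pattern described in the comments above, written out as an added example workflow. This is not sandpaper's workflow nor the code of zkamvar/check-valid-pr; the workflow name, job ids and the `.github/` path check are assumptions chosen for illustration, while `pull_request_target`, `actions/github-script` and `actions/checkout` are real GitHub features. The point it demonstrates is the one from the "preventing pwn requests" write-up: a job triggered by `pull_request_target` runs the base repository's workflow definition, so it can safely read the list of changed files from the API as long as it never checks out or executes the fork's code, and any job that does check out the fork's head gets only a read-only token and no secrets.

```yaml
# Added example (not the project's own workflow): a base-side sentinel that
# lists a PR's changed files without running the fork's code, then gates a
# separate untrusted build job on the result.
name: pr-sentinel          # assumed name
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege for the default GITHUB_TOKEN; listing PR files only needs read.
permissions:
  contents: read
  pull-requests: read

jobs:
  sentinel:
    runs-on: ubuntu-latest
    outputs:
      changed: ${{ steps.files.outputs.changed }}
      workflow_touched: ${{ steps.files.outputs.workflow_touched }}
    steps:
      # Deliberately NO actions/checkout of the PR head here: under
      # pull_request_target that would execute untrusted code with the base
      # repository's token and secrets available.
      - name: List changed files from the base side
        id: files
        uses: actions/github-script@v7
        with:
          script: |
            // The PR number comes from the trusted event payload, not from an
            // artifact the fork could have fabricated.
            const files = await github.paginate(github.rest.pulls.listFiles, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.pull_request.number,
            });
            const names = files.map(f => f.filename);
            // Assumed policy: a PR that edits workflow files is treated as untrusted.
            const touched = names.some(n => n.startsWith('.github/'));
            core.setOutput('changed', JSON.stringify(names));
            core.setOutput('workflow_touched', String(touched));
            if (touched) {
              core.warning('PR modifies .github/; downstream jobs are skipped');
            }

  build:
    needs: sentinel
    if: needs.sentinel.outputs.workflow_touched == 'false'
    runs-on: ubuntu-latest
    # Job-level override: the fork's code runs with a read-only token.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Untrusted code from the fork; pinned to the exact commit in the event.
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      # Do not reference ${{ secrets.* }} anywhere in this job; secrets are only
      # injected where they are referenced, so this job never sees them.
      - name: Build from the fork's commit
        run: echo "build the lesson here with no secrets and a read-only token"
```

Two design choices matter here. First, the sentinel takes the PR number and head SHA from the `pull_request_target` event payload, which GitHub populates, rather than from anything the PR's own jobs produced; that is what closes off the "take the outputs and comment on a separate open PR" problem noted in the last comment. Second, the split into two jobs means the only job that touches the fork's commit holds a read-only token and references no secrets, so a malicious change to the PR's workflow files cannot be leveraged against the base repository even if it slips past the path check.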