Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: fixed the dangerous workflow #439

Closed
wants to merge 1 commit into from
Closed

chore: fixed the dangerous workflow #439

wants to merge 1 commit into from

Conversation

naveensrinivasan
Copy link
Member

@naveensrinivasan naveensrinivasan commented Feb 18, 2024
edited
Loading

Description

Fixed the dangerous workflow

Warn: script injection with untrusted input ' github.event.pull_request.title ': .github/workflows/commitlint.yml:28

https://securityscorecards.dev/viewer/?uri=github.com/defenseunicorns/pepr https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections

Related Issue

Fixes #

Relates to #

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

@naveensrinivasan naveensrinivasan changed the title Fixed the dangerous workflow :chore: fixed the dangerous workflow Feb 19, 2024
@UncleGedd
Copy link
Collaborator

Thanks for this @naveensrinivasan ! I think a few of repos also have this vulnerability. I'm going to update the title (just need to remove that first colon) and rerun the e2e tests

@UncleGedd UncleGedd changed the title :chore: fixed the dangerous workflow chore: fixed the dangerous workflow Feb 20, 2024
@UncleGedd
Copy link
Collaborator

And our permissions seem to be jacked
Screenshot 2024-02-20 at 9 20 46 AM

No issue with this PR though, I'll address the permissions issue internally

@zachariahmiller
Copy link
Contributor

FYSA @Racer159 has an open PR to add commitlint check as a reusable workflow at which point you can just call it from uds-common defenseunicorns/uds-common#44

@UncleGedd
Copy link
Collaborator

FYSA @Racer159 has an open PR to add commitlint check as a reusable workflow at which point you can just call it from uds-common defenseunicorns/uds-common#44

Thanks @zachariahmiller , we'll go with the common workflow

@naveensrinivasan
Copy link
Member Author

#465

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@UncleGedd UncleGedd Awaiting requested review from UncleGedd UncleGedd is a code owner

@jeff-mccoy jeff-mccoy Awaiting requested review from jeff-mccoy jeff-mccoy is a code owner

@decleaver decleaver Awaiting requested review from decleaver decleaver is a code owner

@mjnagel mjnagel Awaiting requested review from mjnagel mjnagel is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@naveensrinivasan @UncleGedd @zachariahmiller