Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: GitHub workflow script injection #1936

Merged
merged 3 commits into from
Nov 19, 2024
Merged

Conversation

joycebrum
Copy link
Contributor

Hi! I'm Joyce from Google's Open Source Security Team(GOSST) and I'm reopening the suggestion I've made on #1920, a small fix to prevent from script injection attacks through the GitHub workflows.

You can see further explanation about this kind of threat in this blogpost Keeping your GitHub Actions and workflows secure Part 2: Untrusted input.

Changes
Parse both github.head_ref and github.event.pull_request.head.ref to envvars to prevent potential script injection.
Any questions, let me know!

(sorry I closed the previous PR, I wanted to check the CLA signing first, but now I'm all set!)

Signed-off-by: Joyce Brum <joycebrum@google.com>
@joycebrum joycebrum requested a review from a team as a code owner November 18, 2024 14:17
Copy link

github-actions bot commented Nov 18, 2024

MLCommons CLA bot All contributors have signed the MLCommons CLA ✍️ ✅

@mrasquinha-g mrasquinha-g merged commit b2b346c into mlcommons:master Nov 19, 2024
18 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Nov 19, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants