ci: Handle untrusted input safely using env #2336

Merged
merged 3 commits into from
Jul 13, 2024

@Yaminyam Yaminyam commented Jun 25, 2024

https://securitylab.github.com/research/github-actions-untrusted-input/
Since the user's input is used as is in the actions, there is a possibility of inserting a script here or exploiting it, so this problem is solved.

Checklist: (if applicable)

  • Milestone metadata specifying the target backport version
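
The pattern this pull request addresses can be checked for mechanically. The following is an added example, not code from this pull request or from the project: a small Python check that flags contributor-controlled `${{ ... }}` contexts expanded directly inside `run:` scripts and accepts the same value when it is passed through `env`. The two sample steps, the `PR_TITLE` variable name and the function name are constructed for illustration.

```python
import re

# Contexts a contributor controls (a subset of those named in the linked
# GitHub Security Lab article); extend the list for your own workflows.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref|github\.event\.(?:issue|pull_request|comment|review)"
    r"\.(?:title|body))\s*\}\}"
)
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")

# Constructed sample steps, not taken from the pull request.
UNSAFE = """\
steps:
  - name: Echo title
    run: |
      echo "Title: ${{ github.event.pull_request.title }}"
"""
SAFE = """\
steps:
  - name: Echo title
    env:
      PR_TITLE: ${{ github.event.pull_request.title }}
    run: |
      echo "Title: $PR_TITLE"
"""


def find_unsafe_run_expressions(workflow_text):
    """Return (line, context) pairs for untrusted contexts expanded inside run: scripts."""
    findings = []
    run_col = None  # column of the active `run:` key; None when outside a script
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip(" "))
        key = RUN_KEY.match(line)
        if key:
            run_col, script = line.index("run:"), key.group(1)
        elif run_col is not None and line.strip() and indent <= run_col:
            run_col, script = None, ""  # dedent: the block scalar has ended
        else:
            script = line if run_col is not None else ""
        findings += [(lineno, hit.group(1)) for hit in UNTRUSTED.finditer(script)]
    return findings


if __name__ == "__main__":
    print("unsafe:", find_unsafe_run_expressions(UNSAFE))
    print("safe:  ", find_unsafe_run_expressions(SAFE))
```

The check is line-based and indentation-driven, so it covers block-scalar and inline `run:` steps but not scripts assembled elsewhere, such as inputs to `actions/github-script`.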


graphite-app bot commented Jun 25, 2024

Your org has enabled the Graphite merge queue for merging into main

Add the label “flow:merge-queue” to the PR and Graphite will automatically add it to the merge queue when it’s ready to merge. Or use the label “flow:hotfix” to add to the merge queue as a hot fix.

You must have a Graphite account and log in to Graphite in order to use the merge queue. Sign up using this link.

@Yaminyam Yaminyam requested a review from achimnol June 25, 2024 02:09
@github-actions github-actions bot added the size:XS ~10 LoC label Jun 25, 2024
@Yaminyam Yaminyam added skip:changelog Make the action workflow to skip towncrier check and removed size:XS ~10 LoC labels Jun 25, 2024
@Yaminyam Yaminyam added this to the 23.03 milestone Jun 25, 2024
@github-actions github-actions bot added the size:XS ~10 LoC label Jun 25, 2024
@achimnol achimnol added area:infrastructure Infrastructure-related issues type:refactor Refactor codes or add tests. labels Jul 13, 2024
@achimnol achimnol enabled auto-merge July 13, 2024 15:54
@achimnol achimnol added this pull request to the merge queue Jul 13, 2024
Merged via the queue into main with commit a7b7045 Jul 13, 2024
24 of 26 checks passed
@achimnol achimnol deleted the ci/security-env branch July 13, 2024 15:59
lablup-octodog pushed a commit that referenced this pull request Jul 13, 2024
Co-authored-by: Joongi Kim <[email protected]>
Backported-from: main (24.09)
Backported-to: 24.03
Backport-of: 2336
github-merge-queue bot pushed a commit that referenced this pull request Jul 14, 2024
Labels
area:infrastructure Infrastructure-related issues size:XS ~10 LoC skip:changelog Make the action workflow to skip towncrier check type:refactor Refactor codes or add tests.