Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dangerous use of pull_request_target #3945

Closed
2 tasks
joycebrum opened this issue Feb 14, 2023 · 1 comment · Fixed by #3969
Closed
2 tasks

Dangerous use of pull_request_target #3945

joycebrum opened this issue Feb 14, 2023 · 1 comment · Fixed by #3969
Labels
kind: bug security vulnerability Security vulnerability detected by WhiteSource solution: proposed fix a fix for the issue has been proposed and waits for confirmation

Comments

@joycebrum
Copy link
Contributor

joycebrum commented Feb 14, 2023

Description

Hi, I am Joyce working on behalf of Google and the OpenSSF.

The project has one workflow with dangerous or risky behavior (identified by using the Scorecard tool), which is the https://github.com/nlohmann/json/blob/develop/.github/workflows/check_amalgamation.yml.

The pull_request_target should not be used with a checkout as can be seen in the following warning from the Github Documentation Page:

image

Reproduction steps

None

Expected vs. actual results

Analysing the workflow and looking at the more secure alternatives, I could think in two approaches:

Use pull_request

Instead of using pull_request_target, we could use the pull_request which would change the current behavior in two ways:

  • The verifications would be done in a "merge commit"
  • The workflow would not be granted the read-all and write-all permission that make it dangerous.
  • EDIT: Create a workflow with a workflow_run trigger in another workflow to add the comment

Use label verification

We can use a type: [labeled] and a condition of if: ${{ github.event.label.name == 'is ok to test' }} to check for a label "is ok to test" for example, that you would manually add once you saw that nothing potentially dangerous would be running.

That's the two solutions I though, but let me know if you know another one we can explore. I can open a PR with any solution we agree on this issue.

Minimal code example

No response

Error messages

No response

Compiler and operating system

None

Library version

None

Validation

@nlohmann nlohmann added the state: help needed the issue needs help to proceed label Mar 5, 2023
@nlohmann
Copy link
Owner

nlohmann commented Mar 5, 2023

Any help is appreciated here!

@nlohmann nlohmann added solution: proposed fix a fix for the issue has been proposed and waits for confirmation security vulnerability Security vulnerability detected by WhiteSource and removed state: help needed the issue needs help to proceed labels Mar 8, 2023
@nlohmann nlohmann added this to the Release 3.11.3 milestone Mar 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind: bug security vulnerability Security vulnerability detected by WhiteSource solution: proposed fix a fix for the issue has been proposed and waits for confirmation
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants