Fix: GitHub Actions security issue with pull_request_target #5423
Hey! I found and fixed the security vulnerability mentioned in #5421.
What was the problem?
The workflows were using pull_request_target which gives PRs write access to the repo. This is dangerous because if someone creates a malicious PR from a fork, they could run bad code through npm install scripts with elevated permissions.
What I changed
I replaced pull_request_target with pull_request in these two files:
.github/workflows/lighthouse-ci.yml (line 4)
.github/workflows/pr-jest-tests.yml (line 4)
How does this fix it?
Now when PRs run, they don't get write access or access to secrets. The code runs in a sandboxed environment so even if someone tries something malicious, it can't actually do anything to our repo.
Testing
I checked all the workflow files to make sure there's no more pull_request_target being used. The YAML syntax looks good too.
One thing to note - PR comments might not work for external contributors anymore, but I think that's worth it for the security improvement. Comments should still work fine for PRs from branches in this repo.
Closes #5421
Let me know if there's anything else I should change or if the workflows need any other adjustments!
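The check described under "Testing" above, written out as an added example (this is not code from the PR or the project): a POSIX shell audit that scans a `.github/workflows` directory for the `pull_request_target` trigger and reports any file still using it. The two sample workflow files it builds are constructed stand-ins modelled on the file names the PR mentions; one keeps the weak trigger, the other shows the corrected `pull_request` trigger, so the scan has something to flag.

```shell
#!/bin/sh
# Added example, not the PR's own code: audit .github/workflows for the
# pull_request_target trigger. That event runs a PR's workflow with the base
# repository's write token and secrets; pull_request runs fork PRs with a
# read-only token and no secrets, which is the fix the PR applies.

# Build a constructed sample repo (temp dir) with one weak and one corrected
# workflow. File names follow the two files named in the PR; contents are made up.
make_samples() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows"
  # Weak setting: PR head code (npm install hooks) runs with write access.
  cat > "$dir/.github/workflows/lighthouse-ci.yml" <<'EOF'
name: Lighthouse CI
on:
  pull_request_target:
    branches: [main]
jobs:
  lhci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
EOF
  # Corrected setting: same job, triggered by pull_request instead.
  cat > "$dir/.github/workflows/pr-jest-tests.yml" <<'EOF'
name: PR Jest Tests
on:
  pull_request:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
EOF
  printf '%s\n' "$dir"
}

# Print each workflow file whose trigger section uses pull_request_target.
# Comment lines are ignored; both the mapping form ("pull_request_target:")
# and the list form ("on: [push, pull_request_target]") are matched.
find_pull_request_target() {
  for f in "$1"/.github/workflows/*.yml "$1"/.github/workflows/*.yaml; do
    [ -f "$f" ] || continue
    if grep -v '^[[:space:]]*#' "$f" \
       | grep -qE '(^|[[:space:],[])pull_request_target([][:space:]:,]|$)'; then
      printf '%s\n' "$f"
    fi
  done
}

# Number of flagged files; 0 is the state the PR description reports after the fix.
count_pull_request_target() {
  find_pull_request_target "$1" | wc -l | tr -d ' '
}

# Stand-alone run (sh audit.sh --demo): build the samples, list offenders,
# and exit non-zero while any workflow still uses pull_request_target.
if [ "${1:-}" = "--demo" ]; then
  repo=$(make_samples)
  find_pull_request_target "$repo"
  [ "$(count_pull_request_target "$repo")" = "0" ]
fi
```

Pointing `find_pull_request_target` at a real checkout (`find_pull_request_target /path/to/repo`) gives the same yes/no answer the PR author got by reading the files by hand, and the non-zero exit in demo mode is what you would wire into a pre-merge check so the trigger cannot quietly come back.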