From 98d312fda1b9c7aa9cfcf3e4b6446279d9077272 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20St=C3=B6ckli?= Date: Mon, 11 Aug 2025 09:56:53 +0000 Subject: [PATCH] Actions: clarify doc for untrusted checkout --- actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md | 4 ++-- actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md | 4 ++-- actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md index 50e81cc240c..de3307550ad 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md @@ -1,6 +1,6 @@ ## Overview -GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job. +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job. ## Recommendation @@ -32,7 +32,7 @@ jobs: - uses: actions/setup-node@v1 - run: | - npm install + npm install # scripts in package.json from PR would be executed here npm build - uses: completely/fakeaction@v2 diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md index 50e81cc240c..de3307550ad 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md @@ -1,6 +1,6 @@ ## Overview -GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job. +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job. ## Recommendation @@ -32,7 +32,7 @@ jobs: - uses: actions/setup-node@v1 - run: | - npm install + npm install # scripts in package.json from PR would be executed here npm build - uses: completely/fakeaction@v2 diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md index 50e81cc240c..de3307550ad 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md @@ -1,6 +1,6 @@ ## Overview -GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job. +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job. ## Recommendation @@ -32,7 +32,7 @@ jobs: - uses: actions/setup-node@v1 - run: | - npm install + npm install # scripts in package.json from PR would be executed here npm build - uses: completely/fakeaction@v2