-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow specifying commit_id
#217
Comments
eriksw
added a commit
to retailnext/pproxy
that referenced
this issue
Jun 13, 2023
* Use a separate app for approving the PR Use curl for now: hmarr/auto-approve-action#217 * Generate a nice commit message showing the changes * Fix broken references to outputs * Set PR title, author, message correctly * Signed-off-by: Erik Swanson <erik@retailnext.net>
eriksw
added a commit
to retailnext/pproxy
that referenced
this issue
Jun 13, 2023
* Use a separate app for approving the PR Use curl for now: hmarr/auto-approve-action#217 * Generate a nice commit message showing the changes * Fix broken references to outputs * Set PR title, author, message correctly * Use environment-scoped secrets Signed-off-by: Erik Swanson <erik@retailnext.net>
eriksw
added a commit
to retailnext/pproxy
that referenced
this issue
Jun 13, 2023
* Use a separate app for approving the PR Use curl for now: hmarr/auto-approve-action#217 * Generate a nice commit message showing the changes * Fix broken references to outputs * Set PR title, author, message correctly * Use environment-scoped secrets Signed-off-by: Erik Swanson <erik@retailnext.net>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Use of this action in its current form (and examples) puts users at risk of a race condition variant of pull request hijacking.
The way such an attack would work is this: As a user who has write access to a repo but is NOT supposed to be able to merge code on my own, I wait until an automated workflow creates a PR that will be auto-approved by this action. If I can push my own malicious commit onto the PR branch in the moment between when the PR is created and this action is run to approve the PR, the malicious commit will be approved.
Fortunately, there is a straightforward way to fix this! If you allow specifying the commit_id to be approved, even if a malicious commit is pushed onto the branch before the approval action fires, the approval won't allow merging the malicious commit because the approval will be non-current.
It would be used in a workflow like this:
The text was updated successfully, but these errors were encountered: