From 2d6d85e99364ab19082d5735829b6ce9d5b01c07 Mon Sep 17 00:00:00 2001
From: Zanie Blue
Date: Fri, 14 Jun 2024 13:11:25 -0400
Subject: [PATCH] Guard against malicious ecosystem comment artifacts (#11879)

---
 .github/workflows/pr-comment.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml
index 5fbace0251..97b6ba7026 100644
--- a/.github/workflows/pr-comment.yaml
+++ b/.github/workflows/pr-comment.yaml
@@ -48,6 +48,14 @@ jobs:
 id: generate-comment
 if: steps.download-ecosystem-result.outputs.found_artifact == 'true'
 run: |
+ // Guard against malicious ecosystem results that symlink to a secret
+ // file on this runner
+ if [[ -L pr/ecosystem/ecosystem-result ]]
+ then
+ echo "Error: ecosystem-result cannot be a symlink"
+ exit 1
+ fi
+
 # Note this identifier is used to find the comment to update on
 # subsequent runs
 echo '' >> comment.txt
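Review bot: The two comment lines added at the top of the `run:` block use `//`, which is not a shell comment: bash will try to execute `//` as a command and fail ("Is a directory"), and because GitHub Actions runs `run:` steps under `bash -e` by default the step aborts before the symlink check or the comment generation below it ever executes. Replace them with `# Guard against malicious ecosystem results that symlink to a secret` and `# file on this runner`. Separately, `[[ -L pr/ecosystem/ecosystem-result ]]` only rejects the leaf path; if the downloaded artifact can also deliver `pr` or `pr/ecosystem` as symlinks (I cannot tell from this hunk how the artifact is unpacked), a later read of the file would still follow the link, so a resolution check such as `[[ "$(realpath -e pr/ecosystem/ecosystem-result)" == "$PWD/pr/ecosystem/ecosystem-result" ]] || exit 1` would close that gap as well. The enclosing step's body continues outside the hunk.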