Guard against malicious ecosystem comment artifacts (#11879)

Zanie Blue 2024-06-14 13:11:25 -04:00 committed by GitHub
parent 4f49e918a9
commit 2d6d85e993
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 8 additions and 0 deletions


@ -48,6 +48,14 @@ jobs:
id: generate-comment id: generate-comment
if: steps.download-ecosystem-result.outputs.found_artifact == 'true' if: steps.download-ecosystem-result.outputs.found_artifact == 'true'
run: | run: |
// Guard against malicious ecosystem results that symlink to a secret
// file on this runner
if [[ -L pr/ecosystem/ecosystem-result ]]
then
echo "Error: ecosystem-result cannot be a symlink"
exit 1
fi
# Note this identifier is used to find the comment to update on # Note this identifier is used to find the comment to update on
# subsequent runs # subsequent runs
echo '<!-- generated-comment ecosystem -->' >> comment.txt echo '<!-- generated-comment ecosystem -->' >> comment.txt
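Review bot: The two comment lines added at the top of the `run: |` block use `//`, which is not a comment in a shell script: bash will try to execute `//` as a command, and if the step runs under the default Actions shell (`bash -e`, which I cannot confirm here since any `shell:` key is outside the hunk) that failing command aborts the step before the symlink guard ever runs. They should read `# Guard against malicious ecosystem results that symlink to a secret` and `# file on this runner`, matching the `#` comments a few lines below. The `[[ -L … ]]` test also only inspects the final path component, so if the downloaded artifact can place a symlink at `pr/ecosystem` (or `pr`) pointing at a directory, the check passes and the later read still follows the link; comparing `"$(realpath -e pr/ecosystem/ecosystem-result)"` against the expected literal path under `$PWD`, or applying `-L` to each parent as well, closes that gap. The `run` script and the enclosing step continue outside the hunk.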