Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: GitHub workflow script injection #86

Merged
merged 1 commit into from
Nov 13, 2024
Merged

Fix: GitHub workflow script injection #86

merged 1 commit into from
Nov 13, 2024

Conversation

joycebrum
Copy link
Contributor

Hi! I'm Joyce from Google's Open Source Security Team(GOSST) and I'm here to suggest this small fix to prevent from script injection attacks through your GitHub workflows.

You can see further explanation about this kind of threat in this blogpost Keeping your GitHub Actions and workflows secure Part 2: Untrusted input.

Any questions, let me know!

Summary of changes

  • parse github.head_ref to an envvar to prevent from potential script injection.

PR checklist for schema changes

Not changing any schemas

  • Update the version string in docs/source/conf.py and common/namespace.yaml to the next version with the suffix "-alpha"
  • Add a new section in the release notes for the new version with the date "Upcoming"
  • Add release notes for the PR to docs/source/hdmf_common_release_notes.rst and/or
    docs/source/hdmf_experimental_release_notes.rst

Signed-off-by: Joyce Brum <joycebrum@google.com>
@rly
Copy link
Contributor

rly commented Nov 13, 2024

Thank you @joycebrum . The fix looks good to me.

@rly rly merged commit b33c8f8 into hdmf-dev:main Nov 13, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants