vrr/eigent
2
0
Fork 0
mirror of https://github.com/eigent-ai/eigent.git synced 2026-05-05 23:41:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
eigent/.github/workflows/lint-markdown.yml
Cole Murray 102a864d43 fix(security): prevent arbitrary code execution in CI workflow 
SECURITY FIX: The previous CI workflow was vulnerable to arbitrary code
execution from fork PRs due to using `pull_request_target` with checkout
of untrusted PR code.

Attack vector:
- Attacker forks repo and adds malicious node_modules/.bin/markdownlint-cli
- Opens PR to trigger CI workflow
- npx executes attacker's script with repository write permissions
- Attacker can exfiltrate credentials, comment on PRs, or push code

Fix:
- Split workflow into two separate files
- ci.yml: Uses pull_request_target for commenting (no code checkout)
- lint-markdown.yml: Uses pull_request for linting (safe to checkout)

The pull_request trigger runs fork PRs with read-only permissions and
no access to repository secrets, making it safe to checkout and execute
PR code.

Additional improvements:
- Updated actions to latest versions (checkout@v4, github-script@v7, paths-filter@v3)
- Pin markdownlint-cli version to prevent supply chain attacks
- Added security comments explaining the rationale

Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
2026-01-12 23:10:48 -08:00

36 lines
928 B
YAML
Raw Blame History

name: Lint Markdown
# SECURITY: Use pull_request (not pull_request_target) for workflows that
# checkout and execute code from PRs. This ensures fork PRs run with
# read-only permissions and no access to repository secrets.
#
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
on:
pull_request:
branches:
- main
paths:
- '**.md'
permissions:
contents: read
jobs:
lint:
name: Lint Markdown
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Get changed markdown files
id: changed-files
uses: tj-actions/changed-files@v45
with:
files: |
**.md
- name: Lint markdown
if: steps.changed-files.outputs.any_changed == 'true'
run: npx markdownlint-cli@0.43.0 ${{ steps.changed-files.outputs.all_changed_files }} --ignore node_modules
Reference in a new issue View git blame Copy permalink