Skip to content

fix: github workflow vulnerable to script injection #9008

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 12, 2024
Merged

fix: github workflow vulnerable to script injection #9008

merged 1 commit into from
Aug 12, 2024

Conversation

@diogoteles08
Copy link
Contributor

@diogoteles08 diogoteles08 commented Aug 12, 2024

Hi! I'm Diogo from Google's Open Source Security Team(GOSST) and I'm dropping by to suggest this small change that will enhance the security of your repository by preventing script injection attacks through your GitHub workflows.

In the piece of code I changed, you were directly using the value of a variable that comes from a user's input, so a malicious user could exploit that input and use it to run arbitrary code. By using an intermediate environment variable, the value of the expression is stored in memory, used as a variable and doesn't interact with the script generation process. This mitigates the script injection risks and also keeps your workflow running exactly as before.

You can find more information about this on this github documentation or in this gitguardian blogpost.

Cheers!

ggerganov
ggerganov approved these changes Aug 12, 2024
View reviewed changes
Copy link
Member

@ggerganov ggerganov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the information

@ggerganov ggerganov merged commit fc4ca27 into ggml-org:master Aug 12, 2024
@github-actions github-actions bot added the devops improvements to build systems and github actions label Aug 12, 2024
arthw pushed a commit to arthw/llama.cpp that referenced this pull request Nov 15, 2024
@diogoteles08 @arthw
ci : fix github workflow vulnerable to script injection (ggml-org#9008)
fc9d556 
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
arthw pushed a commit to arthw/llama.cpp that referenced this pull request Nov 18, 2024
@diogoteles08 @arthw
ci : fix github workflow vulnerable to script injection (ggml-org#9008)
8d4f23b 
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ggerganov ggerganov ggerganov approved these changes

Assignees

No one assigned

Labels

devops improvements to build systems and github actions

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@diogoteles08 @ggerganov