1Password / connect-sdk-python

Python SDK for 1Password Connect
https://developer.1password.com/docs/connect
MIT License

Address injection vector in GitHub Action #43

Closed DCKcode closed 2 years ago

DCKcode commented 2 years ago

A Bugcrowd researcher submitted a report that our workflow didn't properly sanitize the Git ref name in its workflow. Since a contributor to this code can set e.g. their branch name arbitrarily, this could be used to inject commands here.

While the impact is mitigated by the fact that Actions need approval before running, and it should be stated we haven't seen any attempts here, this is still an important oversight. This PR addresses that.
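The pattern the report describes, as an added example that is not code from this PR or from the repository's workflow: a small checker that flags `${{ }}` expressions referencing contributor-controlled contexts inside `run:` steps, with a constructed vulnerable step beside its hardened form (the expression bound to an `env:` variable). The context list and both sample workflows are assumptions for illustration, not taken from this repository.

```python
import re

# Contexts an outside contributor controls (constructed list; extend as needed).
UNTRUSTED_CONTEXTS = ("github.head_ref", "github.ref_name",
                      "github.event.pull_request.title")

EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
# A `run:` key, optionally as a list item, with an optional block-scalar marker.
RUN_RE = re.compile(r"^\s*(?:-\s+)?(run):\s*(\|-?|>-?)?\s*(.*)$")

def find_run_injections(workflow_text):
    """Return (line_no, context) for untrusted ${{ }} expressions in run: scripts.
    The runner substitutes them into the script before the shell parses it, so
    quoting inside the script cannot neutralise them."""
    findings, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, block, body = m.start(1), m.group(2), [(i + 1, m.group(3))]
        i += 1
        # Block scalar: the script continues on every following more-indented line.
        while block and i < len(lines) and (
            not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_col
        ):
            body.append((i + 1, lines[i]))
            i += 1
        for line_no, text in body:
            for expr in EXPR_RE.findall(text):
                findings.extend((line_no, c) for c in UNTRUSTED_CONTEXTS if c in expr)
    return findings

# Constructed vulnerable steps (not this repository's actual workflow file).
VULNERABLE = """\
steps:
  - run: |
      echo "Building ${{ github.head_ref }}"
      pip install .
  - run: echo "PR ${{ github.event.pull_request.title }}"
"""

# Hardened form: bind the expression to an env var so the value reaches the
# shell as data, then quote it like any other variable.
HARDENED = """\
steps:
  - env:
      BRANCH: ${{ github.head_ref }}
    run: echo "Building $BRANCH" && pip install .
"""
```

Running the checker over the two samples reports the two expression lines in `VULNERABLE` and nothing for `HARDENED`, since the only expression there sits under `env:` rather than in the script text.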

codecov-commenter commented 2 years ago

Codecov Report

Merging #43 (188dcfa) into main (22e75d2) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main      #43   +/-   ##
=======================================
  Coverage   76.22%   76.22%           
=======================================
  Files          21       21           
  Lines        1607     1607           
=======================================
  Hits         1225     1225           
  Misses        382      382           
