Closed christophetd closed 2 years ago
same for github.event.pull_request.number
I read the blog post too fast.
No, actually it seems it holds. I think such a configuration is not vulnerable as it checks out the base branch (not the PR code):
```yaml
- name: Checkout repository
  uses: actions/checkout@v2
  with:
    ref: ${{ github.event.pull_request.base.sha }}
```
Hi @christophetd, Thank you for reporting this! I missed this when creating the regexes for the scanner. I have fixed it now. The fix should now only check for cases of `github.pull_request.head.` and `github.event.pull_request.head.`. Closing the issue now :)
github.event.pull_request.base.sha sounds like it triggers a hit but cannot be controlled arbitrarily
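The distinction the thread settles on (a checkout of `pull_request.base.sha` is fine, a checkout of `pull_request.head.*` under `pull_request_target` is the dangerous pattern) can be expressed as a small scanner check. The following is an added example written for this thread, not the project's own scanner code: it generalises the two patterns the maintainer names into one regex, only raises a finding when the workflow also uses the `pull_request_target` trigger, and is exercised on constructed sample workflows. The regexes and the `Finding` type are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed regex modelled on the scanner fix described in the thread: only a
# reference to the PR *head* (github.event.pull_request.head.* or
# github.pull_request.head.*) carries attacker-controlled code. base.sha and
# number do not match, so they are not flagged.
HEAD_REF_RE = re.compile(r"github\.(?:event\.)?pull_request\.head\.")

# A `ref:` line as written under `with:` on an actions/checkout step.
REF_LINE_RE = re.compile(r"^\s*ref:\s*(?P<value>.+?)\s*$", re.MULTILINE)

# The privileged trigger, in either the mapping form or the list form of `on:`.
TRIGGER_RE = re.compile(
    r"^\s*(?:-\s*)?pull_request_target\b|^\s*on:.*\bpull_request_target\b",
    re.MULTILINE,
)


@dataclass
class Finding:
    line: int  # 1-based line number of the offending `ref:` line
    ref: str   # the expression that was checked out


def uses_pull_request_target(workflow: str) -> bool:
    """True if the workflow runs with pull_request_target privileges."""
    return TRIGGER_RE.search(workflow) is not None


def risky_checkouts(workflow: str) -> List[Finding]:
    """Flag `ref:` values that check out PR head data in a privileged workflow.

    Without the pull_request_target trigger the job runs with a read-only
    token and no repository secrets for forks, so nothing is reported.
    """
    if not uses_pull_request_target(workflow):
        return []
    findings: List[Finding] = []
    for m in REF_LINE_RE.finditer(workflow):
        value = m.group("value")
        if HEAD_REF_RE.search(value):
            line_no = workflow.count("\n", 0, m.start()) + 1
            findings.append(Finding(line_no, value))
    return findings


def _workflow(trigger: str, ref: str) -> str:
    # Constructed sample workflow text for the examples below.
    return (
        "name: example\n"
        "on:\n"
        f"  {trigger}:\n"
        "    types: [opened, synchronize]\n"
        "jobs:\n"
        "  build:\n"
        "    runs-on: ubuntu-latest\n"
        "    steps:\n"
        "      - name: Checkout repository\n"
        "        uses: actions/checkout@v2\n"
        "        with:\n"
        f"          ref: {ref}\n"
    )


# The configuration from the thread: privileged trigger, but base branch checked out.
SAFE_WORKFLOW = _workflow("pull_request_target", "${{ github.event.pull_request.base.sha }}")
# The pattern the scanner is meant to catch: privileged trigger, PR head checked out.
RISKY_WORKFLOW = _workflow("pull_request_target", "${{ github.event.pull_request.head.sha }}")
# Same head checkout under the unprivileged trigger: not a finding.
PR_TRIGGER_WORKFLOW = _workflow("pull_request", "${{ github.event.pull_request.head.sha }}")

if __name__ == "__main__":
    for label, wf in [("safe", SAFE_WORKFLOW), ("risky", RISKY_WORKFLOW), ("pr", PR_TRIGGER_WORKFLOW)]:
        print(label, risky_checkouts(wf))
```

The check is deliberately line-oriented, like the regex scanner the thread discusses; it tells the two expressions apart by name rather than by YAML structure, so it will not see a head reference that arrives through an intermediate variable.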