TinderSec / gh-workflow-auditor

Script to audit GitHub Action Workflow files for potential vulnerabilities.

False positive on github.event.pull_request.base.sha? #4

Closed christophetd closed 2 years ago

christophetd commented 2 years ago

github.event.pull_request.base.sha sounds like it triggers a hit but cannot be controlled arbitrarily

christophetd commented 2 years ago

same for github.event.pull_request.number

christophetd commented 2 years ago

Read the blog post too fast.

christophetd commented 2 years ago

No, actually it seems it holds. I think such a configuration is not vulnerable as it checks out the base branch (not the PR code):

```yaml
      - name: Checkout repository
        uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.base.sha }}
```

tinder-rojan commented 2 years ago

Hi @christophetd, thank you for reporting this! I missed this when creating the regexes for the scanner. I have fixed it now. The fix should now only check for cases of `github.pull_request.head.` and `github.event.pull_request.head.`. Closing the issue now :)
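To illustrate the distinction the thread settles on, here is an added example (not the gh-workflow-auditor code itself) of the narrowed check: only `${{ ... }}` expressions that start with the two PR-head prefixes named above are reported, while `github.event.pull_request.base.sha` and `github.event.pull_request.number` pass. The two workflow snippets are constructed for the example; the expression regex and the `find_unsafe_pr_head_refs` function name are this example's own assumptions, not the project's API.

```python
import re

# Prefixes the fixed scanner reports: anything under the PR *head* is
# supplied by the pull request author, so checking it out (or otherwise
# consuming it) under a privileged trigger is the pattern worth flagging.
UNSAFE_PREFIXES = (
    "github.pull_request.head.",
    "github.event.pull_request.head.",
)

# Matches a GitHub Actions expression and captures its inner text.
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")


def find_unsafe_pr_head_refs(workflow_text):
    """Return [(line_number, expression)] for every expression in the
    workflow text that references the pull request head."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        for expr in EXPR_RE.findall(line):
            if expr.startswith(UNSAFE_PREFIXES):
                findings.append((lineno, expr))
    return findings


# Constructed sample: the configuration from the issue, which checks out
# the base branch and only echoes the PR number. Expected: no findings.
SAFE_WORKFLOW = """\
name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.base.sha }}
      - run: echo "PR ${{ github.event.pull_request.number }}"
"""

# Constructed sample: same workflow but checking out the PR head commit.
# Expected: one finding on the `ref:` line (line 10).
UNSAFE_WORKFLOW = SAFE_WORKFLOW.replace(
    "github.event.pull_request.base.sha",
    "github.event.pull_request.head.sha",
)


if __name__ == "__main__":
    for label, text in (("safe", SAFE_WORKFLOW), ("unsafe", UNSAFE_WORKFLOW)):
        hits = find_unsafe_pr_head_refs(text)
        print(f"{label}: {hits if hits else 'no PR-head references'}")
```

The scan is deliberately prefix-based rather than matching `pull_request` generically, which is exactly the false positive reported here: `base.sha` and `number` are set by the repository, not by the PR author, so a check that fires on them produces noise without catching anything extra.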