cider-security-research / cicd-goat

A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
Apache License 2.0
1.93k stars 320 forks

Unclear why tagging is necessary in twiddledum solution #59

Closed jasonculligan closed 9 months ago

jasonculligan commented 1 year ago

https://github.com/cider-security-research/cicd-goat/blame/01cd2a4b317fb5d2327435f432c691162a136c73/solutions/twiddledum.md#L11

Reading the solution for twiddledum, it doesn't explain why tagging is necessary for the exploit to work. The requirement to tag should be made more clear.

kairat1115 commented 1 year ago

Hi @jasonculligan, that is how package.json references a dependency with a git URL: https://docs.npmjs.com/cli/v9/configuring-npm/package-json#git-urls-as-dependencies

"If the commit-ish has the format #semver:<semver>, <semver> can be any valid semver range or exact version, and npm will look for any tags or refs matching that range in the remote repository, much as it would for a registry dependency."
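The resolution step the npm docs describe above is the reason the twiddledum solution needs a tag: npm only installs a `#semver:` git dependency if some tag on the remote parses as a version inside the range. The following is an added example (not code from cicd-goat or from npm) that models that step over a constructed tag list and package.json, using a small subset of npm's semver grammar (exact, `^`, `~`), and adds the defender-side check a CI policy would run: flag git dependencies that are not pinned to a full commit SHA, since a `#semver:` or branch ref resolves to whatever the remote's tags or branches say at install time. The `git.example.invalid` hosts and the dependency names are placeholders.

```javascript
// Added example, not part of the cicd-goat repository. Sample tags and
// package.json below are constructed; hosts are placeholder names.

// Split "<git-url>#<commit-ish>" into its parts and classify the commit-ish:
// "semver:<range>", a 40-hex commit SHA, or some other ref (branch/tag name).
function parseGitDep(spec) {
  const hash = spec.indexOf('#');
  if (hash === -1) return { url: spec, kind: 'default-branch', ref: null };
  const url = spec.slice(0, hash);
  const ref = spec.slice(hash + 1);
  if (ref.startsWith('semver:')) return { url, kind: 'semver', ref: ref.slice('semver:'.length) };
  if (/^[0-9a-f]{40}$/i.test(ref)) return { url, kind: 'commit', ref };
  return { url, kind: 'ref', ref };
}

// "v1.2.3" or "1.2.3" -> [1, 2, 3]; null for anything that is not a plain
// release version (npm ignores tags that do not parse as semver).
function parseVersion(tag) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(tag);
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Subset of npm's range grammar: exact "1.2.3", caret "^1.2.3", tilde "~1.2.3".
function satisfies(v, range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(range.slice(op.length));
  if (!base) throw new Error('unsupported range: ' + range);
  if (op === '') return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  if (op === '^') {
    if (base[0] > 0) return v[0] === base[0];             // ^1.2.3 -> <2.0.0
    if (base[1] > 0) return v[0] === 0 && v[1] === base[1]; // ^0.2.3 -> <0.3.0
    return cmp(v, base) === 0;                             // ^0.0.3 -> exact
  }
  return v[0] === base[0] && v[1] === base[1];             // ~1.2.3 -> <1.3.0
}

// Resolve the way npm does for a registry dependency: among the remote's
// tags that parse as versions and satisfy the range, take the highest.
// Returns null when no tag matches, which is an install failure.
function resolveSemverTag(tags, range) {
  let best = null;
  for (const tag of tags) {
    const v = parseVersion(tag);
    if (v && satisfies(v, range) && (!best || cmp(v, best.v) > 0)) best = { tag, v };
  }
  return best ? best.tag : null;
}

// CI policy check: git dependencies (git+..., git:, .git#...) whose commit-ish
// is not a full commit SHA. Everything else is mutable on the remote side.
function unpinnedGitDeps(pkg) {
  const out = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!(spec.startsWith('git') || /\.git(#|$)/.test(spec))) continue; // registry dep
      const dep = parseGitDep(spec);
      if (dep.kind !== 'commit') out.push({ name, kind: dep.kind, ref: dep.ref });
    }
  }
  return out;
}

// Constructed sample data.
const SAMPLE_TAGS = ['v1.0.0', 'v1.1.0', 'v1.2.0-rc1', 'nightly', 'v1.3.0'];
const SAMPLE_PKG = {
  dependencies: {
    'left-utils': 'git+https://git.example.invalid/org/left-utils.git#semver:^1.1.0',
    'pinned-lib': 'git+https://git.example.invalid/org/pinned-lib.git#' + 'a'.repeat(40),
    'lodash': '^4.17.0',
  },
};

console.log('^1.1.0 resolves to', resolveSemverTag(SAMPLE_TAGS, '^1.1.0'));   // v1.3.0
console.log('no version tags   ', resolveSemverTag(['main', 'nightly'], '^1.0.0')); // null
console.log('unpinned git deps ', unpinnedGitDeps(SAMPLE_PKG));
```

A remote with only branch names, or only tags that are not valid versions, yields `null` for every range, which is exactly the situation the solution's tagging step avoids; the `unpinnedGitDeps` check is the inverse view, listing the dependencies for which pushing a new tag to the remote changes what the next `npm install` fetches.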

TupleType commented 1 year ago

Hey @jasonculligan, great point! Could you create a PR with the proposed changes?