leoafarias / fvm

Flutter Version Management: A simple CLI to manage Flutter SDK versions.
https://fvm.app
MIT License
4.69k stars, 229 forks

[BUG] DO NOT use short hash for commit versions (DOS attack) #783

Open Leptopoda opened 1 month ago

Leptopoda commented 1 month ago

Before creating a bug report, please check the following

Describe the bug: Using a commit version of Flutter will specify the short hash in the .fvmrc (and VS Code config) files. This can easily be DOSed, as commit hashes are shared between forks of the repo. You can read more about it in: https://blog.teddykatz.com/2019/11/12/github-actions-dos.html

To Reproduce: run fvm use 6d04a162109d07876230709adf4013db113b16a3, then see the content of .fvmrc

{
  "flutter": "6d04a16210"
}

Expected behavior: The full commit hash is used in the config file, also when just the short commit was specified in the first place.

Logs: N.A.

Desktop (please complete the following information): N.A.

Additional context: Short hashes should only ever be used to display a nice version to the user, never to refer to any particular commit (especially on GitHub).
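The check the report asks for, as an added example that is not fvm's own code: it classifies the "flutter" entry of an .fvmrc as a full object id, a short prefix or a named ref, and expands a short prefix against a list of known full hashes, refusing when more than one matches. The list of known hashes is constructed for the example (the first entry is the commit quoted in the report, the second is an invented hash sharing its 10-character prefix, as a fork could produce); no git binary is needed.

```python
"""Check the commit reference stored in an .fvmrc and flag short hashes.

Added example, not fvm's own code. The "known" hashes below are constructed
and stand in for the objects reachable through a repository's fork network.
"""
import json
import re

# Full Git object ids: 40 hex chars for SHA-1 repositories, 64 for SHA-256.
FULL_HASH_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
# A hex string shorter than a full id is treated as an abbreviated (short) hash.
SHORT_HASH_RE = re.compile(r"^[0-9a-f]{4,39}$")


def classify_ref(ref: str) -> str:
    """Return 'full', 'short' or 'other' (a channel, tag or branch such as 'stable')."""
    ref = ref.strip().lower()
    if FULL_HASH_RE.match(ref):
        return "full"
    if SHORT_HASH_RE.match(ref):
        return "short"
    return "other"


def check_fvmrc(text: str) -> dict:
    """Parse .fvmrc JSON and report whether its 'flutter' entry pins a full commit."""
    cfg = json.loads(text)
    ref = cfg.get("flutter", "")
    kind = classify_ref(ref)
    return {"ref": ref, "kind": kind, "pinned": kind == "full"}


def resolve_prefix(prefix: str, known_hashes) -> str:
    """Expand a short hash against the known full hashes.

    Raises ValueError when the prefix matches more than one object, which is
    what happens once another commit with the same prefix becomes reachable.
    """
    prefix = prefix.strip().lower()
    matches = sorted(h for h in known_hashes if h.startswith(prefix))
    if not matches:
        raise KeyError(f"no commit matches {prefix!r}")
    if len(matches) > 1:
        raise ValueError(f"ambiguous short hash {prefix!r}: {len(matches)} matches")
    return matches[0]


# Constructed sample data: the commit quoted in the report, an invented hash
# that shares its 10-character prefix, and an unrelated invented commit.
KNOWN_HASHES = [
    "6d04a162109d07876230709adf4013db113b16a3",
    "6d04a16210" + "f" * 30,            # constructed prefix collision
    "0123456789abcdef" * 2 + "01234567",  # constructed unrelated commit
]

# Constructed .fvmrc contents, one as fvm writes it today and one with the full id.
SHORT_FVMRC = '{\n  "flutter": "6d04a16210"\n}'
FULL_FVMRC = '{\n  "flutter": "6d04a162109d07876230709adf4013db113b16a3"\n}'

if __name__ == "__main__":
    for label, text in (("short", SHORT_FVMRC), ("full", FULL_FVMRC)):
        report = check_fvmrc(text)
        print(label, report)
        if report["kind"] == "short":
            try:
                print("  resolves to", resolve_prefix(report["ref"], KNOWN_HASHES))
            except ValueError as exc:
                print("  ", exc)
```

Run stand-alone, the short .fvmrc is reported as not pinned and its prefix fails to resolve once the colliding hash is present, while the full-hash .fvmrc is accepted unchanged; the same classification could be applied when fvm writes the file, so that a short input is expanded once and only the full id is persisted.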

leoafarias commented 1 week ago

@Leptopoda, thank you for opening this issue. Do you think you would be able to create a PR addressing this? I believe this should be fairly straightforward, but I am still trying to catch up on the issues and PRs in fvm.

Leptopoda commented 1 week ago

I'm fairly caught up in work myself, so don't count on me. I'll take a shot at it once I have more time.