nlohmann / json

JSON for Modern C++
https://json.nlohmann.me
MIT License
42.97k stars, 6.72k forks

Dangerous use of pull_request_target #3945

Closed joycebrum closed 1 year ago

joycebrum commented 1 year ago

Description

Hi, I am Joyce working on behalf of Google and the OpenSSF.

The project has one workflow with dangerous or risky behavior (identified by using the Scorecard tool), namely https://github.com/nlohmann/json/blob/develop/.github/workflows/check_amalgamation.yml.

`pull_request_target` should not be used with a checkout, as can be seen in the following warning from the GitHub documentation page:

[screenshot: GitHub documentation warning about using pull_request_target with a checkout of the pull request head]

Reproduction steps

None

Expected vs. actual results

Analysing the workflow and looking at the more secure alternatives, I could think of two approaches:

Use pull_request

Instead of using pull_request_target, we could use the pull_request which would change the current behavior in two ways:

Use label verification

We can use a type: [labeled] and a condition of if: ${{ github.event.label.name == 'is ok to test' }} to check for a label "is ok to test" for example, that you would manually add once you saw that nothing potentially dangerous would be running.

Those are the two solutions I thought of, but let me know if you know another one we can explore. I can open a PR with any solution we agree on in this issue.

Minimal code example

No response

Error messages

No response

Compiler and operating system

None

Library version

None

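The three shapes discussed in the issue, written out as an added example (this is not the project's check_amalgamation.yml nor code from the issue author; it is a constructed illustration). The job body, `make amalgamate && git diff --exit-code`, is a placeholder standing in for whatever the real check does, and the label name "is ok to test" is taken from the comment above. The three workflows are separate files in practice; they are shown as one YAML stream with `---` separators. Note that the event filter key is `types`, and that in the label-gated variant the checkout is pinned to the commit SHA recorded in the `labeled` event rather than to the branch name, so commits pushed after a maintainer applies the label are not picked up by that run.

```yaml
# (A) Risky pattern flagged by Scorecard: pull_request_target plus a checkout
# of the PR head. pull_request_target runs with the base repository's
# privileges (secrets available, GITHUB_TOKEN writable by default), and the
# `run` step then executes whatever Makefile/scripts the fork PR contains.
name: Check amalgamation (risky)
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted tree
      - run: make amalgamate && git diff --exit-code          # runs PR code with base privileges
---
# (B) First alternative from the issue: plain pull_request. The job runs in
# the fork's context with no secrets and a read-only token, so executing the
# PR's own build files cannot touch anything privileged. Enough for a check
# that only needs to read the tree and pass or fail.
name: Check amalgamation (pull_request)
on:
  pull_request:
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # default ref is the PR merge commit
      - run: make amalgamate && git diff --exit-code
---
# (C) Second alternative from the issue: keep pull_request_target but run only
# after someone with triage rights adds the "is ok to test" label. The
# workflow definition itself always comes from the base branch, so the PR
# cannot rewrite this gate. Permissions are still narrowed, and the checkout
# is pinned to head.sha from the event payload, not to the branch name.
name: Check amalgamation (label-gated)
on:
  pull_request_target:
    types: [labeled]
permissions:
  contents: read
jobs:
  check:
    if: ${{ github.event.label.name == 'is ok to test' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # SHA at labeling time
          persist-credentials: false                       # keep the token out of .git/config
      - run: make amalgamate && git diff --exit-code
```

Variant (B) is the simplest fix when the check needs no secrets and never writes back to the repository. Variant (C) still executes untrusted code with base-repository access, so it is only as safe as the maintainer's review before labeling; dropping `permissions` to read-only and avoiding any reference to repository secrets in the job limits what a missed malicious change can reach.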

nlohmann commented 1 year ago

Any help is appreciated here!