• minfapper@piefed.social
    link
    fedilink
    English
    arrow-up
    24
    ·
    17 hours ago

    The core of the problem trickles down to weak CI/CD configurations that grant pull requests (PRs) more permissions than they should have.

    How exactly do their competitors like codeberg do better in preventing that?

    • A_norny_mousse@piefed.zip
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 hours ago

      I’m no expert in this but I’m guessing GH’s higher tiers provide much more “actions” and whatnot than Codeberg does. AFAICS Gitlab might be the only alternative that even has the mechanisms that could be exploited.

      But executing code in a comment, that’s harsh in any case. I mean, even I would’ve known how to prevent that right from the start. I think.

      • minfapper@piefed.social
        link
        fedilink
        English
        arrow-up
        3
        ·
        6 hours ago

        By default pull requests my new contributors require approval from someone with write-access to the repo before running actions.

        These repos have specifically decided to change a setting to make them not require approval for anyone. The UI to change that setting explicitly warns you about exactly this attack, so this “article” feels like a non-item trying to farm engagement.

      • real_username56@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 hours ago

        As far as I can tell it requires GitHub actions to be enabled for pull requests, which you can require approval for. I just quickly read the top of the article so I could be wrong

  • A_norny_mousse@piefed.zip
    link
    fedilink
    English
    arrow-up
    9
    ·
    22 hours ago

    That sounds big & creepy:

    On Microsoft’s Azure Sentinel, for example, Novee found a comment on a PR that could run anonymous attacker code on Microsoft’s CI and steal a non-expiring GitHub App key.

    I wonder if/how alternative VCS platforms that provide similar workflow services are affected.