fix: prevent RCE via pull_request_target in maven-pr-builder.yml#3500
autogenerated by presubmit.ai
🚨 Pull request needs attention.
Review Summary
Commits Considered (1)
- 5a8229d: fix: prevent RCE via pull_request_target in maven-pr-builder.yml
Files Processed (1)
- .github/workflows/maven-pr-builder.yml (1 hunk)
Actionable Comments (1)
- .github/workflows/maven-pr-builder.yml [16-16]: security: "Restrict workflow to in-repo PRs"
Skipped Comments (0)
| name: Build on JDK 21 | ||
| runs-on: ubuntu-22.04 | ||
| if: github.event.pull_request.head.repo.full_name == github.repository |
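Review bot: the job-level `if: github.event.pull_request.head.repo.full_name == github.repository` gates only this job, so the same condition has to be repeated on every job in the workflow that checks out or builds PR code, otherwise the guard is incomplete. It also means fork PRs get no build at all rather than a read-only one; since the title says the trigger is `pull_request_target`, it is worth stating in a comment above the condition why fork PRs are excluded (so a later edit does not drop it), and considering whether the build could instead run under `pull_request` with a read-only token if fork contributions are expected.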
This job-level guard prevents PRs from forks from running, which helps mitigate RCE risk when using write permissions in PR workflows. Ensure this aligns with all PR flow scenarios (e.g., pull_request_target vs pull_request) and consider adding a brief justification in the workflow header for future maintainers.
Thanks for the suggestion! The if condition was added to prevent
fork PRs from running with write-scoped tokens, mitigating potential
RCE via pull_request_target. Will add a comment in the workflow if
maintainer requests it.
Fixes #3478

Added a job-level if condition to restrict workflow execution to PRs from the same repository only, preventing potential RCE via fork PRs with write-scoped tokens.
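The following is an added example of how the guard described above fits into a complete PR build workflow; it is not the project's maven-pr-builder.yml. The workflow name, job and step names, the Maven command and the JDK setup are assumptions; the `if:` condition is the one from this PR, combined here with a read-only default token, a pinned checkout ref and `persist-credentials: false`, which are the usual companions to this guard when the trigger is `pull_request_target`.

```yaml
# Added example (not the project's maven-pr-builder.yml): a PR build that
# keeps the job-level guard from this PR and combines it with a read-only
# token and a pinned checkout ref. Workflow, job and step names are assumed.
name: Maven PR build

on:
  # pull_request_target runs in the context of the BASE repository, so its
  # GITHUB_TOKEN can carry write scopes even when the PR comes from a fork.
  # That is the situation the job-level guard below is defending against.
  pull_request_target:
    types: [opened, synchronize, reopened]

# Default the token to read-only for every job; grant more per job only
# where a step actually needs it.
permissions:
  contents: read

jobs:
  build:
    name: Build on JDK 21
    runs-on: ubuntu-22.04
    # Guard from this PR: skip the job entirely for PRs whose head branch
    # lives in a fork. github.repository is "owner/name" of the base repo;
    # head.repo.full_name equals it only for branches of the same repo.
    # NOTE: a job-level if covers this job only; repeat it on every job in
    # the workflow that would otherwise check out or build PR code.
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Check out the PR head commit
        uses: actions/checkout@v4
        with:
          # Pin to the exact commit under review rather than a mutable ref.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the token in .git/config for later steps
          # (including the build itself) to read.
          persist-credentials: false

      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'

      - name: Build and test
        # Maven executes code from the checked-out tree (pom.xml plugins,
        # tests). With the guard above that tree is always a same-repo branch.
        run: mvn -B --no-transfer-progress verify
```

If the repository also wants builds for fork PRs, the alternative is a separate workflow on the `pull_request` trigger, which always runs with a read-only token for forks and therefore does not need this guard; the `pull_request_target` workflow then stays reserved for jobs that genuinely need base-repository permissions.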