From 3a86687ae7208dd5e03bc1bad2a832238cd2200b Mon Sep 17 00:00:00 2001
From: Auguste Rame <19855629+SuperAuguste@users.noreply.github.com>
Date: Sun, 22 Jan 2023 14:54:38 -0500
Subject: [PATCH] Fix secrets access in foreign PRs (#934)

---
 .github/workflows/fuzz.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index cd532a0..dea1026 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -1,7 +1,13 @@
 name: Sus Fuzzing
 on:
-  pull_request:
+  # pull_request_target can be dangerous but necessary here to access secrets.
+  # I'm pretty comfortable using it because:
+  # - We limit all permissions (including GITHUB_TOKEN) to read-only
+  # - We limit runs to labelled PRs only which prevents random exploitation
+  # - We don't expose secrets in environment variables which makes exploitation much more difficult
+  # - The secrets that we reference aren't all that important anyways (they can only access our DigitalOcean Space)
+  pull_request_target:
     types: [labeled, synchronize]
   push:
     paths:
@@ -17,6 +23,8 @@ on:
       description: How long should fuzzing last? (sleep time argument)
       default: 15m
 
+permissions: read-all
+
 jobs:
   fuzz:
     if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz')
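Review bot: The label gate that the new comment in the first hunk relies on ("We limit runs to labelled PRs only") is no longer enforced once the trigger is renamed to `pull_request_target`, because the `if:` on the `fuzz` job in the second hunk still tests `github.event_name != 'pull_request'`, which is now always true and short-circuits the `contains(...)` check, so every `labeled`/`synchronize` event from a fork runs with secrets access. The guard should follow the rename: `if: github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz')`. Separately, keeping `synchronize` in `types:` means that once a PR carries the `pr:fuzz` label, any later push to that PR re-runs the workflow in the base-repository context without a maintainer re-applying the label; restricting to `types: [labeled]` (or re-checking the label against a maintainer-reviewed revision) keeps the gate meaningful, and the comment block should state whichever choice is made. The `fuzz` job body, including any checkout of the PR head, continues outside the hunk, so whether the fuzzed code is checked out from the untrusted head cannot be confirmed here.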