alteropen/streamyfin
1
0
Fork 0
mirror of https://github.com/streamyfin/streamyfin.git synced 2026-06-02 03:58:36 +01:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

fix(pr-validation): run under pull_request_target + drop DoS-prone comment loop

Browse Source 
Security audit fixes:
- The jobs gated on github.event_name == 'pull_request' but the trigger is
  pull_request_target, so they never ran (validation was silently disabled).
  Gate on 'pull_request_target'.
- Replace the loop-until-stable HTML-comment strip with a single linear pass
  (+ trailing-unterminated strip): still leaves no <!-- (CodeQL-clean) but
  removes the quadratic re-scan a crafted nested-comment body could abuse.
This commit is contained in:
Gauvino
2026-06-01 20:14:24 +02:00
parent 3de9b65b7d
commit 5f59dce0c7
2 changed files with 11 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/pr-validation.yml vendored
View File

@@ -17,7 +17,7 @@ concurrency:
jobs:
validate_pr_title:
name: "📝 Validate PR Title"
if: github.event_name == 'pull_request'
if: github.event_name == 'pull_request_target'
runs-on: ubuntu-24.04
permissions:
pull-requests: write
@@ -51,7 +51,7 @@ jobs:
name: "📋 Validate PR Template"
# Skip pushes to an existing PR (the body rarely changes) and bot-authored PRs.
if: >-
github.event_name == 'pull_request' &&
github.event_name == 'pull_request_target' &&
github.event.action != 'synchronize' &&
github.actor != 'renovate[bot]' &&
github.actor != 'github-actions[bot]'