Check if PR is from a fork before dismissing runs. (#9300)
This commit is contained in:
parent
e854a82c1c
commit
9b5fd64431
16
.github/workflows/robot/internal/bot/dismiss.go
vendored
16
.github/workflows/robot/internal/bot/dismiss.go
vendored
|
@ -42,11 +42,17 @@ func (b *Bot) Dimiss(ctx context.Context) error {
|
|||
}
|
||||
|
||||
for _, pull := range pulls {
|
||||
// HEAD could be controlled by an attacker, however, all this would allow is
|
||||
// the attacker to dismiss a workflow run.
|
||||
if err := b.dismiss(ctx, b.c.Environment.Organization, b.c.Environment.Repository, pull.UnsafeHead); err != nil {
|
||||
log.Printf("Failed to dismiss workflow: %v %v %v: %v.", b.c.Environment.Organization, b.c.Environment.Repository, pull.UnsafeHead, err)
|
||||
continue
|
||||
// Only dismiss stale runs from forks (external) as the workflow that triggers
|
||||
// this method is intended for. Dismissing runs for internal contributors
|
||||
// (non-fork) here could result in a race condition as runs are deleted upon
|
||||
// trigger separately during the `Check` workflow.
|
||||
if pull.Fork {
|
||||
// HEAD could be controlled by an attacker, however, all this would allow is
|
||||
// the attacker to dismiss a workflow run.
|
||||
if err := b.dismiss(ctx, b.c.Environment.Organization, b.c.Environment.Repository, pull.UnsafeHead); err != nil {
|
||||
log.Printf("Failed to dismiss workflow: %v %v %v: %v.", b.c.Environment.Organization, b.c.Environment.Repository, pull.UnsafeHead, err)
|
||||
continue
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -145,6 +145,8 @@ type PullRequest struct {
|
|||
// UnsafeHead is the name of the branch this PR is created from. It is marked
|
||||
// unsafe as it can be attacker controlled.
|
||||
UnsafeHead string
|
||||
// Fork determines if the pull request is from a fork.
|
||||
Fork bool
|
||||
}
|
||||
|
||||
func (c *client) ListPullRequests(ctx context.Context, organization string, repository string, state string) ([]PullRequest, error) {
|
||||
|
@ -171,6 +173,7 @@ func (c *client) ListPullRequests(ctx context.Context, organization string, repo
|
|||
Author: pr.GetUser().GetLogin(),
|
||||
Repository: repository,
|
||||
UnsafeHead: pr.GetHead().GetRef(),
|
||||
Fork: pr.GetBase().GetRepo().GetFork(),
|
||||
})
|
||||
}
|
||||
if resp.NextPage == 0 {
|
||||
|
|
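Review bot: The new `Fork` field is populated from the wrong side of the pull request: `pr.GetBase().GetRepo().GetFork()` describes the repository the PR targets, which for this bot is the organization's own repository and so is never a fork, leaving `Fork` false for every PR and turning the new `if pull.Fork` guard in `Dimiss` into a no-op that never dismisses stale fork runs. The fork status lives on the head side, so this should read `Fork: pr.GetHead().GetRepo().GetFork(),`, or, more directly, compare the two repositories, e.g. `Fork: pr.GetHead().GetRepo().GetFullName() != pr.GetBase().GetRepo().GetFullName(),`, since the head repo is what an external contributor controls. If this is go-github (the `GetUser().GetLogin()` chain suggests so), the nil-safe getters mean a deleted fork yields an empty head repo without panicking, but that case then reports "not a fork", so the check should treat a nil head repo as external rather than internal. A behaviour test that constructs a PR whose head repo differs from the base repo and asserts `Fork == true` would have caught this. `ListPullRequests` begins and ends outside this hunk, so the surrounding pagination loop was not reviewed.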