metamask / action-require-additional-reviewer Goto Github PK

Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security research to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

In order to support private repositories, this action needs a second access token with the repo scope passed to any gh api call that hits a /repos/ endpoint. We don't need to add this until we do, because I think we are unlikely to use this action in private repositories. If I'm wrong, the solution is now documented.

#37 attempted to fix this action updating the commit status when in the context of a PR from a fork. #42 reverted this, as the implementation did not work.

We can still fix this action for PRs from forks, by using the pull_request_target even trigger, which runs the workflow in the context of the base repository. However, as discussed in #42, it's not safe to check out untrusted PRs, so we have to either:

1. Split the expected consumer workflows into two, one using pull_request_target and the other using some trigger that runs the workflow in the context of the PR's repository.
2. Figure out how to fetch the git history we need without "fully" checking out the PR branch.

It'd be best if we could pursue option 2, as that would be the least disruptive. GitHub security article here for reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/