
The folks at Synacktiv had a nice detailed blog post on this same vector last year[1].

The bottom line with these kinds of things is that virtually nobody should be using `pull_request_target`, even with “trusted” machine actors like Dependabot. It’s a pretty terrible footgun.

[1]: https://www.synacktiv.com/en/publications/github-actions-exp...
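As an added illustration (not code from the comment or from the Synacktiv post), here is the footgun the comment refers to next to the safer trigger; the workflow names and the npm steps are assumed placeholders.

```yaml
# RISKY pattern (constructed example). `pull_request_target` runs the workflow in
# the context of the BASE repository: GITHUB_TOKEN can have write access and
# repository secrets are in scope. Checking out and executing the PR's own code
# here means code controlled by the PR author runs with those privileges.
name: ci-risky
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # PR head ref: content controlled by the PR author, not the maintainers
          ref: ${{ github.event.pull_request.head.sha }}
      # package.json scripts come from the PR, so this step executes untrusted code
      - run: npm ci && npm test
---
# SAFER pattern (constructed example). `pull_request` runs in the context of the
# PR's merge commit: for forks and Dependabot PRs the token is read-only and
# repository secrets are not exposed. Explicitly restricting permissions keeps
# the blast radius small even when untrusted test code runs.
name: ci-safe
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Default checkout of the PR merge ref; no base-repo secrets are available
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

A quick repository check is to grep workflow files for `pull_request_target` and treat any such job that also checks out `github.event.pull_request.head.*` or runs PR-supplied scripts as a finding.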




Thanks, I've fixed my comment as well.



