Conversation

@valentijnscholten
Member

The detect merge conflicts action is failing a lot or almost every time. I suggest we ignore these errors and allow PRs to be merged with a green state.

@dryrunsecurity

DryRun Security

This pull request introduces a workflow that uses pull_request_target (which runs with elevated base-repo privileges and access to secrets) and also sets continue-on-error: true for the step running eps1lon/actions-label-merge-conflict, meaning a malicious forked PR could exploit the elevated context or an action vulnerability and any failure or exploitation attempts would be masked and may go unnoticed. While no concrete vulnerability in the specific action version was found, this combination increases risk and reduces visibility into potential attacks.

Masked Exploitation in pull_request_target Workflow in .github/workflows/detect-merge-conflicts.yaml

Vulnerability: Masked Exploitation in pull_request_target Workflow

Description: The workflow uses pull_request_target, which executes in the context of the base repository with elevated permissions and access to secrets, but can be triggered by untrusted code from a forked pull request. While no direct vulnerabilities were found in the specific version of the eps1lon/actions-label-merge-conflict action, the general risk of pull_request_target is that a malicious pull request could attempt to exploit a vulnerability in the action itself or in how it processes untrusted input (e.g., PR titles, labels). The continue-on-error: true setting on this step would mask any such exploitation attempts, allowing them to fail silently and potentially go unnoticed, thus hindering detection and response.

        continue-on-error: true
        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
        with:
          dirtyLabel: "conflicts-detected"


All finding details can be found in the DryRun Security Dashboard.
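The combination the DryRun comment describes (a `pull_request_target` trigger, so the job runs with the base repository's token, plus `continue-on-error: true`, so a failing or tampered step never turns the check red) is easy to spot mechanically. The following checker is an added example, not part of this pull request or of the DryRun tooling: it scans a workflow file line by line for that pairing, for a missing `permissions:` block, and, going one step beyond the page's specific finding, for the classic `pull_request_target` mistake of checking out the pull request head. Both embedded workflows are constructed samples modelled on the snippet quoted above; the `pull-requests: write` scope in the hardened one is an assumption about what the labelling action needs and should be confirmed against the action's documentation. It is a heuristic over lines, not a YAML parser.

```python
"""Heuristic audit for pull_request_target workflows (added example, not
project code). Flags: continue-on-error masking, no explicit permissions,
and checkout of the untrusted PR head. Line-oriented, not a YAML parser."""
import re
from dataclasses import dataclass
from typing import List

# Strip trailing "# comment" text so "@sha # v3.0.3" pins don't confuse matches.
_COMMENT = re.compile(r"(^|\s)#.*$")
_PRT = re.compile(r"\bpull_request_target\b")
_COE_TRUE = re.compile(r"^\s*continue-on-error:\s*true\b")
_PERMS = re.compile(r"^\s*permissions:")
_HEAD_REF = re.compile(r"^\s*ref:.*github\.(event\.pull_request\.head|head_ref)")


@dataclass
class Finding:
    line: int      # 1-based line number; 0 means the finding is file-level
    message: str


def audit_workflow(text: str) -> List[Finding]:
    """Return findings for a workflow; empty if it does not use pull_request_target."""
    lines = [_COMMENT.sub("", raw) for raw in text.splitlines()]
    findings: List[Finding] = []
    if not any(_PRT.search(line) for line in lines):
        return findings  # no elevated-context trigger, nothing in scope here
    if not any(_PERMS.match(line) for line in lines):
        findings.append(Finding(0, "pull_request_target workflow declares no "
                                   "`permissions:` block; GITHUB_TOKEN falls back "
                                   "to the repository default instead of least privilege"))
    for number, line in enumerate(lines, 1):
        if _COE_TRUE.match(line):
            findings.append(Finding(number, "`continue-on-error: true` under "
                                            "pull_request_target masks failures of a step "
                                            "running with elevated privileges"))
        if _HEAD_REF.match(line):
            findings.append(Finding(number, "checks out the pull request head under "
                                            "pull_request_target, so untrusted code runs "
                                            "with the base-repo token"))
    return findings


# Constructed sample mirroring the weak configuration quoted in the PR comment.
WEAK = """\
name: detect merge conflicts (constructed sample)
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: flag conflicting pull requests
        continue-on-error: true
        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
        with:
          dirtyLabel: "conflicts-detected"
"""

# Constructed hardened sample: explicit least-privilege token, failures visible.
# (pull-requests: write is an assumed scope for the labelling action.)
HARDENED = """\
name: detect merge conflicts (constructed sample)
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: flag conflicting pull requests
        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
        with:
          dirtyLabel: "conflicts-detected"
"""


if __name__ == "__main__":
    for label, workflow in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for f in audit_workflow(workflow) or [Finding(0, "no findings")]:
            print(f"  line {f.line}: {f.message}")
```

The hardened sample simply drops `continue-on-error`; whether a red conflict check may block merges is then a branch-protection decision that stays visible in the PR checks, rather than something the workflow itself hides.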

@Maffooch Maffooch requested a review from Jino-T October 20, 2025 14:50
Contributor

@mtesauro mtesauro left a comment

Approved

@mtesauro mtesauro merged commit ffe5167 into DefectDojo:bugfix Oct 20, 2025
149 checks passed