iotivity-lite icon indicating copy to clipboard operation
iotivity-lite copied to clipboard
verified publisher icon iotivity

Update workflows for forks

Open Danielius1922 opened this issue 3 years ago • 5 comments

Danielius1922 avatar Aug 26 '22 17:08 Danielius1922

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

sonarqubecloud[bot] avatar Aug 26 '22 17:08 sonarqubecloud[bot]

@ondrejtomcik Is it ok to run CTT tool for PR from the fork?

jkralik avatar Aug 26 '22 18:08 jkralik

@ondrejtomcik Is it ok to run CTT tool for PR from the fork?

No. This is a security issue, as whoever could be able to execute code on OCF VM or make a mess with many runs.

ondrejtomcik avatar Aug 26 '22 19:08 ondrejtomcik

@ondrejtomcik Is it ok to run CTT tool for PR from the fork?

ctt-bot.yml isn't the job that runs CTT tool. The workflow posts a comment when PR is opened or removes the "CTT conformance testing" label when a PR is updated. Using pull_request_target for these actions is OK. It's expected not to do anything sensitive in a "pull_request_target" job, but I can add a warning at the beginning of the file just to be sure.

No. This is a security issue, as whoever could be able to execute code on OCF VM or make a mess with many runs.

Wouldn't it be possible to make it work like other jobs for PRs from forks? That is they run only a maintainer clicks on "Aprove and Run" button. I wouldn't want to merge a PR from a fork without knowing the result of a CTT tool run. Giving everyone write permissions or manually migrating the PR to repository myself seem like worse options than making it (securely) work for PRs from a fork.

Danielius1922 avatar Aug 27 '22 10:08 Danielius1922

@ondrejtomcik Is it ok to run CTT tool for PR from the fork?

ctt-bot.yml isn't the job that runs CTT tool. The workflow posts a comment when PR is opened or removes the "CTT conformance testing" label when a PR is updated. Using pull_request_target for these actions is OK. It's expected not to do anything sensitive in a "pull_request_target" job, but I can add a warning at the beginning of the file just to be sure.

No. This is a security issue, as whoever could be able to execute code on OCF VM or make a mess with many runs.

Wouldn't it be possible to make it work like other jobs for PRs from forks? That is they run only a maintainer clicks on "Aprove and Run" button. I wouldn't want to merge a PR from a fork without knowing the result of a CTT tool run. Giving everyone write permissions or manually migrating the PR to repository myself seem like worse options than making it (securely) work for PRs from a fork.

Once you enabled the remote execution of scripts on that PC - in Powershell. If you disable it, should be okay. Only that one, which is there, triggering CTT can be executed. Otherwise whoever can in his fork add his own script and start mining through your PC :)

ondrejtomcik avatar Sep 02 '22 09:09 ondrejtomcik