SShortSingh.
Back to feed

Developer finds own security scanner missed half a critical CI vulnerability pattern

0
·1 views

A developer maintaining mcpscan, an open-source static security scanner for GitHub Actions workflows, discovered that a newly shipped rule in version 0.14.0 only detected one of two known attack paths for a common CI vulnerability. The flaw involves workflow_run triggers, which always execute with full repository token privileges regardless of whether the originating workflow was launched by an untrusted fork pull request. Two distinct attack shapes exist: one where a workflow checks out attacker-controlled code via a commit hash, and another where it downloads and executes a build artifact produced by the untrusted run. The original rule only flagged artifact reuse cases and only when no permissions block was present, creating blind spots for direct checkout abuse and loosely scoped but still dangerous token configurations. The developer has since revised the rule to treat both attack shapes as independently reportable, decoupling the permissions check from the artifact reuse detection.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

DEV Tutorial Shows How to Build Async Web Forms Without Page Reloads

A tutorial published on DEV Community walks developers through building form submission workflows that avoid full-page reloads using JavaScript's native Fetch API and async/await syntax. The guide explains how traditional synchronous form submissions block the main thread, reset client-side state, and degrade user experience on slow mobile connections. The demonstrated implementation disables the submit button during the network request to prevent double-submissions and provides real-time feedback based on server response. Error handling is built in at both the HTTP status and network levels, with the UI reliably reset in a finally block regardless of outcome. The tutorial positions this async approach as a production-ready pattern capable of delivering sub-200ms perceived response times.

0
ProgrammingDEV Community ·

Developer Fixes Silent Regex Bug in Formbricks That Crashed Live Surveys

A contributor discovered a runtime bug in Formbricks, an open-source survey platform with over 12,000 GitHub stars, where invalid regex patterns entered by survey creators were accepted without validation. The flaw existed because the schema only checked that the pattern field was a non-empty string, without verifying it was a legitimate regular expression. This meant a malformed pattern like '[invalid' could be saved to the database and only cause a JavaScript SyntaxError when a real user attempted to submit a response, silently crashing the survey. The fix adds two helper functions that wrap RegExp construction in try/catch blocks, rejecting invalid patterns and flags at the schema level before they reach the database. Placing the validation at the schema layer ensures malformed inputs are blocked even if submitted directly via the API, bypassing any frontend checks.

0
ProgrammingHacker News ·

Developer builds canvas-based note app separating short and long-form notes

A developer has launched a canvas-based note-taking and organizer app after an extended period of solo development. The app distinguishes between sticky notes for quick thoughts and A4-style notes for longer documents, displayed on a visual canvas rather than in a linear list. It includes a quick-access mode using local storage for fast note capture and a PDF export feature offering three custom layout styles. File organization is handled visually through a hierarchy of notes, stacks, and labels that mirrors a traditional folder structure. The developer has shared the project on Hacker News seeking community feedback to help guide further development.

0
ProgrammingDEV Community ·

How a Developer Fixed Soft 404 and Duplicate Page Errors in Google Search Console

A developer discovered that member profile pages on their site were flagged by Google Search Console as Soft 404 and Duplicate without user-selected canonical errors, three weeks after publishing a dynamic sitemap. The root cause was that public anonymous profiles were intentionally minimal, hiding personal information from logged-out visitors, making them appear empty or near-identical to Google's crawler. Rather than enriching the pages — which was not permitted by design — the fix involved adding a noindex,follow meta tag and removing the URLs from the sitemap. The developer also noted that most Search Console coverage warnings, such as redirects, crawl budget decisions, and intentional 403 blocks, are benign by design and require no action. The key takeaway is that pages deliberately lacking content for anonymous visitors have no place in a search index built for those same users.

Developer finds own security scanner missed half a critical CI vulnerability pattern · ShortSingh