774cd3f1bc
Because we used require() to read build-matrix.json, the file could be replaced with build-matrix.json.js, allowing code injection into our CI pipelines. This fixes this vulnerability by reading the JSON text with the fs module, then explicitly parsing it, rather than relying on require(). This also changes the location of the file, to match its location in other projects. Note that this workflow is not currently giving any elevated permissions to users, so it is not currently possible to damage the repo through a PR. But this might have been possible in the past, due to organization-wide defaults for token permissions (recently fixed). No evidence has been found of past exploit. See also https://github.com/shaka-project/shaka-streamer/issues/216 and https://github.com/shaka-project/static-ffmpeg-binaries/issues/57 |
||
|---|---|---|
| .. | ||
| workflows | ||
| ISSUE_TEMPLATE.md | ||