mirror of
https://github.com/shaka-project/shaka-packager.git
synced 2026-04-02 11:20:08 +00:00
774cd3f1bc
Some checks are pending
Release / release (push) Blocked by required conditions
Release / Settings (push) Waiting to run
Release / Compute latest release flag (push) Blocked by required conditions
Release / Update docs (push) Blocked by required conditions
Release / Update docker image (push) Blocked by required conditions
Release / Build (push) Blocked by required conditions
Release / Artifacts (push) Blocked by required conditions
Release / Update NPM (push) Blocked by required conditions
Because we used require() to read build-matrix.json, the file could be replaced with build-matrix.json.js, allowing code injection into our CI pipelines. This fixes this vulnerability by reading the JSON text with the fs module, then explicitly parsing it, rather than relying on require(). This also changes the location of the file, to match its location in other projects. Note that this workflow is not currently giving any elevated permissions to users, so it is not currently possible to damage the repo through a PR. But this might have been possible in the past, due to organization-wide defaults for token permissions (recently fixed). No evidence has been found of past exploit. See also https://github.com/shaka-project/shaka-streamer/issues/216 and https://github.com/shaka-project/static-ffmpeg-binaries/issues/57