Critical - Fix RCE exposure: restrict pull_request_target prettier workflow to same-repo PRs

[barakharyati]

🐸 🐸 JFrog Open Source Security Contribution 🐸 🐸

As part of JFrog’s ongoing Open Source Security initiative, this PR hardens the
prettier workflow by mitigating a remote-code-execution (RCE) risk caused by running npm install under a pull_request_target trigger.

🚨 Security Issue

The workflow is triggered using pull_request_target, which runs with the base repository’s permissions and secrets.

In its original form, the workflow executed:

npm install
npm run prettier

Because PR authors fully control package.json, including lifecycle scripts (preinstall, install, postinstall), a fork PR can embed arbitrary shell commands that run automatically during npm install.

By adding the following text to your Package JSON, an attacker can run RCE on your repository context.

  "scripts": {
    "preinstall": "echo ____RCE_Success >&2;git${IFS}config${IFS}--list>&2;printenv | cut -d= -f1 || true>&2",
    "prepare": "husky"
  }

The workflow also uses elevated permissions:

• contents: write
• pull-requests: write
• Access to secrets.GITHUB_TOKEN

Combined, this allows an attacker to execute arbitrary commands and achieve full repository takeover.

✅ What This PR Improves

This PR introduces a safety check to ensure the workflow only runs for PRs originating from the same repository:

if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}

This prevents untrusted fork PRs from executing npm install in a privileged context and removes the RCE attack vector.

📝 Important Recommendation

Please review the rest of your GitHub workflows for similar patterns.
Any workflow that:

• uses pull_request_target, and
• installs dependencies (npm install, pip install, etc.)
• runs repository scripts
• or executes shell commands based on PR-controlled values

should be restricted to trusted contributors only.

This is critical to reduce CI-based supply-chain exposure.

🧪 Proof of Concept

Working Attack can be found here.
https://github.com/doocs/leetcode/actions/runs/20007746692/job/57372562158?pr=4887#step:4:11
Full control of the PR and the repository

---

This PR is part of JFrog’s commitment to strengthening the security posture of the open-source ecosystem.

[idoocs]

🤭 感谢你的提交，请检查你的改动是否符合以下项目规范。

1. 格式化

我们项目中各种编程语言代码（包括文档）所采用的格式化工具不同，提交 pr 之前必须确保代码、文档正确格式化。

• .{md,js,ts,php,sql,rs} 采用 prettier
• .{c,cpp,java} 采用 clang-format
• .{py} 采用 black
• .{go} 采用 gofmt
• 其它待完善

2. Git 提交信息

我们项目遵循 AngularJS Git Commit Message Conventions 规范，我们希望你的提交信息尽可能与项目保持一致。

• 新增或修改题解：feat: add/update solution(s) to lc problem(s): No.xxxx
• 修复错误：fix: xxxx
• 日常维护：chore: xxx

3. 其它补充

新增题解及代码时，需要创建 Solution.xxx 源代码文件（如果已存在，请确认算法是否更优，是则覆盖已有算法代码），同时，需要在 README.md 以及 README_EN.md 中添加对应的代码片段（英文文件中不要出现中文注释）
另外，编码风格（比如变量、函数的命名），尽量跟项目已有代码保持一致。

---

🤭 Thank you for your contribution. Please check if your changes comply with the following project specifications.

1. Formatting

We use different formatting tools for various programming languages (including documentation) in our project. You must ensure that the code and documentation are correctly formatted before submitting a pr.

• .{md,js,ts,php,sql,rs} use prettier
• .{c,cpp,java} use clang-format
• .{py} use black
• .{go} use gofmt
• Others to be improved

2. Git Commit Message

Our project follows the AngularJS Git Commit Message Conventions. We hope that your submission information is as consistent as possible with the project.

• Add or modify solutions: feat: add/update solution(s) to lc problem(s): No.xxxx
• Fix errors: fix: xxxx
• Routine maintenance: chore: xxx

3. Other notes

When adding solutions and code, you need to create a Solution.xxx source code file (if it already exists, please confirm whether the algorithm is better, if yes, overwrite the existing algorithm code), and at the same time, you need to add the corresponding code snippets in README.md and README_EN.md (do not have Chinese comments in the English file)
In addition, the coding style (such as the naming of variables and functions) should be as consistent as possible with the existing code in the project.

[barakharyati]

@idoocs @EthanCai @seamile @gsbabil
That's an Urgent Vulnerability Fix