Guard against malicious ecosystem comment artifacts (#11879)

astral-sh · Jun 14, 2024 · 2d6d85e · 2d6d85e
1 parent 4f49e91
commit 2d6d85e
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml
@@ -48,6 +48,14 @@ jobs:
         id: generate-comment
         if: steps.download-ecosystem-result.outputs.found_artifact == 'true'
         run: |
+          // Guard against malicious ecosystem results that symlink to a secret
+          // file on this runner
+          if [[ -L pr/ecosystem/ecosystem-result ]]
+          then
+              echo "Error: ecosystem-result cannot be a symlink"
+              exit 1
+          fi
+
           # Note this identifier is used to find the comment to update on
           # subsequent runs
           echo '<!-- generated-comment ecosystem -->' >> comment.txt