Wait, how is it possible for anyone who opens a PR to issue dependabot commands ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		udev4096 7 months ago \| parent \| context \| favorite \| on: Weaponizing Dependabot: Pwn Request at its finest Wait, how is it possible for anyone who opens a PR to issue dependabot commands for main repository? There should be some kind of authorization in place to avoid it, right? Should it not ignore any commands coming from outside users who do not have commit access?

bavarianbob 7 months ago | [–]

This is explained here:

> Here's the trick: github.actor does not always refer to the actual creator of the Pull Request. It's the user who caused the latest event that triggered the workflow.

bugtodiffer 7 months ago | [–]

its a fork

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact