cabbagepatchman commented on PR #36339: URL: https://github.com/apache/airflow/pull/36339#issuecomment-1868072114
Hey Jarek, I appreciate the caution. I am a security researcher, and was testing the fork PR approval requirements, which it seems your team has thought about extensively. I apologize for not leaving a comment to attribute the PR to ongoing research. If it means anything, I have been researching CICD vulnerabilities for a while now and this is the first time a similar PR was picked up by the security team. I'll make sure to clarify my actions in the future. If you are able to share the defensive mechanism that prevented the WF, I'm very curious. My best guess is that the team forked the runner agent and modified the C# code to prohibit runs from fork PRs. Either way, props to you and your team.

On Thu, Dec 21, 2023 at 8:39 AM Jarek Potiuk wrote (https://github.com/apache/airflow/pull/36339#issuecomment-1866262336):

> Please avoid doing those kinds of PRs to Airflow. I was close to requesting you to be blocked by GitHub as an attempt to modify Airflow workflow and hacking it (your first PR was trying to do that). We are careful about those kinds of PRs and it brings attention of our security team - so if you are not a security researcher, don't do that, as you are at risk of GitHub blocking you on our request.
>
> And you are needlessly dragging attention of the security team by doing it.
>
> You can make a fork of Airflow and make pull requests to your own fork if you want to test something like that.
>
> Just a friendly warning.
