Hash-pin workflow GitHub Actions

Bug #2043502 reported by Pedro Kaj Kjellerup Nacht
Affects: lxml
Status: Fix Released
Importance: Medium
Assigned to: scoder

Bug Description

Hey, it's Pedro (see [1] and [2]) and I'm back with another security suggestion.

When developing with CI workflows, it's common to version-pin dependencies (i.e. `actions/checkout@v4`). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.

Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.

These hashes will be automatically updated by dependabot. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment. In fact, I can modify the dependabot config to receive a single PR with all new Actions instead of one PR per Action (see [3] for an example PR).

I'll send a PR pinning the Actions along with this issue.

[1]: https://github.com/lxml/lxml/pull/369
[2]: https://github.com/lxml/lxml/pull/372
[3]: https://github.com/pnacht/libarchive/pull/9
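A small checker for the pattern the report describes, added here as an example and not part of lxml or of the PR mentioned above. It scans the `uses:` lines of a workflow, reports actions pinned only by a mutable tag, and shows the rewrite a hash-pinning PR makes (full commit SHA, with the version kept as a trailing comment so dependabot can track it). The workflow text and the 40-character SHA values are constructed placeholders, not real commits.

```python
import re

# Constructed sample workflow (not lxml's real CI file). One step uses a mutable
# tag, one is already pinned to a placeholder commit SHA with a version comment,
# and one is a local action that has no remote ref to pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5.0.0
      - uses: ./.github/actions/local-step
      - run: python -m pytest
"""

# Matches "- uses: owner/repo@ref" with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?$")
# A full git commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Classify an action reference as 'local', 'sha', 'tag' or 'unpinned'."""
    if ref.startswith("./"):
        return "local"          # path inside the repository, nothing to pin
    if "@" not in ref:
        return "unpinned"       # no ref at all, resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(version) else "tag"


def find_mutable_pins(workflow_text: str):
    """Return [(line_no, ref, kind)] for every action not pinned to a commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_uses(ref)
        if kind in ("tag", "unpinned"):
            findings.append((n, ref, kind))
    return findings


def pin_line(line: str, sha: str) -> str:
    """Rewrite a tag-pinned `uses:` line to the SHA form, keeping the tag as a comment.

    `sha` is supplied by the caller (resolved out of band from the tag); this
    function does no network access.
    """
    m = USES_RE.match(line)
    if not m or classify_uses(m.group(1)) != "tag":
        return line
    ref = m.group(1)
    action, version = ref.rsplit("@", 1)
    prefix = line[: line.index(ref)]
    return f"{prefix}{action}@{sha}  # {version}"


if __name__ == "__main__":
    for line_no, ref, kind in find_mutable_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is pinned by {kind}, not by commit SHA")
    # Placeholder SHA, constructed for illustration only.
    fake_sha = "a" * 40
    print(pin_line("      - uses: actions/checkout@v4", fake_sha))
```

Running it against the constructed workflow flags only `actions/checkout@v4`; the `setup-python` step passes because its ref is a 40-hex SHA, and the local action is skipped. The version comment that `pin_line` emits is what lets dependabot keep both the hash and the human-readable version in step when a new release is tagged.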

scoder (scoder) wrote:
Changed in lxml:
assignee: nobody → scoder (scoder)
importance: Undecided → Medium
milestone: none → 5.0
status: New → Fix Released