From 4bd711e1c424b0aafd63f70820fb1aeee518df41 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Thu, 28 May 2026 12:39:12 +0200
Subject: [PATCH] fix(security): avoid fetching untrusted proof refs
---
 .github/workflows/mantis-telegram-desktop-proof.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/mantis-telegram-desktop-proof.yml b/.github/workflows/mantis-telegram-desktop-proof.yml
index d1dcae85451..a0f7ab6f4ba 100644
--- a/.github/workflows/mantis-telegram-desktop-proof.yml
+++ b/.github/workflows/mantis-telegram-desktop-proof.yml
@@ -241,9 +241,6 @@ jobs:
 set -euo pipefail
 git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
-if [[ -n "${PR_NUMBER:-}" ]]; then
-git fetch --no-tags origin "+refs/pull/${PR_NUMBER}/head:refs/remotes/origin/pr/${PR_NUMBER}" || true
-fi
 resolve_commit() {
 local input_ref="$2"
@@ -257,7 +254,6 @@ jobs:
 }
 baseline_revision="$(resolve_commit baseline "$BASELINE_REF")"
-candidate_revision="$(resolve_commit candidate "$CANDIDATE_REF")"
 if ! git merge-base --is-ancestor "$baseline_revision" refs/remotes/origin/main; then
 echo "baseline ref '${BASELINE_REF}' resolved to ${baseline_revision}, which is not on main." >&2
 exit 1
@@ -271,6 +267,11 @@ jobs:
 pr_state="$(jq -r '.state' <<<"$pr_head")"
 pr_head_sha="$(jq -r '.head_sha' <<<"$pr_head")"
 pr_head_repo="$(jq -r '.head_repo' <<<"$pr_head")"
+candidate_revision="$CANDIDATE_REF"
+if [[ ! "$candidate_revision" =~ ^[0-9a-f]{40}$ ]]; then
+echo "candidate ref '${CANDIDATE_REF}' is not an immutable commit SHA." >&2
+exit 1
+fi
 if [[ "$pr_state" != "open" || "$candidate_revision" != "$pr_head_sha" ]]; then
 echo "candidate ref '${CANDIDATE_REF}' resolved to ${candidate_revision}, which is not the open PR head." >&2
 exit 1
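Review bot: In the third hunk `candidate_revision` is now only a validated string, and since the `refs/pull/<n>/head` fetch was dropped in the first hunk nothing in the visible script brings the candidate commit object into the local repository any more; if a later step (outside this hunk) checks out or diffs `candidate_revision`, it will presumably need an explicit `git fetch --no-tags origin "$candidate_revision"` placed after the open-PR-head comparison has passed, so that only an API-confirmed SHA is ever fetched. The lowercase-only `^[0-9a-f]{40}$` pattern is stricter than what git itself accepts, which is appropriate here because the following byte-for-byte comparison with `pr_head_sha` depends on it, but that intent deserves a comment such as `# CANDIDATE_REF must be a full lowercase SHA: immutable, and comparable verbatim with the API's head_sha`. The error message in the next `if` still reads "resolved to ${candidate_revision}", which after this change always repeats `CANDIDATE_REF` verbatim; `echo "candidate ref '${CANDIDATE_REF}' is not the open PR head (${pr_head_sha})." >&2` would carry more information. The enclosing run block starts and ends outside the hunk.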