
fix: Make lighthouse report actually work #10863

Closed

Conversation

AaronDewes

Previously, this workflow just checked out the main branch, which caused the report to be pretty useless.

Pre-flight checklist

  • I have read the Contributing Guidelines on pull requests.
  • If this is a code change: I have written unit tests and/or added dogfooding pages to fully verify the new behavior.
  • If this is a new API or substantial change: the PR has an accompanying issue (closes #0000) and the maintainers have approved on my working plan.

Motivation

Test Plan

Test links

Deploy preview: https://deploy-preview-_____--docusaurus-2.netlify.app/

Related issues/PRs

@facebook-github-bot
Contributor

Hi @AaronDewes!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at [email protected]. Thanks!

@AaronDewes AaronDewes marked this pull request as draft January 24, 2025 12:36
@facebook-github-bot
Contributor

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@facebook-github-bot facebook-github-bot added the CLA Signed Signed Facebook CLA label Jan 24, 2025

netlify bot commented Jan 24, 2025

[V2]

Built without sensitive environment variables

| Name | Link |
|---|---|
| 🔨 Latest commit | 1a6bca2 |
| 🔍 Latest deploy log | https://app.netlify.com/sites/docusaurus-2/deploys/67952fb4de2fbe0008a3d9e9 |
| 😎 Deploy Preview | https://deploy-preview-10863--docusaurus-2.netlify.app |


github-actions bot commented Jan 24, 2025

⚡️ Lighthouse report for the deploy preview of this PR

| URL | Performance | Accessibility | Best Practices | SEO | Report |
|---|---|---|---|---|---|
| / | 🔴 38 | 🟢 98 | 🟢 96 | 🟢 100 | Report |
| /docs/installation | 🟠 50 | 🟢 97 | 🟢 100 | 🟢 100 | Report |
| /docs/category/getting-started | 🟠 73 | 🟢 100 | 🟢 100 | 🟠 86 | Report |
| /blog | 🟠 63 | 🟢 96 | 🟢 100 | 🟠 86 | Report |
| /blog/preparing-your-site-for-docusaurus-v3 | 🟠 64 | 🟢 92 | 🟢 100 | 🟢 100 | Report |
| /blog/tags/release | 🟠 63 | 🟢 96 | 🟢 100 | 🟠 86 | Report |
| /blog/tags | 🟠 73 | 🟢 100 | 🟢 100 | 🟠 86 | Report |


@slorber slorber left a comment


Agree we have a problem, but what you propose presents a vulnerability risk.

TL;DR: Combining pull_request_target workflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise.

https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Given your security / hacker background found publicly, I wonder if you did it purposefully or if it's an honest mistake.

@slorber slorber closed this Feb 21, 2025
@AaronDewes
Author

Hi @slorber.

First, I actually found this issue when researching such insecure actions. I've reported a similar security issue in the facebook/lexical repository through your bug bounty program, as well as similar issues in other orgs' repositories.

This PR is by no means a social engineering attempt or similar to introduce a vulnerability. As I am familiar with this issue, I was rather checking if this can be exploited.

If you check the file again, it starts with

```yaml
permissions:
  contents: read
```

This means the token exposed to this repository has only read access to the repo contents, and cannot do anything. There are numerous examples on GitHub of repositories which use similar methods; I can search for one and link it here later.

@AaronDewes
Author

An example from Microsoft would be: https://github.com/Azure/azure-cli-extensions/blob/main/.github/workflows/ProcessCodeReview.yml

This checks out "untrusted" code, but the permission settings in the YML make it safe.

Please re-open this PR if possible.
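The two patterns argued over above, as an added example that is neither the PR's nor the Docusaurus project's own workflow: the first block is the `pull_request_target` plus checkout-of-PR-head combination slorber's comment warns about, with the `permissions` key from AaronDewes's reply; the other two blocks are the split recommended in the linked GitHub Security Lab article, where the PR's code runs only in an unprivileged `pull_request` workflow and a `workflow_run` job holding write scope merely posts the uploaded result. File names, job names, the summary file and `DEPLOY_TOKEN` are placeholders.

```yaml
# --- risky.yml: the combination to avoid ---
on: pull_request_target            # privileged trigger: base-repo secrets are in scope
permissions: {contents: read}      # restricts GITHUB_TOKEN only, not secrets.*
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: {ref: "${{ github.event.pull_request.head.sha }}"}   # untrusted PR code
      - run: npm ci && npm run build   # executes the PR's own package.json scripts
        env: {DEPLOY_TOKEN: "${{ secrets.DEPLOY_TOKEN }}"}          # placeholder; exposed to that code

# --- lighthouse-build.yml: unprivileged half, the only place PR code runs ---
name: lighthouse-build
on: pull_request                   # fork PRs get a read-only token and no secrets
permissions: {contents: read}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # default ref is the PR merge commit, fine here
      - run: npm ci && npm run build
      # write lighthouse-result/summary.md from the build here (tool invocation omitted)
      - run: mkdir -p lighthouse-result && echo "${{ github.event.number }}" > lighthouse-result/pr-number.txt
      - uses: actions/upload-artifact@v4
        with: {name: lighthouse-result, path: lighthouse-result/}

# --- lighthouse-comment.yml: privileged half, runs no PR code ---
on:
  workflow_run: {workflows: [lighthouse-build], types: [completed]}
permissions: {pull-requests: write}   # write scope lives only in this workflow
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: lighthouse-result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: |                       # artifact contents are untrusted data: validate before use
          PR=$(tr -dc '0-9' < pr-number.txt)
          gh pr comment "$PR" --body-file summary.md
        env: {GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}", GH_REPO: "${{ github.repository }}"}
```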
