AppVeyor: Discussion (2018-10-19T08:19:00Z)
Exploitable scenario in Appveyer?

Comment 2018-10-16T14:06:40Z
<div><p>Hello,</p>
<p>For secrets, please use <a href="https://www.appveyor.com/docs/build-configuration/#secure-variables">secure variables</a>.</p>
<p>Publishing is not enabled for pull requests, for the apparent security reasons you just mentioned. So you should be safe.</p>
<p>Please let us know if this makes sense.</p></div>
Ilya Finkelshteyn

Comment 2018-10-16T14:14:53Z
<div><p>Hi Ilya, thanks for the reply.</p>
<p>We are using secure variables already. Here is our current appveyor.yml file:<br>
<a href="https://github.com/Kukks/NBitcoin/blob/master/appveyor.yml">https://github.com/Kukks/NBitcoin/blob/master/appveyor.yml</a></p>
<p>Wouldn't anyone be able to:<br>
* Fork<br>
* Modify appveyor.yml to make use of the GitHub token and push bad code to the repository<br>
* Open a pull request<br>
* AppVeyor runs on the pull request and executes the malicious yml file?</p>
<p>We basically do this in the <code>on_success</code> step:<br></p>
<pre>
<code>on_success:
  - ps: |
      # Publish docs only when this is not a pull-request build.
      if (-not (Test-Path env:APPVEYOR_PULL_REQUEST_NUMBER)) {
          Write-Host "Generating Docs"
          cinst docfx
          # Store the GitHub token so the git push in release.sh can authenticate.
          # The path needs the separator: "$env:USERPROFILE.git-credentials" would
          # resolve to a file named "&lt;profile&gt;.git-credentials" next to the profile.
          git config --global credential.helper store
          Add-Content "$env:USERPROFILE\.git-credentials" "https://$($env:github_access_token):x-oauth-basic@github.com`n"
          # This is a ps: step, so variables are $env:NAME; cmd-style %NAME% is not expanded here.
          git config --global user.email $env:github_email
          git config --global user.name $env:github_user
          sh ./docs/release.sh
      } else {
          Write-Host "Identified build as PR [$env:APPVEYOR_PULL_REQUEST_NUMBER], skipping docs gen"
      }</code>
</pre></div>
evilkukka

Comment 2018-10-16T16:22:09Z
<div><p>Secure variables are not available in pull requests for the same security reasons. You can enable them (in the UI only) for PRs from the same repository, but we do not even expose the possibility of enabling them for PRs from a fork.</p></div>
Ilya Finkelshteyn

Comment 2018-10-16T16:46:48Z
<div><p>That's great to hear, I just saw it in the documentation.</p>
<p>Thanks!</p></div>
evilkukka
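As an added example (not the thread's own appveyor.yml, nor AppVeyor's code), the following PowerShell shows how the <code>on_success</code> guard discussed above can be hardened for an AppVeyor <code>ps:</code> step. It assumes the same secure variables as the thread (<code>github_access_token</code>, <code>github_user</code>, <code>github_email</code>) and that <code>./docs/release.sh</code> builds the docs into the working tree without pushing; the remote name <code>origin</code> and docs branch <code>gh-pages</code> are placeholders. Beyond the thread's single PR check it also gates on the branch and on the token actually being present, and it passes the token to a single <code>git push</code> instead of writing it into <code>~/.git-credentials</code>.

```powershell
# Added example: hardened publish guard for an AppVeyor `ps:` step.
# Assumptions: secure variables github_access_token / github_user / github_email,
# ./docs/release.sh builds docs into the working tree, docs live on 'gh-pages' at 'origin'.

function Test-ShouldPublish {
    param(
        [string]$PullRequestNumber = $env:APPVEYOR_PULL_REQUEST_NUMBER,
        [string]$Branch            = $env:APPVEYOR_REPO_BRANCH,
        [string]$Token             = $env:github_access_token,
        [string]$ReleaseBranch     = 'master'
    )
    # 1. Never publish from a pull-request build: its yml and scripts come from the PR author.
    if (-not [string]::IsNullOrEmpty($PullRequestNumber)) {
        Write-Host "PR build [$PullRequestNumber]: skipping publish"
        return $false
    }
    # 2. Publish only from the release branch. On PR builds APPVEYOR_REPO_BRANCH holds the
    #    *target* branch, so this check alone would not catch a PR; check 1 must come first.
    if ($Branch -ne $ReleaseBranch) {
        Write-Host "Branch '$Branch' is not '$ReleaseBranch': skipping publish"
        return $false
    }
    # 3. Where AppVeyor withholds secure variables (fork PRs) they are empty. Treat an empty
    #    token as a second, independent signal not to publish instead of pushing with no credentials.
    if ([string]::IsNullOrEmpty($Token)) {
        Write-Host "github_access_token not available in this build: skipping publish"
        return $false
    }
    return $true
}

function Publish-Docs {
    param(
        [string]$Token  = $env:github_access_token,
        [string]$User   = $env:github_user,
        [string]$Email  = $env:github_email,
        [string]$Remote = 'origin',      # placeholder
        [string]$Branch = 'gh-pages'     # placeholder
    )
    git config user.name  $User
    git config user.email $Email
    # Send the token as a per-invocation HTTP header rather than storing it in
    # ~/.git-credentials, where it would persist for the rest of the build.
    # $auth is never echoed, so the token does not reach the build log.
    $auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${User}:${Token}"))
    git -c "http.extraheader=AUTHORIZATION: basic $auth" push $Remote $Branch
    if ($LASTEXITCODE -ne 0) {
        throw "git push to $Remote/$Branch failed (exit code $LASTEXITCODE)"
    }
}

if (Test-ShouldPublish) {
    Write-Host "Generating docs"
    cinst docfx
    sh ./docs/release.sh
    Publish-Docs
}
```

The guard only matters for builds that actually receive the secure variables (pushes to the repository, or same-repository PRs if that is enabled in the UI): for a fork PR the author can rewrite the whole yml, including this check, so the protection there is AppVeyor withholding the variables, as Ilya describes. The header-based push still exposes the base64 value in the process command line for the duration of the push, which is shorter-lived than a credentials file but not invisible on the build machine.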