Pull requests always create artifacts, potentially letting users download malicious code
Many projects have a link to the build artifacts for their latest binaries. This can be misused by an evil user to add malicious code to open source projects.
I've not been able to figure out a way to disable building pull requests. Did I miss an option?
This is what an evil user could do:
- Fork any project that creates artifacts with binaries
- Add malicious code to the fork
- Push code to GitHub
- Add a pull request
- AppVeyor builds the new pull request and adds an artifact with the now malicious binaries
- A user clicks the "Latest build" link from the open source project and is directed to the artifacts page on AppVeyor
- User runs the malicious program and is now infected
Support Staff 1 Posted by Feodor Fitsner on 31 Jul, 2015 07:32 PM
To disable pull request builds, open AppVeyor's webhook settings on GitHub and disable the "pull request" event.
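An added example (not code from this thread, AppVeyor or GitHub) of auditing the fix above from the defender's side: it takes the JSON a repository's webhook list returns (shape of GitHub's `GET /repos/{owner}/{repo}/hooks`, sample data constructed here), flags every active hook that fires on `pull_request`, and builds the `PATCH` body that drops that event. A hook subscribed to the `*` wildcard is reported separately, since its event list must be rewritten explicitly rather than filtered.

```python
import json
from typing import Any, Optional

# Constructed sample mirroring the GitHub webhook list response; only the
# fields the audit uses are kept. URLs and ids are placeholders.
SAMPLE_HOOKS_JSON = """
[
  {"id": 101, "name": "web", "active": true,
   "events": ["push", "pull_request"],
   "config": {"url": "https://ci.example.invalid/github/webhook?id=PLACEHOLDER-A"}},
  {"id": 102, "name": "web", "active": true,
   "events": ["push"],
   "config": {"url": "https://other-ci.example.invalid/hook"}},
  {"id": 103, "name": "web", "active": false,
   "events": ["pull_request"],
   "config": {"url": "https://ci.example.invalid/github/webhook?id=PLACEHOLDER-B"}},
  {"id": 104, "name": "web", "active": true,
   "events": ["*"],
   "config": {"url": "https://ci.example.invalid/github/webhook?id=PLACEHOLDER-C"}}
]
"""


def load_sample_hooks() -> list[dict[str, Any]]:
    """Parse the constructed sample into the list the API would return."""
    return json.loads(SAMPLE_HOOKS_JSON)


def hooks_building_pull_requests(hooks: list[dict[str, Any]]) -> list[int]:
    """Ids of active hooks that fire on pull_request, directly or via '*'.

    Each of these lets a fork's pull request trigger a build, which is the
    condition the original post relies on.
    """
    return [h["id"] for h in hooks
            if h.get("active") and ({"pull_request", "*"} & set(h.get("events", [])))]


def patch_body_without_pull_request(hook: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Body for PATCH /repos/{owner}/{repo}/hooks/{id} minus pull_request.

    Returns None for a '*' subscription: GitHub has no 'all but one' form,
    so the owner must list the wanted events explicitly.
    """
    events = hook.get("events", [])
    if "*" in events:
        return None
    return {"events": [e for e in events if e != "pull_request"]}


if __name__ == "__main__":
    hooks = load_sample_hooks()
    for hook in hooks:
        if hook["id"] in hooks_building_pull_requests(hooks):
            print(hook["id"], hook["config"]["url"], "->", patch_body_without_pull_request(hook))
```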
Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 01:58 AM.