Pull requests always create artifacts, potentially letting users download malicious code

X.Y

31 Jul, 2015 04:02 AM

Many projects have a link to the build artifacts for their latest binaries. This can be misused by an evil user to add malicious code to open source projects.

I've not been able to figure out a way to disable building pull requests. Did I miss an option?

This is what an evil user could do:

- Fork any project that creates artifacts with binaries

- Add malicious code to the fork

- Push code to GitHub

- Add a pull request

- AppVeyor builds the new pull request and adds an artifact with the now malicious binaries

- A user clicks the "Latest build" link from the open source project and is directed to the artifacts page on AppVeyor

- User runs the malicious program and is now infected

  1. Posted by Feodor Fitsner (Support Staff) on 31 Jul, 2015 07:32 PM

    To disable pull request builds, open AppVeyor's webhook settings on GitHub and disable the "pull request" event.
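    The webhook change above stops pull request builds entirely. A project that still wants CI feedback on pull requests can instead keep the build but withhold the artifact. The following appveyor.yml is an added example, not from this thread or from AppVeyor's documentation; it assumes a Visual Studio solution named MyProject.sln (placeholder) whose Release build drops MyProject.exe into bin\Release, and it relies on the APPVEYOR_PULL_REQUEST_NUMBER environment variable, which AppVeyor sets only on pull request builds.

```yaml
# appveyor.yml (added example; MyProject.sln and the bin\Release path are placeholders)
version: 1.0.{build}

configuration: Release

build:
  project: MyProject.sln
  verbosity: minimal

# Deliberately no top-level "artifacts:" section: that section publishes on
# every build, including builds of pull requests from forks, which is the
# behaviour that lets a fork's binaries appear under the project's own
# "Latest build" link.

after_build:
  # APPVEYOR_PULL_REQUEST_NUMBER is defined only when the build was triggered
  # by a pull request. Publish the binary only when it is absent, i.e. for
  # pushes to the project's own branches.
  - cmd: IF DEFINED APPVEYOR_PULL_REQUEST_NUMBER (echo Pull request build %APPVEYOR_PULL_REQUEST_NUMBER%: artifacts not published) ELSE (appveyor PushArtifact bin\Release\MyProject.exe)
```

    With this layout a pull request still compiles and runs tests, so reviewers get pass/fail feedback, but the artifacts page for a pull request build stays empty and the project's download link only ever points at binaries built from code that a maintainer has merged.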

  2. Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 01:58 AM.
