AppVeyor: Discussion 2018-08-25T01:58:30Z
Pull requests always create artifacts, potentially letting users download malicious code
2015-07-31T04:02:13Z
<div><p>Many projects have a link to the build artifacts for their
latest binaries. This can be misused by an evil user to add
malicious code to open source projects.</p>
<p>I've not been able to figure out a way to disable building pull
requests. Did I miss an option?</p>
<p>This is what an evil user could do:</p>
<ul>
<li>
<p>Fork any project that creates artifacts with binaries</p>
</li>
<li>
<p>Add malicious code to the fork</p>
</li>
<li>
<p>Push code to GitHub</p>
</li>
<li>
<p>Add a pull request</p>
</li>
<li>
<p>AppVeyor builds the new pull request and adds an artifact with
the now malicious binaries</p>
</li>
<li>
<p>A user clicks the "Latest build" link from the open source
project and is directed to the artifacts page on AppVeyor</p>
</li>
<li>
<p>User runs the malicious program and is now infected</p>
</li>
</ul></div>X.Y
2015-07-31T19:32:22Z
<div><p>To disable pull request builds, open AppVeyor's webhook settings
on GitHub and disable the "pull request" event.</p></div>Feodor Fitsner
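One way to audit for the setting described in the reply above, as an added example that is not part of the original thread or AppVeyor's own code: it scans a GitHub "list repository webhooks" response for active hooks that still deliver pull request events to the CI service and builds the matching update body. The hook data is constructed, and the `ci.appveyor.com` host and the choice of `push` as the only remaining event are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a GitHub "list repository webhooks" response
# (GET /repos/{owner}/{repo}/hooks); ids and URLs are made up.
SAMPLE_HOOKS = json.loads("""[
  {"id": 101, "active": true, "events": ["push", "pull_request"],
   "config": {"url": "https://ci.appveyor.com/api/github/webhook?id=EXAMPLE1"}},
  {"id": 102, "active": true, "events": ["*"],
   "config": {"url": "https://ci.appveyor.com/api/github/webhook?id=EXAMPLE2"}},
  {"id": 103, "active": true, "events": ["push"],
   "config": {"url": "https://ci.appveyor.com/api/github/webhook?id=EXAMPLE3"}},
  {"id": 104, "active": true, "events": ["pull_request"],
   "config": {"url": "https://hooks.example.org/notify"}},
  {"id": 105, "active": false, "events": ["pull_request"],
   "config": {"url": "https://ci.appveyor.com/api/github/webhook?id=EXAMPLE4"}}
]""")

CI_HOST = "ci.appveyor.com"  # assumption: host of the AppVeyor webhook URL


def pr_build_hooks(hooks, ci_host=CI_HOST):
    """Return active hooks that deliver pull request events to the CI host."""
    found = []
    for hook in hooks:
        host = urlparse(hook.get("config", {}).get("url", "")).hostname
        events = set(hook.get("events", []))
        if hook.get("active") and host == ci_host and events & {"pull_request", "*"}:
            found.append(hook)
    return found


def patch_body(hook):
    """Body for PATCH /repos/{owner}/{repo}/hooks/{id} that stops PR deliveries."""
    if "*" in hook["events"]:
        # A wildcard has no "pull_request" entry to remove, so set an
        # explicit event list instead (push only, as an assumption).
        return {"events": ["push"]}
    remaining = [e for e in hook["events"] if e != "pull_request"]
    if not remaining:
        # Nothing else is subscribed: deactivate rather than send an empty list.
        return {"active": False}
    return {"remove_events": ["pull_request"]}


if __name__ == "__main__":
    for hook in pr_build_hooks(SAMPLE_HOOKS):
        print(hook["id"], json.dumps(patch_body(hook)))
```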