Improper Control of Dynamically-Managed Code Resources
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-913: Improper Control of Dynamically-Managed Code Resources |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
This GitHub Actions workflow uses the `pull_request_target` trigger and checks out code from the incoming pull request. Because `pull_request_target` runs in the context of the base repository, with access to its secrets, the checked-out pull request code executes in that privileged context, even when it comes from an external contributor.
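As an added example (not code from this rule page or its scanner), a small Python check that implements the two conditions described above on constructed workflow text: a `pull_request_target` trigger and an `actions/checkout` step whose `ref` resolves to the pull request head. It is a line-based heuristic, not a full YAML parser; the hardened variant simply drops the `ref` override so checkout takes the base branch, which is the default for this trigger.

```python
import re

# Constructed sample of the pattern this rule flags: privileged trigger plus checkout of the PR head.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed fix: without the 'ref' override, checkout takes the base branch, so PR code never runs here.
HARDENED_WORKFLOW = VULNERABLE_WORKFLOW.replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", "")

# Expressions that resolve to the untrusted pull request head.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")

def uses_pull_request_target(text):
    """Trigger given as scalar, flow list, block-list item or mapping key under 'on:'."""
    pattern = r"^on:.*\bpull_request_target\b|^\s*(-\s*)?pull_request_target\b"
    return re.search(pattern, text, re.M) is not None

def checks_out_pr_head(text):
    """True if an actions/checkout step sets 'ref' to the PR head."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "uses: actions/checkout" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        for nxt in lines[i + 1:]:
            stripped = nxt.strip()
            if stripped.startswith("- ") or (stripped and len(nxt) - len(nxt.lstrip()) < indent):
                break  # next step, or the steps block ended
            if stripped.startswith("ref:") and PR_HEAD_REF.search(stripped):
                return True
    return False

def is_pwn_request(text):
    """The rule fires only when both conditions hold."""
    return uses_pull_request_target(text) and checks_out_pr_head(text)
```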
Impact
An attacker could open a pull request whose code steals secrets such as API keys or deployment credentials, leading to source code leaks, unauthorized access, or further compromise of your repository and infrastructure.