create-pull-request

mirror of https://github.com/peter-evans/create-pull-request.git synced 2026-06-06 03:17:05 +00:00

History

Peter Evans d9ef76f1ac fix(security): prevent path traversal in credentials file deletion Use path.resolve() to normalize paths before comparison in removeIncludeIfCredentials(). The previous startsWith() check was vulnerable to path traversal attacks where a path like "/tmp/runner/../../../etc/passwd" would pass the check but resolve outside RUNNER_TEMP. Also append path.sep to prevent false positives (e.g., /tmp/runner2 matching /tmp/runner).	2026-01-23 10:06:08 +00:00
..
790.index.js	build: update distribution (#4095 )	2025-08-05 18:15:22 +01:00
index.js	fix(security): prevent path traversal in credentials file deletion	2026-01-23 10:06:08 +00:00

Peter Evans d9ef76f1ac fix(security): prevent path traversal in credentials file deletion

Use path.resolve() to normalize paths before comparison in
removeIncludeIfCredentials(). The previous startsWith() check was
vulnerable to path traversal attacks where a path like
"/tmp/runner/../../../etc/passwd" would pass the check but resolve
outside RUNNER_TEMP.

Also append path.sep to prevent false positives (e.g., /tmp/runner2
matching /tmp/runner).

2026-01-23 10:06:08 +00:00

790.index.js

build: update distribution (#4095 )

2025-08-05 18:15:22 +01:00

index.js

fix(security): prevent path traversal in credentials file deletion

2026-01-23 10:06:08 +00:00