В недрах кода GitHub скрыто немало пасхалок. Здесь мы поговорим о некоторых из них. Кстати, вы знали о том, что фразу «Easter egg» («пасхальное яйцо», в просторечии — «пасхалка») придумал в 1979 году Стив Райт — директор по разработке программного обеспечения Atari? Если вы смотрели фильм «Первому игроку приготовиться» — значит вам всё уже должно быть понятно. Вот фрагмент фильма, где игрок находит первую в мире пасхалку, скрытую в классической игре Adventure. Читать дальше →
A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise…
A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise…
github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0` and prior to version 4.4.1, this action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. This can be used to execute code on the GitHub runners…