top | item 45676293

(no title)

kevinsundar | 4 months ago

This may not be a huge issue depending on mitigating controls, but are they saying that anyone can submit a PR (containing anything) to Immich, tag the PR with `preview` and have the contents of that PR hosted on https://pr-<num>.preview.internal.immich.cloud?

Doesn't that effectively let anyone host anything there?

daemonologist | 4 months ago

I think only collaborators can add labels on github, so not quite. Does seem a bit hazardous though (you could submit a legit PR, get the label, and then commit whatever you want?).

ajross | 4 months ago

Exposure also extends not just to the owner of the PR but to anyone with write access to the branch from which it was submitted. GitHub pushes are SSH-authenticated and often automated in many workflows.

rixed | 4 months ago

So basically like https://docs.google.com/ ?

jeroenhd | 4 months ago

Yes, except on Google Docs you can't make the document steal credentials or download malware by simply clicking on the link.

It's more like sites.google.com.

bo0tzz | 4 months ago

No, it doesn't work at all for PRs from forks.

tgsovlerkhgsel | 4 months ago

That was my first thought - have the preview URLs possibly actually been abused through GitHub?

warkdarrior | 4 months ago

Excellent idea for cost-free phishing.