peter-evans/create-pull-request
1
0
Fork 0
mirror of https://github.com/peter-evans/create-pull-request.git synced 2026-05-14 10:32:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d9ef76f1acf12c702bd1cf5c9e2c307781088c48
create-pull-request/dist
T
History
Peter Evans d9ef76f1ac fix(security): prevent path traversal in credentials file deletion 
Use path.resolve() to normalize paths before comparison in
removeIncludeIfCredentials(). The previous startsWith() check was
vulnerable to path traversal attacks where a path like
"/tmp/runner/../../../etc/passwd" would pass the check but resolve
outside RUNNER_TEMP.

Also append path.sep to prevent false positives (e.g., /tmp/runner2
matching /tmp/runner).
2026-01-23 10:06:08 +00:00
..
790.index.js
build: update distribution (#4095)
2025-08-05 18:15:22 +01:00
index.js
fix(security): prevent path traversal in credentials file deletion
2026-01-23 10:06:08 +00:00