Jaroslav Lobačevski
@am0o0 Could you please change the pull request from draft to ready for review, so someone from JavaScript CodeQL team can take a look?
@dirkf Could you please confirm that the email to report potential security issues is fieldhousegmx.net?
Is it ready for review? I think it is a useful addition.
Thank you for your report, I wasn't aware of that. I know that installing the monitor takes time and this is a potential overhead for every run. But a significant...
I just released https://github.com/GitHubSecurityLab/actions-permissions/releases/tag/v1.0.2-beta6 with a new mitmproxy version. Could you please try it?
As a workaround it is possible to run `pip3 list -o | cut -f1 -d' ' | tr " " "\n" | awk '{if(NR>=3)print}' | cut -d' ' -f1 |...
Hi, I have released a new version of `GitHubSecurityLab/actions-permissions` that fixes the `unknown permission` and also fixes running on MacOS 15. You should bump to `37c927c24552caa0ef6040ab0876db729cc12754`. However I looked at...
Though it looks like `This feature is included in the StepSecurity enterprise tier`.
Artifacts are strange beasts. Uploading artifacts doesn't use github token, so no permission is required. Downloading artifacts for public repositories doesn't require permissions. For private - `actions: read` is needed....