Results 63 comments of Nikita Stupin

I didn't know it works this way. I'd think once tree-sitter is aware of an injected grammar it'd parse it too. Looks like it's not the case. If I find...

The changes in #15 should fix the problem. It may take some time for the .ics file to update. If the problem recurs, you can reopen this issue or open a new one! Thanks!

Hey @fproulx-boostsecurity! The script basically creates a test repo and shows that values of the `${{ github.event }}` object are "frozen" at the moment of running the workflow (or rather...

Yes, that's how it works in general. So far I have only one example and it's not fixed yet so unfortunately I can't disclose for now :)

Thanks for https://boostsecurityio.github.io/lotp/ by the way! I ought to add it to the README

> So in summary to find issues of this class one should look for the following?
>
> `pull_request_target` on the `labeled` trigger only + `actions/checkout` with `ref: ${{ github.event.pull_request.head.ref...

It's basically a TOCTOU vulnerability

Done https://github.com/nikitastupin/pwnhub/commit/aa736f201a4f5350df7ddfbafda4300a9f40bd31

https://api.thegraph.com/subgraphs/name/hats-finance/hats - for hats.finance

I think we can generate requests based solely on the method + path combination. Tags can be added to the request object later for later filtration.