The current behavior of actions/cache is to always do both a restore and a save step. Even though its documented to never run save from an untrusted source.
Cache poisoning attacks were used against an nom package yesterday, the attack used a pull_request_target workflow to accomplish it.
In order to be secure by default, I propose to update actions/cache to take its own recommended practices in account and to make the save step conditional on the trigger not being prt.
I understand there are probably still other ways to accomplish cache poinsening, but this would go a long way in reducing yet another angle of the pull_request_target triggers dangers.
Alternatively, cache/save or cache could use pick another branch to cache against, not the target branch, main in this case, but the source branch, pulls/123.
The current behavior of actions/cache is to always do both a restore and a save step. Even though its documented to never run save from an untrusted source.
Cache poisoning attacks were used against an nom package yesterday, the attack used a pull_request_target workflow to accomplish it.
In order to be secure by default, I propose to update actions/cache to take its own recommended practices in account and to make the save step conditional on the trigger not being prt.
I understand there are probably still other ways to accomplish cache poinsening, but this would go a long way in reducing yet another angle of the pull_request_target triggers dangers.
Alternatively, cache/save or cache could use pick another branch to cache against, not the target branch, main in this case, but the source branch, pulls/123.