mirror of
https://github.com/zizmorcore/zizmor.git
synced 2025-12-23 08:47:33 +00:00
## `ref-confusion`

| Audit ID | Type | Examples |
|---|---|---|
| `ref-confusion` | Workflow | `ref-confusion.yml` |
### What

As with impostor commits, actions referenced by a symbolic ref in their `uses:` clause are subject to a degree of ambiguity: a ref like `@v1` might resolve to either a branch or a tag of that name.
### Why

An attacker can exploit this ambiguity by publishing a branch or tag whose name collides with a legitimate ref and takes precedence over it. Doing so delivers a malicious action to pre-existing consumers of that action without modifying those consumers at all: every workflow that references the same symbolic ref silently picks up the attacker's version.
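The following is an added illustration of the check this audit performs, written here as stand-alone Python; it is not zizmor's own code. It scans the `uses:` lines of a constructed workflow and flags any symbolic ref that exists as both a branch and a tag in the referenced repository. The repository names (`octo-org/...`) and their branch/tag listings are hypothetical stand-ins for what a real audit would obtain from the remote (for example via `git ls-remote --heads --tags`). A full 40-hex-digit commit SHA names exactly one object and is classified as unambiguous, which is why pinning to a SHA is the usual remediation.

```python
import re

# Constructed sample workflow; not taken from zizmor's test suite.
WORKFLOW = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: ambiguous ref
        uses: octo-org/confused-action@v1
      - uses: octo-org/good-action/subdir@v1
      - uses: octo-org/good-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
"""

# Constructed stand-in for each repository's branch and tag listing.
# A real audit would fetch these from the remote; every name here is hypothetical.
REPO_REFS = {
    "actions/checkout": {"branches": {"main"}, "tags": {"v4", "v4.1.0"}},
    "octo-org/good-action": {"branches": {"main"}, "tags": {"v1", "v1.2.0"}},
    # Both a branch and a tag named `v1`: which one `@v1` resolves to is ambiguous.
    "octo-org/confused-action": {"branches": {"main", "v1"}, "tags": {"v1", "v1.0.0"}},
}

# `uses: owner/repo[/subpath]@ref`; the optional leading `-` covers list-item form.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)@(\S+)\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (owner/repo, ref) for every remote `uses:` that carries an explicit ref.

    Local (`./...`) and `docker://` uses carry no git ref, so they never match."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        path, ref = m.groups()
        repo = "/".join(path.split("/")[:2])  # drop any subpath inside the repo
        found.append((repo, ref))
    return found


def classify_ref(repo_refs, repo, ref):
    """Classify a ref as sha, tag, branch, ambiguous (both tag and branch) or unknown."""
    if SHA_RE.match(ref):
        return "sha"  # a full commit SHA names one object; no branch/tag lookup happens
    refs = repo_refs.get(repo)
    if refs is None:
        return "unknown"
    is_branch = ref in refs["branches"]
    is_tag = ref in refs["tags"]
    if is_branch and is_tag:
        return "ambiguous"
    if is_tag:
        return "tag"
    if is_branch:
        return "branch"
    return "unknown"


def ambiguous_uses(workflow_text, repo_refs):
    """The ref-confusion findings: uses whose ref is both a branch and a tag."""
    return [
        (repo, ref)
        for repo, ref in parse_uses(workflow_text)
        if classify_ref(repo_refs, repo, ref) == "ambiguous"
    ]


if __name__ == "__main__":
    for repo, ref in ambiguous_uses(WORKFLOW, REPO_REFS):
        print(f"ref-confusion: {repo}@{ref} is both a branch and a tag; pin to a commit SHA")
```

Run against the constructed input, only `octo-org/confused-action@v1` is reported: `actions/checkout@v4` and `octo-org/good-action@v1` match a tag only, and the SHA-pinned step is skipped without any ref lookup.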