| | check-spelling | PowerToys |
|---|---|---|
| | 2 | 713 |
| Stars | 241 | 104,500 |
| Growth | 2.9% | 1.1% |
| Activity | 7.8 | 9.8 |
| Last commit | 3 days ago | 5 days ago |
| Language | Shell | C# |
| License | MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
check-spelling
-
Add check-spelling to a repository
-
GitHub Actions checkspelling community workflow GitHub_TOKEN leakage via symlink
> If my repo always runs all tests on a PR, could someone just add a PR with a new test that is then run? Thus running their arbitrary code.
Running arbitrary code is inevitable if an action is configured to run on all PRs. People have abused this to run crypto miners and stuff in the past, but this for the most part is merely an annoyance to maintainers, not a security problem. It does become a security problem when arbitrary code execution is allowed with your secrets, including your configured secrets and the read/write GITHUB_TOKEN.
Expanding on the topic of secrets, if you trigger your test from the usual pull_request event, the workflow won't have access to GITHUB_TOKEN or configured secrets, so it's the safe default you should almost always choose. That becomes a problem when you need write access to the repo, e.g. to assign labels or add comments to the PR from the workflow, in which case you have to use the privileged pull_request_target event to expose GITHUB_TOKEN and secrets. pull_request_target by default runs in the context of the base of the PR, so there's still no arbitrary code, but you can explicitly check out the PR in that context, and when you do, your secrets are potentially exposed to arbitrary code. If you execute that arbitrary code in any job, or like in this case, post the content of effectively any file on disk as directed by an attacker, boom, owned.
Therefore, you should
- Avoid pull_request_target unless write access to the repo and/or access to configured secrets is absolutely necessary;
- When using pull_request_target, avoid checking out untrusted code;
- If it's absolutely necessary to check out untrusted code, make absolutely sure that the untrusted code isn't executed in any way, and that your trusted handling code can't be tricked by untrusted content in any way, like an arbitrary symlink. This is of course difficult to verify.
In this specific case, the fix seems to be checking that the absolute path of the untrusted advice.txt is within GITHUB_WORKSPACE (https://github.com/check-spelling/check-spelling/commit/4363...). IMO that's a wrong fix only covering the symptom. The real cause is using untrusted configuration files at all; why not make a copy of the trusted version of configuration files and use those instead???
GitHub has an article about security considerations here: https://securitylab.github.com/research/github-actions-preve...
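The symlink trick in the comment above, worked through as an added example (not code from the comment, from check-spelling or from GitHub): a file whose name sits inside the workspace but which is a symlink pointing outside it passes a plain absolute-path check, while a check that resolves symlinks first rejects it, and reading the configuration from a separate trusted checkout of the base branch avoids the question altogether. Directory names, the `advice.txt` relative path and the file contents are constructed for the demonstration; `workspace` stands in for `GITHUB_WORKSPACE` and `trusted-base` for a second checkout of the base ref.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample content, standing in for the trusted copy of a
# spelling-advice file as it exists on the base branch.
TRUSTED_ADVICE = "trusted advice text from the base branch\n"
# Constructed stand-in for a file outside the workspace that a symlink in a
# pull request could point at (a checked-out credentials file, for example).
OUTSIDE_SECRET = "not for publication\n"


def naive_in_workspace(path, workspace):
    """Compare normalised absolute paths only. This catches '../' traversal
    but not symlinks, because abspath() rewrites the string without
    consulting the filesystem."""
    ws = os.path.abspath(workspace)
    return os.path.abspath(path).startswith(ws + os.sep)


def resolved_in_workspace(path, workspace):
    """Resolve symlinks on both sides before comparing, so a link whose own
    name is inside the workspace but whose target is outside it is rejected."""
    ws = Path(workspace).resolve()
    target = Path(path).resolve()
    return ws in target.parents


def read_trusted_advice(trusted_dir, relative_name):
    """The approach the comment recommends: take configuration from a copy of
    the trusted (base) checkout, never from the untrusted PR tree."""
    return (Path(trusted_dir) / relative_name).read_text()


def demo():
    """Build a throwaway layout: a PR workspace containing a symlink, a file
    outside it, and a trusted base checkout. Returns what each check decides."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        workspace = tmp / "workspace"       # stands in for GITHUB_WORKSPACE
        trusted = tmp / "trusted-base"      # separate checkout of the base ref
        outside = tmp / "outside" / "secret.txt"
        rel = Path(".github/actions/spelling/advice.txt")  # constructed name

        (workspace / rel).parent.mkdir(parents=True)
        (trusted / rel).parent.mkdir(parents=True)
        outside.parent.mkdir(parents=True)
        outside.write_text(OUTSIDE_SECRET)
        (trusted / rel).write_text(TRUSTED_ADVICE)

        # The untrusted PR tree ships advice.txt as a symlink pointing outside.
        untrusted_file = workspace / rel
        untrusted_file.symlink_to(outside)

        naive_ok = naive_in_workspace(untrusted_file, workspace)        # passes
        resolved_ok = resolved_in_workspace(untrusted_file, workspace)  # rejected
        # Following the naive check, the workflow would read and post this:
        leaked = untrusted_file.read_text() == OUTSIDE_SECRET
        trusted_text = read_trusted_advice(trusted, rel)
        return naive_ok, resolved_ok, leaked, trusted_text


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, True, TRUSTED_ADVICE)`: the absolute-path check accepts the symlink, the resolving check rejects it, the content behind the link is exactly what a naive workflow would have published, and the trusted copy is unaffected by anything in the PR tree. The resolving check still only closes one hole; copying configuration from the base checkout removes the untrusted input instead of filtering it.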
PowerToys
-
Unlock Web Dev Superpowers with PowerToys
Windows PowerToys GitHub Repo
-
We released a new powerful efficiency tool called RunFlow, which is similar to PowerToys and Alfred; you are welcome to try it.
RunFlow is a cross-platform productivity tool which can launch apps, search files and more, similar to Wox and PowerToys on Windows and to Alfred and Raycast on macOS. But we have differences from these tools, and we have our own unique new features. Below, we will introduce in more detail which features of RunFlow have been implemented. It's an amazing journey, let's start.
-
GTK: On fractional scales, fonts and hinting
I'm curious - when you were doing research into the mechanics of hinting options, did you stumble onto any relevant discussion around allowing custom pixel geometries to be defined, to enable hinting on modern OLED / WRBG displays? There's a good thread on the topic here[0], with some people referring to it as 'ClearType 2' on the MS side [1]. On the oss side I know FreeType theoretically supports this[2], but I can't quite figure out how relevant the FreeType backend is to this most recent work.
This is great work btw.
[0]: https://github.com/snowie2000/mactype/issues/932
[1]: https://github.com/microsoft/PowerToys/issues/25595
[2]: https://freetype.org/freetype2/docs/reference/ft2-lcd_render...
-
Ask HN: Cleanest way to manage Windows OS?
Thank you all for the informative advice. Here is the summary for those who are in the same situation:
1. Run Windows on Linux by using VM
for the applications you can’t run on Linux
Risks:
* some software may attempt to detect VMs and refuse to run
* Anything that needs to touch hardware may not work.
2. separate "data" partition on D:
3. back up %APPDATA% and %USERPROFILE%
4. learn chocolatey, scoop or winget
Winget should be good enough
5. Don’t worry about C:\Program Files
6. (Mixed) Use/Don’t use Ansible (or saltstack/salt)
Use:
* Allows you to setup a new machine quickly and consistently when one breaks, get stolen, or lost in an inconvenient time.
* You can get a clean and consistent development environment so that you do not depend on anything accidentally installed on the machine.
* If you define specialised roles, create test playbooks for those individual roles, use these roles to compose more complex playbooks, and offload logic to custom ansible modules that are written in python, you won't wrestle with heavy logic in the template or playbook layer.
* installing software and pulling some configs and scripts down is fine
Don’t use:
* You will spend your days fighting a mix of yaml and Jinja.
* You will end up looking at Python errors because there are no static types.
* errors are cryptic.
7. Use WSL2
You need 32 GB of RAM, but RAM is cheap, so choose a good ThinkPad
8. Debloat with Recommended Tweaks
Run
`irm christitus.com/win | iex`
from Administrator Terminal (Powershell)
The link leads to https://raw.githubusercontent.com/ChrisTitusTech/winutil/mai...
VirusTotal
https://www.virustotal.com/gui/file/709834b0e003b6bb546cf16e...
9. Get [PowerToys](https://github.com/microsoft/PowerToys)
10. Use Devbox for containered environment
https://www.jetpack.io/devbox
11. Dual-Booting Linux and Windows
If you use physically separated drives, you don’t need partitioning.
12. Dedicated Windows machine for class
Yes it sure would be the cleanest solution but I prefer one device for everything
13. keep a git repository with all dot files in it
Many people suggested I use virtualization, or otherwise just let Windows be Windows.
Also, backing up seems to be a good practice.
I’m planning to write a blog about this, if it worked.
Again, thank you all for the help!
- Ask HN: Best Hacks for a Ultrawide Monitor?
-
Keypirinha: A fast launcher for keyboard ninjas on Windows
PowerToys Run (https://github.com/microsoft/powertoys) can do this. There are not as many plugins as Alfred has, but Window Switcher is built in.
-
LAN Mouse is a mouse and keyboard sharing software
For sharing a mouse/keyboard between Windows PCs, there is Mouse Without Borders. It's included in PowerToys nowadays.
https://github.com/microsoft/PowerToys
-
Hrvach/Deskhop: Fast Desktop Switching Device
- https://github.com/microsoft/PowerToys
-
How do I type letters with accent marks?
If you’re on Windows, download PowerToys. It’s an app published by Microsoft officially. Then enable Quick Accent in the settings of PowerToys. Now all you have to do is hold down the key you want accented until the switch shows up, then add an accent with your arrow keys.
-
Microsoft's Powertoys Key Manager now can paste text and unicode by shortcuts
microsoft/PowerToys: Windows system utilities to maximize productivity (github.com)
What are some alternatives?
did_you_mean - The gem that has been saving people from typos since 2014
Wox - A cross-platform launcher that simply works
advisories
AutoHotkey - AutoHotkey - macro-creation and automation-oriented scripting utility for Windows.
PHP-Spellchecker - 🐘🎓📝 PHP Library providing an easy way to spellcheck multiple sources of text by many spellcheckers
sharpkeys - SharpKeys is a utility that manages a Registry key that allows Windows to remap one key to any other key.
ohmyzsh - 🙃 A delightful community-driven (with 2,300+ contributors) framework for managing your zsh configuration. Includes 300+ optional plugins (rails, git, macOS, hub, docker, homebrew, node, php, python, etc), 140+ themes to spice up your morning, and an auto-update tool so that makes it easy to keep up with the latest updates from the community.
Flow.Launcher - :mag: Quick file search & app launcher for Windows with community-made plugins
Windows Terminal - The new Windows Terminal and the original Windows console host, all in the same place!
Fluent-Search - Official repository for Fluent Search, use to report issues or ask for a new feature
winget-cli - WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
T-Clock - Highly configurable Windows taskbar clock