| | check-spelling | Chocolatey |
|---|---|---|
| Mentions | 2 | 394 |
| Stars | 241 | 9,894 |
| Growth | 2.9% | 1.1% |
| Activity | 7.8 | 8.9 |
| Latest commit | 3 days ago | 5 days ago |
| Language | Shell | C# |
| License | MIT License | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
check-spelling
-
Add check-spelling to a repository
-
GitHub Actions checkspelling community workflow GitHub_TOKEN leakage via symlink
> If my repo always runs all tests on a PR, could someone just add a PR with a new test that is then run? Thus running their arbitrary code.
Running arbitrary code is inevitable if an action is configured to run on all PRs. People have abused this to run crypto miners and stuff in the past, but this for the most part is merely an annoyance to maintainers, not a security problem. It does become a security problem when arbitrary code execution is allowed with your secrets, including your configured secrets and the read/write GITHUB_TOKEN.
Expanding on the topic of secrets, if you trigger your test from the usual pull_request event, the workflow won't have access to GITHUB_TOKEN or configured secrets, so it's the safe default you should almost always choose. That becomes a problem when you need write access to the repo, e.g. to assign labels or add comments to the PR from the workflow, in which case you have to use the privileged pull_request_target event to expose GITHUB_TOKEN and secrets. pull_request_target by default runs in the context of the base of the PR, so there's still no arbitrary code, but you can explicitly check out the PR in that context, and when you do, your secrets are potentially exposed to arbitrary code. If you execute that arbitrary code in any job, or like in this case, post the content of effectively any file on disk as directed by an attacker, boom, owned.
Therefore, you should
- Avoid pull_request_target unless write access to the repo and/or access to configured secrets is absolutely necessary;
- When using pull_request_target, avoid checking out untrusted code;
- If it's absolutely necessary to check out untrusted code, make absolutely sure that the untrusted code isn't executed in any way, and that your trusted handling code can't be tricked by untrusted content in any way, like an arbitrary symlink. This is of course difficult to verify.
In this specific case, the fix seems to be checking that the absolute path of the untrusted advice.txt is within GITHUB_WORKSPACE (https://github.com/check-spelling/check-spelling/commit/4363...). IMO that's a wrong fix only covering the symptom. The real cause is using untrusted configuration files at all; why not make a copy of the trusted version of configuration files and use those instead???
GitHub has an article about security considerations here: https://securitylab.github.com/research/github-actions-preve...
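The commenter's third bullet (trusted handling code that cannot be redirected by untrusted content such as a symlink) is the part that is hard to get right, so here is an added example of what such a check looks like. This is not code from check-spelling or from the linked commit; it assumes GNU coreutils `realpath`, which the ubuntu-* hosted runners have. A check that only asks whether the resolved path starts with `GITHUB_WORKSPACE` still accepts a symlink to any other file inside the checkout, including `.git/config`, where actions/checkout leaves the token it used unless `persist-credentials: false` is set, so the function below compares the lexical path against the fully resolved one and refuses the file if they differ for any reason. The `demo_verdicts` function builds a constructed throwaway workspace with one genuine config file and the shapes a PR author could commit, and reports the verdict for each.

```shell
#!/usr/bin/env bash
# Added example for the thread above; it is not code from check-spelling or
# from the linked fix. Assumes GNU coreutils realpath (the ubuntu-* runners).

# Prints the resolved path of "$2" under workspace "$1" and returns 0 only if
# it is a regular file reached without a ".." escape or a symlink in any
# component. Everything else returns 1, so a symlink to /etc/hostname, to
# .git/config, or a symlinked parent directory is refused alike.
safe_config_path() {
  local workspace="$1" rel="$2" base lexical resolved
  base=$(realpath -e "$workspace") || return 1
  # Lexical form: "." and ".." normalized, symlinks NOT followed (-s).
  lexical=$(realpath -sm "$base/$rel") || return 1
  # Physical form: every symlink in every component followed (-e requires
  # the final target to exist, so dangling links fail here).
  resolved=$(realpath -e "$base/$rel" 2>/dev/null) || return 1
  case "$lexical" in "$base"/*) ;; *) return 1 ;; esac   # no escape via ".."
  [ "$lexical" = "$resolved" ] || return 1               # no symlink anywhere
  [ -f "$resolved" ] || return 1                         # regular file only
  printf '%s\n' "$resolved"
}

# Constructed workspace: one genuine config file plus the shapes a PR author
# could commit to redirect a "read this file and post it" step. Prints one
# "<path> accepted|rejected" line per case and cleans up.
demo_verdicts() {
  local ws rel
  ws=$(mktemp -d)
  mkdir -p "$ws/.github/dir" "$ws/.git"
  printf 'genuine advice\n' > "$ws/.github/advice.txt"
  # Stand-in for what actions/checkout writes when persist-credentials is on.
  printf '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic <token>\n' > "$ws/.git/config"
  ln -s /etc/hostname "$ws/.github/escape.txt"   # points outside the workspace
  ln -s ../.git/config "$ws/.github/creds.txt"   # points inside, at the token
  ln -s ../.. "$ws/.github/dir/up"               # symlinked directory component
  for rel in .github/advice.txt .github/escape.txt .github/creds.txt \
             ../etc/passwd .github/dir/up/.git/config; do
    if safe_config_path "$ws" "$rel" >/dev/null; then
      echo "$rel accepted"
    else
      echo "$rel rejected"
    fi
  done
  rm -rf "$ws"
}
```

Even with this check in place, the commenter's preferred fix is simpler to reason about: in a `pull_request_target` job, the default checkout is already the base ref, so copy the configuration files aside from there first, and only then check out `github.event.pull_request.head.sha` into a separate `path:`; the workflow reads configuration from the trusted copy and never from the PR's tree.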
Chocolatey
-
Let’s build AI-tools with the help of AI and Typescript!
Chocolatey Windows software management solution, we use this for installing Python and Deno
-
Giving Kyma a little spin ... a SpinKube
Authenticating with Kyma is (in my opinion) an unnecessary challenge, as it leverages the OIDC-login plugin for kubectl. You find a description of the setup here. This works fine on a Mac but can give you some headaches on a Windows and on a Linux machine, especially when combined with restrictive setups in corporate environments. For Windows I can only recommend installing krew via chocolatey and then installing the OIDC plugin via kubectl krew install oidc-login. At least for me that was the only way to get this working on Windows.
-
Effective Neovim Setup. A Beginner’s Guide
On a Windows machine, you can use Chocolatey by running the command.
- PC MHz fluctuating
-
Need Help with getting Haskell onto my Windows Laptop
I've used WSL2 and GHC/Nix--worked without any issues. However, there is Chocolatey: https://chocolatey.org/
-
Python Versions and Release Cycles
For OSX there is homebrew or pyenv (pyenv is another solution on Linux). As pyenv compiles from source it will require setting up XCode (the Apple IDE) tools to support this which can be pretty bulky. Windows users have chocolatey but the issue there is it works off the binaries. That means it won't have the latest security release available since those are source only. Conda is also another solution which can be picked up by Visual Studio Code as available versions of Python making development easier. In the end it might be best to consider using WSL on Windows for installing a Linux version and using that instead.
-
Helm Charts: An Organised Way to Install Apps on a Kubernetes Cluster
Type the following commands in the Windows terminal to install helm. You can use either Scoop, a command-line installer for Windows, or Chocolatey, a package manager for Windows, to install helm.
-
Which tools do you use to set up a new PC and transfer data to it?
For software: ninite.com and chocolatey.org
- Creating a Java development environment on Windows - without WSL
-
OpenAI Whisper: Transcribe in the Terminal for free
While you can install it in many ways, the easiest is using a package manager like Homebrew for macOS or chocolatey for Windows.
What are some alternatives?
did_you_mean - The gem that has been saving people from typos since 2014
winget-cli - WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
advisories
Scoop - A command-line installer for Windows.
PHP-Spellchecker - 🐘🎓📝 PHP Library providing an easy way to spellcheck multiple sources of text by many spellcheckers
Squirrel - An installation and update framework for Windows desktop apps
ohmyzsh - 🙃 A delightful community-driven (with 2,300+ contributors) framework for managing your zsh configuration. Includes 300+ optional plugins (rails, git, macOS, hub, docker, homebrew, node, php, python, etc), 140+ themes to spice up your morning, and an auto-update tool so that makes it easy to keep up with the latest updates from the community.
Wix Toolset
Windows Terminal - The new Windows Terminal and the original Windows console host, all in the same place!
HomeBrew - 🍺 The missing package manager for macOS (or Linux)
video2x - A lossless video/GIF/image upscaler achieved with waifu2x, Anime4K, SRMD and RealSR. Started in Hack the Valley II, 2018.