check-spelling vs ohmyzsh

| | check-spelling | ohmyzsh |
|---|---|---|
| Mentions | 2 | 561 |
| Stars | 241 | 168,913 |
| Growth | 2.9% | 0.6% |
| Activity | 7.8 | 9.5 |
| Latest commit | 3 days ago | 5 days ago |
| Language | Shell | Shell |
| License | MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
check-spelling
- Add check-spelling to a repository
- GitHub Actions checkspelling community workflow GitHub_TOKEN leakage via symlink
> If my repo always runs all tests on a PR, could someone just add a PR with a new test that is then run? Thus running their arbitrary code.
Running arbitrary code is inevitable if an action is configured to run on all PRs. People have abused this to run crypto miners and stuff in the past, but this for the most part is merely an annoyance to maintainers, not a security problem. It does become a security problem when arbitrary code execution is allowed with your secrets, including your configured secrets and the read/write GITHUB_TOKEN.
Expanding on the topic of secrets, if you trigger your test from the usual pull_request event, the workflow won't have access to GITHUB_TOKEN or configured secrets, so it's the safe default you should almost always choose. That becomes a problem when you need write access to the repo, e.g. to assign labels or add comments to the PR from the workflow, in which case you have to use the privileged pull_request_target event to expose GITHUB_TOKEN and secrets. pull_request_target by default runs in the context of the base of the PR, so there's still no arbitrary code, but you can explicitly check out the PR in that context, and when you do, your secrets are potentially exposed to arbitrary code. If you execute that arbitrary code in any job, or like in this case, post the content of effectively any file on disk as directed by an attacker, boom, owned.
Therefore, you should
- Avoid pull_request_target unless write access to the repo and/or access to configured secrets is absolutely necessary;
- When using pull_request_target, avoid checking out untrusted code;
- If it's absolutely necessary to check out untrusted code, make absolutely sure that the untrusted code isn't executed in any way, and that your trusted handling code can't be tricked by untrusted content in any way, like an arbitrary symlink. This is of course difficult to verify.
In this specific case, the fix seems to be checking that the absolute path of the untrusted advice.txt is within GITHUB_WORKSPACE (https://github.com/check-spelling/check-spelling/commit/4363...). IMO that's a wrong fix only covering the symptom. The real cause is using untrusted configuration files at all; why not make a copy of the trusted version of configuration files and use those instead???
GitHub has an article about security considerations here: https://securitylab.github.com/research/github-actions-preve...
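The comment above describes two of the three guards in code: rejecting a symlinked config file and checking that the file resolves inside GITHUB_WORKSPACE. The following is an added example written for this page, not check-spelling's own code; the function name, the `.github/advice.txt` path and the fixture directory layout are assumptions, and the fixture stands in for a pull_request_target checkout.

```shell
#!/bin/sh
# Added example, not check-spelling's own code. Guards a repository-supplied
# config file (e.g. advice.txt) before a pull_request_target job reads it:
# it must be a regular file, not a symlink, and must resolve (parent
# directory symlinks and ../ included) inside the workspace. In a workflow:
#   resolve_trusted_path "$GITHUB_WORKSPACE" .github/advice.txt
resolve_trusted_path() {
  workspace=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  candidate="$1/$2"
  # A PR can swap the file for a symlink to anything the runner can read,
  # so refuse symlinks before any content is opened.
  if [ -L "$candidate" ]; then
    echo "refusing symlink: $2" >&2
    return 2
  fi
  [ -f "$candidate" ] || { echo "not a regular file: $2" >&2; return 3; }
  # pwd -P yields the physical directory, defeating ../ and symlinked dirs.
  dir=$(cd "$(dirname "$candidate")" 2>/dev/null && pwd -P) || return 1
  resolved="$dir/$(basename "$candidate")"
  case "$resolved" in
    "$workspace"/*) printf '%s\n' "$resolved" ;;
    *) echo "outside workspace: $resolved" >&2; return 4 ;;
  esac
}
# Constructed fixture, not a real checkout: a workspace with an honest
# advice.txt, a symlink escaping it, and a sibling directory standing in
# for files the runner can read but a PR must never surface.
make_fixture() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/ws/.github" "$tmp/outside"
  echo 'stand-in for a token or other file outside the checkout' \
    > "$tmp/outside/secret.txt"
  echo 'Please fix the spelling errors listed above.' \
    > "$tmp/ws/.github/advice.txt"
  ln -s "$tmp/outside/secret.txt" "$tmp/ws/.github/advice-link.txt"
  printf '%s\n' "$tmp/ws"
}
# Demo: only the honest file is accepted; the rest are rejected on stderr.
demo() {
  ws=$(make_fixture) || return 1
  for f in .github/advice.txt .github/advice-link.txt ../outside/secret.txt; do
    if p=$(resolve_trusted_path "$ws" "$f"); then
      echo "ACCEPT $f -> $p"
    else
      echo "REJECT $f"
    fi
  done
}
demo
```

The check only closes the symptom the commenter names; their preferred fix, reading the configuration from the trusted base ref instead of the checked-out PR, removes the need for the check altogether.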
ohmyzsh
- Improving and configuring your new Linux shell. Part 2
Improve your productivity by using more terminal and less mouse.
If you are not using oh-my-zsh, you are missing out on some amazing plugins. One feature most people wish the terminal had is autocompletion. With the zsh-autosuggestions plugin, your terminal will autocomplete most commands and remember previous ones.
- Terminal commands I use as a frontend developer
That's the minimum terminal setup. You can modify the look and add plugins such as autocompletion to your terminal by installing ohmyzsh and using themes such as powerlevel10k. I am already using them.
- Zshell
Somewhat related is "Oh My ZSH!" which is basically zsh on steroids, it's always one of the first things I install on a new computer. It gives things like new colors, themes, plugins, and more. Highly recommend you check it out.
https://ohmyz.sh/
- ohmyzsh VS atuin - a user suggested alternative
2 projects | 22 Feb 2024
- Oh My Zsh
- Weird Color Stuff In The Terminal
I had just gone through a fun tutorial for setting up oh-my-zsh with a nice color scheme from iterm2colorschemes.com and a decent prompt and I was wondering: can I make my oblique strategy look nice? how can you actually use the colors from your scheme in the output in your cli?
- Make Your Linux Terminal Enjoyable to Use
After this you are going to visit Oh-My-Zsh, which is where the magic will happen.
- Using Linux Full-Time 2 years later
After automating my dotfiles, I want to automate my installations; after that I want to make my terminal easier to use, so I add OMZ with many plugins; after that, I try to automate the backup of my settings on my Gnome but failed, then try using git-lfs for my big files but it turned out to be idiotic moves, bla bla bla, many try and fail.
- Pimp My Console (Enchula Mi Consola)
What are some alternatives?
did_you_mean - The gem that has been saving people from typos since 2014
oh-my-posh - The most customisable and low-latency cross platform/shell prompt renderer
advisories
starship - The minimal, blazing-fast, and infinitely customizable prompt for any shell!
PHP-Spellchecker - PHP Library providing an easy way to spellcheck multiple sources of text by many spellcheckers
oh-my-bash - A delightful community-driven framework for managing your bash configuration, and an auto-update tool that makes it easy to keep up with the latest updates from the community.
Windows Terminal - The new Windows Terminal and the original Windows console host, all in the same place!
powerlevel10k - A Zsh theme
winget-cli - WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
oh-my-fish - The Fish Shell Framework
Knot Resolver - Knot Resolver - resolve DNS names like it's 2024
spaceship-prompt - :rocket::star: Minimalistic, powerful and extremely customizable Zsh prompt