check-spelling VS Windows Terminal

View on GitHub

> If my repo always runs all tests on a PR, could someone just add a PR with a new test that is then run? Thus running their arbitrary code.

Running arbitrary code is inevitable if an action is configured to run on all PRs. People have abused this to run crypto miners and stuff in the past, but this for the most part is merely an annoyance to maintainers, not a security problem. It does become a security problem when arbitrary code execution is allowed with your secrets, including your configured secrets and the read/write GITHUB_TOKEN.

Expanding on the topic of secrets, if you trigger your test from the usual pull_request event, the workflow won't have access to GITHUB_TOKEN or configured secrets, so it's the safe default you should almost always choose. That becomes a problem when you need write access to the repo, e.g. to assign labels or add comments to the PR from the workflow, in which case you have to use the privileged pull_request_target event to expose GITHUB_TOKEN and secrets. pull_request_target by default runs in the context of the base of the PR, so there's still no arbitrary code, but you can explicitly check out the PR in that context, and when you do, your secrets are potentially exposed to arbitrary code. If you execute that arbitrary code in any job, or like in this case, post the content of effectively any file on disk as directed by an attacker, boom, owned.

Therefore, you should

- Avoid pull_request_target unless white access to the repo and/or access to configured secrets is absolutely necessary;

- When using pull_request_target, avoid checking out untrusted code;

- If it's absolutely necessary to check out untrusted code, make absolutely sure that the untrusted code isn't executed in any way, and that your trusted handling code can't be tricked by untrusted content in any way, like an arbitrary symlink. This is of course difficult to verify.

In this specific case, the fix seems to be checking that the absolute path of the untrusted advice.txt is within GITHUB_WORKSPACE (https://github.com/check-spelling/check-spelling/commit/4363...). IMO that's a wrong fix only covering the symptom. The real cause is using untrusted configuration files at all; why not make a copy of the trusted version of configuration files and use those instead???

GitHub has an article about security considerations here: https://securitylab.github.com/research/github-actions-preve...

> convince management of the value

This presupposes that such convincing is even possible. Many, many companies have leadership that are simply terrible at identifying value. If you've never been part of a majority of developers advocating for, if not outright begging for, some huge ROI initiative to get the green light, you are very fortunate.

There are great counterexamples, like Valve, which is known for giving developers an extreme degree of autonomy, and they benefit greatly from that approach. For each Valve, though, there are dozens of companies that manage to succeed despite themselves.

Take Microsoft, for example. One tiny, yet representative, example: the way the Windows Terminal team handled a suggestion from Casey Muratori to take their software from abysmally slow to lightning fast:

https://github.com/microsoft/terminal/issues/10362

A quote from one of the Terminal developers, dismissing the suggestion:

> I believe what you’re doing is describing something that might be considered an entire doctoral research project in performant terminal emulation as “extremely simple” somewhat combatively…

Just how difficult was such an endeavor in actuality? Well, given that Casey implemented his own terminal emulator from scratch and incorporated the functionality he was proposing in a mere weekend... not a whole lot. Relatively minor effort for a huge return on investment. It took Casey explaining the concepts, then providing a working proof of concept, and finally a bunch of backlash online towards the Terminal team to get them to do the right thing for themselves and their users.

At this point ConHost.exe is open source [0] so it is maybe not a stretch to expect Microsoft to open source CMD.EXE at some point.

Though with PowerShell being cross-platform and already open source, I personally don't think there's enough to gain in some sort of better open source CMD.EXE fork. I'd be interested in being proved wrong on that, but I'm also happy enough with PowerShell these days I'm not in a hurry to return to CMD.EXE.

[0] https://github.com/microsoft/terminal/tree/main/src/host

"Users of Linux and macOS may well be familiar with the sudo command, used regularly in the terminal, and it looks like Windows may finally be getting its own version."

More Linux tools are coming to Windows, especially Windows Server because the tools are good and they make it easier to administer a Windows Server.

They are looking at adding a default TUI text editor (https://github.com/microsoft/terminal/discussions/16440) and now they are adding sudo.

I would not be surprised if systemd or something like it gets ported or reinvented for Windows simply because it makes managing services so nice.

GitHub

>We are allowed to view and consume it, to be influenced by it, and under many circumstances even outright copy it.

People keep saying this but it's actually much more complicated, and in many cases you can't view copyrighted content.

An example, MicroSoft employees are not permitted to view or learn from an open source (GPL-2) terminal emulator:

https://github.com/microsoft/terminal/issues/10462#issuecomm...

Another example is proprietary software that may have it's source available, either intentionally or not. If you view this and then work on something related to it, like WINE for example, you are definitely at risk of being successfully sued.

If you worked at MicroSoft and worked on Windows, you would not be able to participate in WINE development at all without violating copyright.

If you viewed leaked Windows source code you also would not be able to participate in WINE development.

An interesting question that I have, is whether training on proprietary, non-trade-secret sources would be allowed. Something like unreal engine, where you can view the source but it's still proprietary.

Windows Terminal is pretty good and a new terminal emulator written in the last few years. No smooth scrolling, here's the GitHub issue requesting it: https://github.com/microsoft/terminal/issues/1400

Assume its related to this:

https://github.com/microsoft/terminal/issues/10362

It's nothing serious just microsoft engineers writing slow as shit code and reacting poorly to someone trying to help.

"There are plenty of offline scenarios where this would be incredibly useful. For disconnected environments, etc. There are some environments that will never connect to winget."

Source: https://github.com/microsoft/terminal/discussions/16440#disc...