python · bbot

Heads-up
bbot github_workflows module symlink path traversal
What changed
The `github_workflows` module constructs local directory paths from user-controlled repository names without validating for symlinks, allowing a local attacker to redirect workflow data writes via a symlink.
Who it affects
Users running bbot scans where a local attacker can plant symlinks in the scan directory.
What to do today
Update bbot to a patched version once available, or manually validate that output paths are not symlinks before scanning.
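One way to do that check, written here as an added example and not bbot's own code: derive the per-repository output directory from the repository name, refuse names that traverse or are absolute, and refuse any path component that is already a symlink before anything is written there. The `owner/repo` name shape, the function names and the constructed temp-directory fixture in `demo()` are assumptions for illustration.

```python
# Added example (not bbot's own code): validate a per-repository output
# directory derived from a user-controlled repository name so that it stays
# inside the scan directory and does not pass through a planted symlink.
import os
import tempfile
from pathlib import Path


def safe_output_dir(base: Path, repo_name: str) -> Path:
    """Return base/<repo_name>, rejecting traversal and symlinked components.

    Raises ValueError when the name is absolute, contains '.' or '..'
    segments, when any existing component of the candidate path is a
    symbolic link, or when the resolved path does not live under ``base``.
    """
    base = base.resolve(strict=True)

    # Reject names that cannot be mapped to a safe relative path:
    # empty, absolute (leading '/'), NUL/backslash, or '.'/'..' segments.
    if not repo_name or "\0" in repo_name or "\\" in repo_name:
        raise ValueError(f"unsafe repository name: {repo_name!r}")
    segments = repo_name.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise ValueError(f"unsafe repository name: {repo_name!r}")
    candidate = base.joinpath(*segments)

    # Check every component between the candidate and the base with lstat
    # semantics (Path.is_symlink), so a symlink is caught before anything
    # follows it. A non-existent component is simply not a symlink yet.
    for part in [candidate, *candidate.parents]:
        if part == base:
            break
        if part.is_symlink():
            raise ValueError(f"refusing symlinked path component: {part}")

    # Defence in depth: the fully resolved path must still be under base.
    resolved = candidate.resolve()
    if resolved != base and base not in resolved.parents:
        raise ValueError(f"path escapes scan directory: {resolved}")
    return candidate


def demo() -> dict:
    """Exercise safe_output_dir against a constructed scan directory in which
    a symlink has been planted. Returns {case label: 'accepted'|'rejected'}."""
    results = {}
    with tempfile.TemporaryDirectory() as scan, tempfile.TemporaryDirectory() as elsewhere:
        base = Path(scan)
        # Constructed fixture: scan/evil-org is a symlink to an unrelated directory,
        # standing in for a link a local attacker could plant in the scan directory.
        os.symlink(elsewhere, base / "evil-org")
        cases = {
            "good": "acme/widgets",          # ordinary owner/repo name
            "symlink": "evil-org/widgets",   # first component is the planted link
            "traversal": "../outside",       # '..' segment
            "absolute": "/etc/cron.d",       # leading '/' gives an empty segment
        }
        for label, name in cases.items():
            try:
                safe_output_dir(base, name)
                results[label] = "accepted"
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} {outcome}")
```

The check is a pre-write validation only: a local attacker who can create links concurrently can still race between the check and the later `mkdir`/`open`. For the write itself, open the directory once and use `O_NOFOLLOW` / `dir_fd`-relative calls (`os.open` with `dir_fd=`), or at minimum re-check immediately before writing and run scans in a directory not writable by other local users.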
Source
GitHub Advisory · bbot