@zxPhoenix
Contributor

🔧 Type of changes

  • new bid adapter
  • bid adapter update
  • new feature
  • new analytics adapter
  • new module
  • module update
  • bugfix
  • documentation
  • configuration
  • dependency update
  • tech debt (test coverage, refactorings, etc.)

✨ What's the context?

Fix for Code injection issue in cross-repo-issue GitHub action (#4323)

🧠 Rationale behind the change

Our code quality checks have identified a critical code injection vulnerability in the cross-repo-issue GitHub Action. We understand that the probability of this case is extremely low due to code reviews, etc. However, we would like to address it to pass all quality checks.

🔎 New Bid Adapter Checklist

  • verify email contact works
  • NO fully dynamic hostnames
  • geographic host parameters are NOT required
  • direct use of HTTP is prohibited - implement an existing Bidder interface that will do all the job
  • if the ORTB is just forwarded to the endpoint, use the generic adapter - define the new adapter as the alias of the generic adapter
  • cover an adapter configuration with an integration test

🧪 Test plan

How do you know the changes are safe to ship to production?

🏎 Quality check

  • Are your changes following our code style guidelines?
  • Are there any breaking changes in your code?
  • Does your test coverage exceed 90%?
  • Are there any erroneous console logs, debuggers or leftover code in your changes?

@Net-burst Net-burst requested a review from And1sS December 17, 2025 14:40
Collaborator

@Net-burst Net-burst left a comment

LGTM

@Net-burst Net-burst merged commit 033af31 into prebid:master Dec 22, 2025
5 checks passed