From 243f3288ad5db65ef98b0d402aab8172997e3757 Mon Sep 17 00:00:00 2001
From: Zanie Blue
Date: Fri, 14 Jun 2024 11:58:12 -0500
Subject: [PATCH] Guard against malicious ecosystem comment artifacts
---
 .github/workflows/pr-comment.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml
index 1debd520ece39..8a63fa0e033c5 100644
--- a/.github/workflows/pr-comment.yaml
+++ b/.github/workflows/pr-comment.yaml
@@ -48,6 +48,14 @@ jobs:
 id: generate-comment
 if: steps.download-ecosystem-result.outputs.found_artifact == 'true'
 run: |
+ // Guard against malicious ecosystem results that symlink to a secret
+ // file on this runner
+ if [[ -L pr/ecosystem/ecosystem-result ]]
+ then
+ echo "Error: ecosystem-result cannot be a symlink"
+ exit 1
+ fi
+
 # Note this identifier is used to find the comment to update on
 # subsequent runs
 echo '' >> comment.txt
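Review bot: The first two added lines, `// Guard against malicious ecosystem results that symlink to a secret` and `// file on this runner`, are not comments inside a `run: |` block — the shell will try to execute `//` as a command, which fails with "Is a directory", and if this step uses the default `bash -e` shell the step aborts there before the symlink check is ever evaluated. The pre-existing lines just below already use `#`, so the two lines should read `# Guard against malicious ecosystem results that symlink to a secret` and `# file on this runner`. Separately, `[[ -L pr/ecosystem/ecosystem-result ]]` tests only the final path component, so if the downloaded artifact can turn a parent directory such as `pr/ecosystem` into a symlink the leaf check passes while later reads still follow the link; rejecting any symlink under the extracted tree (e.g. `if [[ -n "$(find pr/ecosystem -type l)" ]]`) would cover that case, assuming the download step preserves symlinks at all — the extraction is outside this hunk. The step that owns this `run:` block begins before the hunk.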