Merge pull request from GHSA-xf39-98m2-889v

* changing default enable and adding ui warning * fix(cve): default PR events to false for new repos and add warning message in settings * delete errant div attr
go-vela · Nov 9, 2022 · 885efce · 885efce
1 parent 1175f97
commit 885efce
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/elm.json b/elm.json
@@ -38,7 +38,7 @@
   },
   "test-dependencies": {
     "direct": {
-      "elm-explorations/test": "1.2.2"
+      "elm-explorations/test": "2.0.1"
     },
     "indirect": {}
   }

diff --git a/src/elm/Pages/RepoSettings.elm b/src/elm/Pages/RepoSettings.elm
@@ -314,6 +314,9 @@ events repo msg =
               <|
                 msg repo.org repo.name "allow_deploy"
             ]
+        , div []
+            [ pullRequestEventWarning
+            ]
         ]
 
 
@@ -448,6 +451,21 @@ limitWarning maxLimit inLimit =
             text ""
 
 
+{-| pullRequestEventWarning : renders disclaimer for pull request exposure
+-}
+pullRequestEventWarning : Html msg
+pullRequestEventWarning =
+    p [ class "notice" ]
+        [ text "Disclaimer: Vela repos do NOT have the "
+        , strong [] [ text "pull_request" ]
+        , text " event enabled by default. For all public repositories, "
+        , strong [] [ text "any user" ]
+        , text ", even outside of the organization, can open a pull request, triggering a build. "
+        , strong [] [ text "The risks from this can include: changes to the pipeline, arbitrary code execution inside your environment, and exposure of Vela-accessible secrets in your repository." ]
+        , text " You can override this behavior, at your own risk."
+        ]
+
+
 {-| timeoutInput : takes repo, user input, and button action and renders the text input for updating build timeout.
 -}
 timeoutInput : Repository -> Maybe Int -> (String -> msg) -> Html msg

diff --git a/src/elm/Vela.elm b/src/elm/Vela.elm
@@ -999,7 +999,7 @@ type alias EnableRepositoryPayload =
 
 defaultEnableRepositoryPayload : EnableRepositoryPayload
 defaultEnableRepositoryPayload =
-    EnableRepositoryPayload "" "" "" "" "" False True True True True False False False
+    EnableRepositoryPayload "" "" "" "" "" False True True False True False False False
 
 
 type alias UpdateRepositoryPayload =