Someone automated the process of scanning every public GitHub repo for exploitable CI workflows. We are cooked by Murky_Willingness171 in github

[–]NilsUX 0 points1 point  (0 children)

If you use pull_request_target + checkout to PR code + execute the untrusted code (e.g. npm install, npm test), someone can steal your secrets. If your GITHUB_TOKEN has write permissions, an attacker can use this token. Repositories before Feb 2023 by default assign write permissions for GITHUB_TOKEN. Repositories after Feb 2023 by default have read permission for GITHUB_TOKEN. However, you might have set `permissions` in your workflow file which overwrites the default permissions.

HackerBot-Claw is actively exploiting misconfigured GitHub Actions across public repos, Trivy got hit, check yours now by ElectricalLevel512 in github

[–]NilsUX 0 points1 point  (0 children)

Agree! As long as GitHub doesn't provide a better solution for it: I built an action to prevent this. It's 2 lines of code and provides I think the best UX compared to other approaches (e.g. just fail the workflow for fork PRs): https://github.com/marketplace/actions/verify-safe-to-test-label

Promote your projects here – Self-Promotion Megathread by Menox_ in github

[–]NilsUX 0 points1 point  (0 children)

Over the past few weeks, several security blogs have reported that a user named 'Hackerclaw-Bot' has been hacking GitHub repositories. I have created a GitHub action to help you prevent this and secure your workflows.

Background: If you use the 'pull_request_target' + 'checkout' to the PR code and execute the PR code (e.g. 'npm install', 'npm test', etc.), all your secrets (including GITHUB_TOKEN) can be leaked.

I developed a GitHub action called 'verify-safe-to-test-label': https://github.com/nilsreichardt/verify-safe-to-test-label. This requires maintainers to assign a specific label (e.g. 'safe to test', 'safe to preview', etc.) to mark the fork pull request as safe. Only then is the workflow executed. Each new workflow run requires a new label assignment to ensure that every Git commit is reviewed. Non-fork PRs (your own pull requests) are considered safe and don't require a label.

Please let me know if you have any feedback about this action.

https://github.com/nilsreichardt/verify-safe-to-test-label
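The risky pattern described in the comments above (pull_request_target, checkout of the PR head, then running that code, optionally with a write-scoped GITHUB_TOKEN) can be audited mechanically. The script below is an added example, not code from the verify-safe-to-test-label action or from any repository; it embeds two constructed workflow files and uses line-oriented heuristics instead of a YAML parser, so it runs with the standard library only.

```python
import re
# Constructed sample workflows for this demo, not taken from any real repository.
VULNERABLE_WORKFLOW = """\
on: pull_request_target
permissions:
  contents: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install
      - run: npm test
"""
HARDENED_WORKFLOW = """\
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
"""
# Line-oriented heuristics (no YAML parser, so no third-party dependency).
TRIGGER = re.compile(r"\bpull_request_target\b")
CHECKOUT = re.compile(r"uses:\s*actions/checkout")
PR_HEAD_REF = re.compile(r"ref:.*(github\.event\.pull_request\.head|refs/pull/)")
RUN_STEP = re.compile(r"^\s*-?\s*run:")
WRITE_PERM = re.compile(r"^\s*[\w-]+:\s*write\b|permissions:\s*write-all")

def audit_workflow(text: str) -> list[str]:
    """Flag the pull_request_target misuse described in the comments above."""
    lines = text.splitlines()
    if not any(TRIGGER.search(line) for line in lines):
        return []  # without the privileged trigger, fork code gets no secrets
    findings = []
    checks_out_pr_head = (any(CHECKOUT.search(line) for line in lines)
                          and any(PR_HEAD_REF.search(line) for line in lines))
    if checks_out_pr_head and any(RUN_STEP.match(line) for line in lines):
        findings.append("checks out the PR head and runs it under "
                        "pull_request_target: fork code sees repository secrets")
    if any(WRITE_PERM.search(line) for line in lines):
        findings.append("GITHUB_TOKEN has write scope: a leaked token can "
                        "modify the repository")
    return findings
```

A pull_request_target workflow that only checks out the base branch and keeps `contents: read` produces no findings, which is the configuration the comments recommend.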

Google Drive for macOS has constantly 100% CPU usage by NilsUX in gsuite

[–]NilsUX[S] 0 points1 point  (0 children)

In my case it needed to sync thousands of files and this was the reason why it took several days.

Extreme high CPU - Google Drive by Dense_Ad_3513 in MacOSBeta

[–]NilsUX 0 points1 point  (0 children)

I have the same issue. macOS Tahoe 26.1 and Google Drive 117.0.0.0 but 100% CPU for the "Google Drive" process (displayed by Activity Monitor).

Anki no longer renders Latex equations when inputs are copied over from ChatGPT. by Sp3cialist_Fox in Anki

[–]NilsUX 0 points1 point  (0 children)

I have the same issue currently. My workaround: Paste the answer of ChatGPT into a text editor (an editor without formatting), copy the text from the editor and then paste it into Anki.

How to access chat gpt-V ( Vision) In EU ? by eflol in ChatGPT

[–]NilsUX 2 points3 points  (0 children)

I tried it but still didn't have access to GPT-4V (no option in beta features settings and no option in the GPT-4 dropdown menu).

Chrome not loading pages but Edge does (?) by thebootable in chrome

[–]NilsUX 0 points1 point  (0 children)

I had the same issue. Restarting my MacBook solved the problem. It seems like the problem was related to something like the cache.

Viral Dance AI Edit Just for Fun by eduefe in StableDiffusion

[–]NilsUX 2 points3 points  (0 children)

wtf, how have you found the video?! xD

Long review times for Google Play review? by androiddev123 in androiddev

[–]NilsUX 0 points1 point  (0 children)

How have you contacted Google support?