
I theorized about this vulnerability a while back when I noticed new commits didn't disable auto-merging. This is an insane default from GH.

EDIT: seems GitHub has finally noticed (or started to care); just went to test this and auto-merge has seemingly been disabled sitewide. Even though the setting is enabled, no option to auto-merge PRs shows up.

Seems I was right to worry!

EDIT2: We just tested this on GitLab's CI since they also have an auto-merge function and it appears they've done things correctly. Auto-merge enablement is only valid for the commit for which it was enabled; new pushes disable auto-merge. Much more sensible and secure.
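
The point the comment makes, modelled as an added example (my own constructed code, not GitHub's, GitLab's, or the commenter's): auto-merge enablement should be bound to the head commit the reviewer actually saw, so that any later push either clears it (the "bound" policy described for GitLab) or is refused by a merge gate that compares SHAs. The SHAs, PR number, and the policy names "sticky"/"bound" are assumptions made up for the walkthrough; `auto_merge` is a simulated merge gate, not a real platform API.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed SHAs for the walkthrough; not real commits.
REVIEWED_SHA = "a1" * 20    # commit the reviewer saw when arming auto-merge
UNREVIEWED_SHA = "b2" * 20  # commit pushed afterwards, never reviewed


@dataclass
class PullRequest:
    number: int
    head_sha: str
    auto_merge_for: Optional[str] = None   # head SHA at the time auto-merge was enabled
    merged_sha: Optional[str] = None
    log: List[Tuple[str, str]] = field(default_factory=list)


def enable_auto_merge(pr: PullRequest) -> None:
    """Reviewer arms auto-merge; record which commit they were looking at."""
    pr.auto_merge_for = pr.head_sha
    pr.log.append(("enable_auto_merge", pr.head_sha))


def push(pr: PullRequest, new_sha: str, policy: str) -> None:
    """A new commit lands on the PR branch.

    policy == "sticky": auto-merge stays armed across pushes (the default the
                        comment objects to).
    policy == "bound":  arming is tied to the old head, so a push clears it
                        (the GitLab behaviour described in the thread).
    """
    pr.head_sha = new_sha
    pr.log.append(("push", new_sha))
    if policy == "bound":
        pr.auto_merge_for = None
        pr.log.append(("auto_merge_cleared", new_sha))


def auto_merge(pr: PullRequest, ci_green: bool, guard: bool) -> bool:
    """Simulated merge gate run once CI is green. Returns True if merged.

    guard=False: merge whenever auto-merge is armed (platform behaviour only).
    guard=True:  additionally require that the current head is the commit
                 auto-merge was enabled for; this is the check a merge bot or
                 required status check can add on top of any platform.
    """
    if pr.merged_sha is not None or not ci_green or pr.auto_merge_for is None:
        return False
    if guard and pr.auto_merge_for != pr.head_sha:
        pr.log.append(("refused_head_moved", pr.head_sha))
        return False
    pr.merged_sha = pr.head_sha
    pr.log.append(("merged", pr.head_sha))
    return True


def simulate(policy: str, guard: bool, push_after_enable: bool = True) -> Optional[str]:
    """Run the scenario from the thread; return the SHA that got merged, or None.

    1. PR opened at REVIEWED_SHA, reviewer enables auto-merge.
    2. (optionally) the PR author pushes UNREVIEWED_SHA.
    3. CI passes and the merge gate runs.
    """
    pr = PullRequest(number=1, head_sha=REVIEWED_SHA)
    enable_auto_merge(pr)
    if push_after_enable:
        push(pr, UNREVIEWED_SHA, policy)
    auto_merge(pr, ci_green=True, guard=guard)
    return pr.merged_sha


if __name__ == "__main__":
    for policy in ("sticky", "bound"):
        for guard in (False, True):
            merged = simulate(policy, guard)
            print(f"policy={policy:6} guard={guard!s:5} merged={merged}")
```

Only the "sticky" policy without a guard merges the unreviewed commit; the "bound" policy never merges after a push, and the SHA guard refuses even under "sticky". If the platform does not bind enablement for you, an approximation (my suggestion, not something the thread states) is a workflow on the pull request `synchronize` event that disarms auto-merge, e.g. with `gh pr merge --disable-auto`, so a human has to re-enable it after looking at the new head.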

GitLab has had this behaviour (disable auto-merge when new commits are pushed) since long before GitHub even had auto-merge.

It’s such an obvious attack vector, I’m pretty sure I tested GitLab soon after the feature initially rolled out.
