
This may not be a huge issue depending on mitigating controls, but are they saying that anyone can submit a PR (containing anything) to Immich, tag the PR with `preview`, and have the contents of that PR hosted on https://pr-<num>.preview.internal.immich.cloud?

Doesn't that effectively let anyone host anything there?

I think only collaborators can add labels on GitHub, so not quite. Does seem a bit hazardous though (you could submit a legit PR, get the label, and then commit whatever you want?).

Exposure also extends not just to the owner of the PR but to anyone with write access to the branch from which it was submitted. GitHub pushes are SSH-authenticated and often automated in many workflows.

So basically like https://docs.google.com/ ?

Yes, except on Google Docs you can't make the document steal credentials or download malware by simply clicking on the link.

It's more like sites.google.com.


No, it doesn't work at all for PRs from forks.
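The two controls the comments above rely on (only collaborators can apply the label; fork PRs never get a preview) plus the "get the label, then push more commits" gap can be expressed as one policy check. The following is an added example written for this thread, not Immich's own workflow code: it evaluates a GitHub `pull_request` webhook payload and only allows a preview deploy when a trusted role applies the label to a same-repository branch, and it refuses to reuse a label for pushes made after labeling. Field names follow GitHub's documented `pull_request` payload; the label name, the trusted-role set and the repository names in the sample payloads are assumed values constructed for illustration.

```python
# Added example (not Immich's code): a policy check a preview-deploy workflow
# could run on the GitHub `pull_request` webhook payload before building and
# hosting a PR's contents. Field names follow GitHub's documented payload;
# PREVIEW_LABEL, TRUSTED_ASSOCIATIONS and the repository names are assumptions.
from __future__ import annotations

from typing import Any

PREVIEW_LABEL = "preview"  # assumed label name
# Real values of GitHub's `author_association` field that denote repo insiders.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}
# Deploy only on the act of labeling; a later push ("synchronize") must not
# ride on a label that was granted for earlier commits.
ALLOWED_ACTIONS = {"labeled"}


def preview_decision(event: dict[str, Any]) -> tuple[bool, str]:
    """Return (allow, reason) for one pull_request webhook event."""
    pr = event.get("pull_request") or {}
    action = event.get("action")

    # 1. Only the labeling event triggers a deploy; new commits need a re-label.
    if action not in ALLOWED_ACTIONS:
        return False, f"action {action!r} does not trigger a preview; re-label after review"

    # 2. The preview label must actually be present on the PR.
    labels = {lbl.get("name") for lbl in pr.get("labels", [])}
    if PREVIEW_LABEL not in labels:
        return False, "preview label not present"

    # 3. Refuse PRs whose head branch lives in another repository (forks).
    #    `head.repo` is null when a fork has been deleted, so treat that as a fork too.
    head_repo = (pr.get("head") or {}).get("repo") or {}
    base_repo = (pr.get("base") or {}).get("repo") or {}
    if not head_repo or head_repo.get("full_name") != base_repo.get("full_name"):
        return False, "head branch is not in the base repository"

    # 4. The PR author must hold a trusted role in the repository.
    if pr.get("author_association") not in TRUSTED_ASSOCIATIONS:
        return False, f"author association {pr.get('author_association')!r} is not trusted"

    return True, "ok"


def make_event(action: str, labels: list[str], head_full_name: str | None,
               author_association: str,
               base_full_name: str = "example-org/example-repo") -> dict[str, Any]:
    """Construct a minimal payload carrying only the fields the policy reads (constructed data)."""
    return {
        "action": action,
        "pull_request": {
            "labels": [{"name": n} for n in labels],
            "head": {"repo": {"full_name": head_full_name} if head_full_name else None},
            "base": {"repo": {"full_name": base_full_name}},
            "author_association": author_association,
        },
    }


if __name__ == "__main__":
    cases = {
        "collaborator labels same-repo PR": make_event("labeled", ["preview"], "example-org/example-repo", "COLLABORATOR"),
        "fork PR with label": make_event("labeled", ["preview"], "someone/example-repo", "CONTRIBUTOR"),
        "push after labeling": make_event("synchronize", ["preview"], "example-org/example-repo", "COLLABORATOR"),
        "no label": make_event("opened", [], "example-org/example-repo", "MEMBER"),
    }
    for name, ev in cases.items():
        allow, reason = preview_decision(ev)
        print(f"{name}: {'DEPLOY' if allow else 'SKIP'} ({reason})")
```

Gating on the `labeled` action alone is what closes the gap raised above: once a collaborator has applied the label, any further push produces a `synchronize` event, which this policy rejects until someone re-applies the label after looking at the new commits.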

That was my first thought - have the preview URLs possibly actually been abused through GitHub?

Excellent idea for cost-free phishing.
