
fix: security test #106

Closed
wants to merge 6 commits into from
Conversation

4bg0P
Contributor

@4bg0P 4bg0P commented Jan 16, 2025

This MR aims to test a security vulnerability

@4bg0P 4bg0P requested a review from a team as a code owner January 16, 2025 09:43
@4bg0P 4bg0P marked this pull request as draft January 16, 2025 09:43
@4bg0P 4bg0P marked this pull request as ready for review January 16, 2025 09:51
@4bg0P 4bg0P marked this pull request as draft January 16, 2025 09:51
@4bg0P 4bg0P marked this pull request as ready for review January 16, 2025 09:59
@4bg0P
Contributor Author

4bg0P commented Jan 16, 2025

Hey @m4rii0,

I hope you are doing well! Following my last merged MR, I am considered a contributor to the repository. I'm now able to run any "pull_request" trigger of the repository without any review from other contributors or maintainers.

To be 100% transparent, I'm part of the Inditex bug bounty program and I wanted to test if I was able to retrieve the SONAR_TOKEN secret from this repository (and I failed).

The PR-verify GitHub action (https://github.com/InditexTech/gh-sherpa/blob/main/.github/workflows/PR-verify.yml) is dangerous, as it checks out the code of the pull request and then executes the `make verify` command.
As the workflow checks out the code of the pull request, the author of the pull request can modify the Makefile to make `make verify` execute any attacker-controlled command.
I've achieved it, and tried to retrieve the SONAR_TOKEN secret, but it was only available in the Sonar-related step.

I'm not writing a bug bounty report out of it as the impact is low and not explicitly in scope, but I still thought you should be aware of it.

Have a great day,
Théo

@danielfn
Member

Hi @4bg0P,

As @m4rii0 said in the other PR, good catch, again ;)

Due to the workflow design, the `make verify` step should not have access to any exposed secrets in the workflow, but you are right that we still need to have tighter control over what can be run in it. Also, as of this moment, we are changing our policy for running fork pull request workflows from contributors to require approval for all external contributions, not just first-time contributors. Thanks for your suggestions!
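The mitigation both comments point at, shown as an added illustration rather than the project's actual `.github/workflows/PR-verify.yml`: the job that runs pull-request-controlled code (`make verify`, whose Makefile the PR author can edit) gets a read-only token and no secrets, while the Sonar step that needs `SONAR_TOKEN` lives in a separate job that only runs on pushes to the default branch. The job names, the `push` gate and the Sonar action used are assumptions, not taken from the repository.

```yaml
name: PR-verify (hardened example, not the project's file)

on:
  pull_request:
  push:
    branches: [main]

# Default token scope for every job: read-only on contents, nothing else.
permissions:
  contents: read

jobs:
  verify:
    # Executes code from the PR head (including the Makefile), so this job
    # must hold no secrets and no writable token: nothing here is worth stealing.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # don't leave GITHUB_TOKEN in .git/config
      - run: make verify               # attacker-influenceable, but isolated

  sonar:
    # Assumed gate: only on push to main, i.e. code that was already reviewed
    # and merged, never on a pull_request event alongside untrusted code.
    if: github.event_name == 'push'
    needs: verify
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0               # full history for Sonar blame data
      - uses: SonarSource/sonarcloud-github-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # only ever present in this job
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The trade-off is that Sonar no longer analyses pull requests before merge; the repository-level "require approval for all external contributions" setting mentioned above is what closes the remaining gap for forks.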

@danielfn danielfn closed this Jan 17, 2025