
742 points janpio | 2 comments
kevinsundar No.45676293
This may not be a huge issue depending on mitigating controls, but are they saying that anyone can submit a PR (containing anything) to Immich, tag the PR with `preview`, and have the contents of that PR hosted on https://pr-<num>.preview.internal.immich.cloud?

Doesn't that effectively let anyone host anything there?

1. daemonologist No.45676486
I think only collaborators can add labels on GitHub, so not quite. Does seem a bit hazardous though (you could submit a legit PR, get the label, and then commit whatever you want?).
2. ajross No.45676878
Exposure also extends not just to the owner of the PR but anyone with write access to the branch from which it was submitted. GitHub pushes are ssh-authenticated and often automated in many workflows.
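One way to close the gap daemonologist and ajross describe (label granted once, then arbitrary later pushes get deployed) is to strip the `preview` label on every new push so a collaborator has to re-apply it before redeploying. This is an added example workflow, not Immich's own; the workflow name, job name and comment text are assumptions, and only the `preview` label and the pr-<num> preview host come from the thread.

```yaml
# Added example (not Immich's workflow): remove the `preview` label whenever
# new commits land on a labelled PR, so each revision needs a fresh collaborator
# decision before it is hosted at pr-<num>.preview.internal.immich.cloud.
name: Re-gate preview on new commits   # assumed name

on:
  pull_request_target:
    types: [synchronize]               # fires on every new push to the PR branch

permissions:
  pull-requests: write                 # needed to remove the label and comment
  contents: read

jobs:
  regate:                              # assumed job name
    # Only act when the PR currently carries the label.
    if: contains(github.event.pull_request.labels.*.name, 'preview')
    runs-on: ubuntu-latest
    steps:
      # Deliberately no checkout: pull_request_target runs with base-repo
      # permissions, so untrusted PR code must never be executed here.
      - uses: actions/github-script@v7
        with:
          script: |
            const { owner, repo } = context.repo;
            const issue_number = context.payload.pull_request.number;
            const name = 'preview';
            await github.rest.issues.removeLabel({ owner, repo, issue_number, name });
            await github.rest.issues.createComment({
              owner, repo, issue_number,
              body: 'New commits were pushed, so the `preview` label was removed. ' +
                    'A collaborator must re-apply it before the preview is redeployed.',
            });
```

This only helps if the deploy workflow itself triggers on the `labeled` event (checking that the label added is `preview`) rather than on `synchronize`, otherwise the deploy and the label removal race each other.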