1. 48
  1.  

  2. 7

    Excellent article

    To get the collision to affect anything on GitHub, I needed to push it to the actions/docker repo. This posed a problem, because I didn’t have write access to the actions/docker repo. However, I realized I could get around that issue by forking the actions/docker repo and pushing a commit to my fork (since GitHub shares commits between forks and parent repositories).

    I wonder if other third party systems (the likes of composer, npm etc.) could be vulnerable if they’re (ab)using shorthashes rather than the entire hash

    1. 1

      Nice writeup :)

      1. 1