Hi Massdriver Team,
I was reviewing a few public OpenTofu/IaC-related repositories as part of some offline security tooling experiments, and I took a look at mass-cloud/mass.
A few patterns came up that might be worth a closer review, for example:
- usage of text/template in a way that could become an XSS surface depending on how output is handled
- a deserialization/data-handling path in pkg/files/files.go that may deserve an extra safety check
- some CI/workflow supply-chain hardening opportunities in GitHub Actions
I’m not sure if these are already known or mitigated internally, but I wanted to flag them responsibly since the project is public and widely used.
If it’s useful, I can share the full structured report (HTML/JSON) privately with the appropriate maintainer or security contact.
Thanks for your time, and happy to provide details.
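The first bullet above refers to the difference between Go's text/template and html/template. The example below is added here for illustration and is not code from the mass-cloud/mass repository: it renders the same one-line template through both packages with a constructed, attacker-style input so the difference in escaping is visible. The Page type, the template string and the sample value are all assumptions made for this demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Page is a constructed data model standing in for whatever value a real
// service interpolates into web output (an artifact name, a label, etc.).
type Page struct {
	Name string
}

// tmplSrc is a hypothetical template that places Name in HTML text context.
const tmplSrc = `<h1>Hello {{.Name}}</h1>`

// renderText renders tmplSrc with text/template, which performs no escaping:
// whatever is in Name lands in the output byte-for-byte.
func renderText(name string) (string, error) {
	t, err := texttemplate.New("page").Parse(tmplSrc)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, Page{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTML renders the same template with html/template, which escapes the
// value according to the HTML context it is interpolated into (here: text
// content, so <, >, &, quotes are entity-encoded).
func renderHTML(name string) (string, error) {
	t, err := htmltemplate.New("page").Parse(tmplSrc)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, Page{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample input: a value that must not be rendered as markup.
	hostile := `<script>alert(1)</script>`

	plain, err := renderText(hostile)
	if err != nil {
		panic(err)
	}
	safe, err := renderHTML(hostile)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template :", plain) // script tag passed through unchanged
	fmt.Println("html/template :", safe)  // script tag entity-encoded
}
```

The practical check when reviewing a code base is therefore: for every template whose output reaches a browser, confirm it is parsed with html/template (or that the output is escaped before use), not text/template. Note that html/template is only a defence when the output is HTML; for other formats (shell scripts, YAML, JSON) different escaping applies.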