fix: Remove pull_request_target code checkout vulnerability #694
fix-it-felix-sentry[bot] wants to merge 1 commit into main from
This fixes a security vulnerability (VULN-1426 / ENG-7271) where the workflow was checking out untrusted PR code in a pull_request_target context, which could allow malicious PRs to exfiltrate repository secrets via modified dependencies or build scripts.

The workflow now requires manual review for fork PRs instead of automatically running untrusted code with access to secrets.

References:
- Parent ticket: https://linear.app/getsentry/issue/VULN-1426
- Child ticket: https://linear.app/getsentry/issue/ENG-7271
- https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Semver Impact of This PR: 🟢 Patch (bug fixes)
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| SHA="${{ github.event.pull_request.head.sha }}" | ||
| if [[ "${{ steps.eval.outcome }}" == "success" ]]; then | ||
| STATE="success" | ||
| DESC="Skill eval passed" | ||
| else | ||
| STATE="failure" | ||
| DESC="Skill eval failed" | ||
| fi | ||
| gh api "repos/${{ github.repository }}/statuses/$SHA" \ | ||
| -f state="$STATE" \ | ||
| -f state="pending" \ |
Bug: The workflow sets the eval-skill/fork commit status to pending, but the main CI requires success, permanently blocking fork PRs that modify skill files from passing checks.
Severity: HIGH
Suggested Fix
Update the workflow to allow a maintainer's action, such as adding the eval-skill-passed label, to trigger an update that sets the eval-skill/fork commit status to success. This will unblock the CI check in ci.yml after a maintainer has manually approved the skill evaluation.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: .github/workflows/eval-skill-fork.yml#L43-L47
Potential issue: The `ci.yml` workflow requires the `eval-skill/fork` commit status to
be `success` for fork PRs that modify skill files. However, the new
`eval-skill-fork.yml` workflow hardcodes this status to `pending`. The instructions for
maintainers mention adding a label (`eval-skill-passed`) after manual review, but the CI
check does not look for this label. Because there is no mechanism to update the commit
status to `success`, any fork PR modifying skill files will be permanently blocked from
passing CI checks and cannot be merged.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Fork PR commit status permanently stuck at pending
  - Added a workflow job that listens for the `eval-skill-passed` label on fork PRs and posts `eval-skill/fork` status as `success` on the PR head SHA.
Or push these changes by commenting:
@cursor push 49d826d89a
Preview (49d826d89a)
diff --git a/.github/workflows/eval-skill-fork.yml b/.github/workflows/eval-skill-fork.yml
--- a/.github/workflows/eval-skill-fork.yml
+++ b/.github/workflows/eval-skill-fork.yml
@@ -70,3 +70,21 @@
3. Reviewing the results and adding the \`eval-skill-passed\` label if successful
See [GitHub Security Lab: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) for more information about this security issue."
+
+ mark-manual-review-passed:
+ name: Mark fork eval as passed
+ if: >-
+ github.event.action == 'labeled'
+ && github.event.label.name == 'eval-skill-passed'
+ && github.event.pull_request.head.repo.fork == true
+ runs-on: ubuntu-latest
+ steps:
+ - name: Post success commit status
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ SHA="${{ github.event.pull_request.head.sha }}"
+ gh api "repos/${{ github.repository }}/statuses/$SHA" \
+ -f state="success" \
+ -f context="eval-skill/fork" \
+ -f description="Manual fork PR skill evaluation approved by maintainer"This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.
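Review bot: In `mark-manual-review-passed`, `SHA="${{ github.event.pull_request.head.sha }}"` is resolved when the label is applied, so `success` lands on whatever commit is the fork's head at that moment, which may be newer than the commit the maintainer actually evaluated. Consider having the maintainer supply the evaluated SHA, or removing the `eval-skill-passed` label when new commits are pushed, so that approval cannot carry over to unreviewed code. The `if:` also depends on the workflow's trigger including the `labeled` activity type, which this hunk does not show, and the two `${{ }}` expressions in `run:` would be better passed through `env:` than interpolated into the script.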
Reviewed by Cursor Bugbot for commit 7259a84.
| -f state="pending" \ | ||
| -f context="eval-skill/fork" \ | ||
| -f description="$DESC" | ||
| -f description="Manual review required for fork PRs (security restriction)" |
Fork PR commit status permanently stuck at pending
High Severity
The workflow sets the eval-skill/fork commit status to "pending" but never provides a path to set it to "success". The ci.yml eval-skill job checks this status and fails if it's not "success". The comment instructs maintainers to add the eval-skill-passed label, but no workflow reacts to that label by updating the commit status. This means fork PRs that modify skill files can never pass CI — the status is permanently stuck at "pending".
Reviewed by Cursor Bugbot for commit 7259a84.
Intentional



Summary
This PR fixes a high-severity security vulnerability where the `eval-skill-fork.yml` workflow was checking out untrusted PR code in a `pull_request_target` context with access to repository secrets.

Security Issue
The workflow was:
- `pull_request_target` context (has write permissions and access to secrets)
- `ref: ${{ github.event.pull_request.head.sha }}`
- `bun install` (executing potentially malicious install scripts)
- `bun run eval:skill` (executing potentially malicious code)
- `ANTHROPIC_API_KEY` secret to the untrusted code

This could allow a malicious PR to exfiltrate repository secrets by modifying `package.json`, `bun.lock`, or build scripts.

Fix
The workflow now:
- `pull_request_target` context

Impact
Fork PRs will no longer have automated skill evaluation. Maintainers must:
- `bun run eval:skill` with appropriate credentials
- `eval-skill-passed` label manually if successful

This is a necessary security trade-off to prevent secret exfiltration.
References
🤖 Generated with Claude Code
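A static check for the pattern this PR removes, as an added example (not code from the PR or the repository): it flags a workflow that triggers on `pull_request_target`, checks out the PR head, and references secrets. The function name `audit`, the regex heuristics and both sample workflows are constructed for illustration.

```python
import re

# Constructed sample workflows (not the project's real files).
VULNERABLE = """\
on: pull_request_target
jobs:
  eval:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: bun install
      - run: bun run eval:skill
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
"""
HARDENED = """\
on: pull_request_target
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - run: gh api "repos/$REPO/statuses/$SHA" -f state=pending
        env:
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          SHA: ${{ github.event.pull_request.head.sha }}
"""

TRIGGER = re.compile(r"^\s*(on:.*)?\bpull_request_target\b", re.M)
# A checkout input (ref:/repository:) that points at the PR head.
HEAD_REF = re.compile(
    r"^\s*(ref|repository):\s*.*github\.event\.pull_request\.head\.(sha|ref|repo)", re.M)
SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

def audit(workflow_text):
    """Return findings for the pwn-request pattern in one workflow file."""
    text = "\n".join(l for l in workflow_text.splitlines()
                     if not l.lstrip().startswith("#"))  # ignore YAML comments
    if not TRIGGER.search(text):
        return []
    findings = []
    if "actions/checkout" in text and HEAD_REF.search(text):
        findings.append("checks out PR head under pull_request_target")
        for name in sorted(set(SECRET.findall(text))):
            findings.append(f"secret {name} reachable by checked-out code")
    return findings
```

The check is text-based and heuristic: it does not parse YAML or follow reusable workflows, so a clean result is not proof that a workflow is safe.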