Trust only our own comments for the state marker#51
Open
Phlogistique wants to merge 2 commits into
read_state_marker accepted a marker from any comment, so anyone able to comment on a public repo could plant one; if its base matched, the resume would merge an attacker-chosen commit (fork-pushed objects are reachable by hash) into the branch and push it with the action's token. A quote-reply of an old conflict comment could likewise resurrect a stale marker, since HTML comments survive quoting and the newest marker wins. Filter the comments to viewerDidAuthor, i.e. those posted with the same token the action runs under. Also reject markers with missing fields instead of passing empty values to git: a marker missing squash= used to crash the run on update-ref and strand the PR under the label.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
https://claude.ai/code/session_01JHvKryT4QUpHYdNq9YEQxX

"comments posted with our own token count" parsed as the noun phrase "token count". Also viewerDidAuthor matches the token's identity, not the token itself.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
`read_state_marker` accepted a marker from any comment, so on a public repo anyone able to comment could plant one; if its `base=` matched, the resume would merge an attacker-chosen commit (fork-pushed objects are reachable by hash in the repo network) into the branch and push it with the action's token. Benign variant: a quote-reply of an old conflict comment resurrects a stale marker, since HTML comments survive quoting and the newest marker wins.

Fix: filter comments to `viewerDidAuthor` — those posted with the same token the action runs under — which needs no configured identity. The resume test's gh mock rejects comment queries without that filter. Caveat: if the repo switches tokens (e.g. `GITHUB_TOKEN` → App) while a PR sits in conflict, the old marker is no longer "ours" and the resume takes the safe abandon path.

Also rejects markers with missing fields instead of passing empty values to git (a marker missing `squash=` used to crash on `update-ref` and strand the PR under the label); new scenario E covers it.

Stacked on #50 (same function).
🤖 Generated with Claude Code
https://claude.ai/code/session_01JHvKryT4QUpHYdNq9YEQxX
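The marker-reading logic the PR describes, as an added Python sketch that is not the project's own code: it keeps only comments whose `viewerDidAuthor` is true, lets the newest of those win, and rejects a marker with a missing field instead of handing empty values to git. The marker shape `<!-- merge-state base=… squash=… -->`, the GraphQL field names, the hex shape check on the values and the sample comments are all assumptions.

```python
import re
from typing import Optional

# Assumed marker shape; the PR text only names the base= and squash= fields.
MARKER_RE = re.compile(r"<!--\s*merge-state\s+(?P<fields>[^>]*?)\s*-->")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("base", "squash")
SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")  # cheap shape check before anything reaches git


def parse_marker(body: str) -> Optional[dict]:
    """Return the marker's fields, or None if the body has no valid marker."""
    m = MARKER_RE.search(body)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # A missing or malformed field means "no marker": never hand "" to update-ref.
    if any(not SHA_RE.match(fields.get(name, "")) for name in REQUIRED):
        return None
    return {name: fields[name] for name in REQUIRED}


def read_state_marker(comments: list) -> Optional[dict]:
    """Newest marker among comments our own token posted, else None (abandon path).
    Comments mirror the GraphQL IssueComment fields body/createdAt/viewerDidAuthor."""
    ours = [c for c in comments if c.get("viewerDidAuthor") is True]
    for c in sorted(ours, key=lambda c: c["createdAt"], reverse=True):
        if MARKER_RE.search(c["body"]):
            return parse_marker(c["body"])  # newest own marker wins; malformed -> None
    return None


# Constructed sample thread: our marker, a maintainer's quote-reply of an old
# marker, and a marker planted by an outside commenter.
SAMPLE_COMMENTS = [
    {"body": "<!-- merge-state base=1111111 squash=2222222 -->\nConflict; waiting.",
     "createdAt": "2024-05-01T10:00:00Z", "viewerDidAuthor": True},
    {"body": "> <!-- merge-state base=0000000 squash=9999999 -->\nSorry about that.",
     "createdAt": "2024-05-02T10:00:00Z", "viewerDidAuthor": False},
    {"body": "<!-- merge-state base=1111111 squash=deadbee -->",
     "createdAt": "2024-05-03T10:00:00Z", "viewerDidAuthor": False},
]
MISSING_FIELD_COMMENTS = [
    {"body": "<!-- merge-state base=1111111 -->",
     "createdAt": "2024-05-04T10:00:00Z", "viewerDidAuthor": True},
]

if __name__ == "__main__":
    print(read_state_marker(SAMPLE_COMMENTS))        # {'base': '1111111', 'squash': '2222222'}
    print(read_state_marker(MISSING_FIELD_COMMENTS))  # None
```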