
security: --admin and other privileged flags ride past merge-guard auth binding #1042

Description

@michael-wojcik

Discovered during PR #1040 / v4.4.43 (merge-guard auth-symmetry, #1031/#1032).

Problem

The merge-guard binding model is (operation, target) — e.g. (merge, 1040). The extractor drops dash-flags when finding the PR positional (merge_guard_common.py, ~L303). So an approved gh pr merge 1040 and an executed gh pr merge 1040 --admin bind to the same (merge, 1040) — the --admin flag (which bypasses branch protection) rides past the guard undetected.

Same integrity-of-binding class as #1032 (approved-command == executed-command), but for privileged flags rather than op/target.

Proposed direction

Extend the binding to a small denylist of consequential flags (--admin, force variants, possibly --delete-branch): such a flag must be present in the approved option to be permitted in the executed command, else refuse. Touches merge_guard_common + both hooks + tests + security/architect re-review.

Related

multiSelect bundles are currently refused as a mint source (security-safe); revisit if privileged-flag approval ever needs multiSelect.

Severity: security hardening (narrow privilege-escalation-past-approval for a user who already has admin).
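The escape and the proposed fix side by side, as an added example that is not code from the project or from merge_guard_common.py. It assumes a toy extractor that takes the first non-dash token after the subcommand as the PR positional (the real one at ~L303 is not shown here), a constructed denylist of --admin, force variants and --delete-branch, and a short-alias map (-d for --delete-branch) that is an assumption. Flags that take a separate value, such as --match-head-commit SHA, are not modeled.

```python
from __future__ import annotations

import shlex

# Constructed denylist for this example: the issue proposes --admin, force
# variants and possibly --delete-branch; the exact set is an assumption.
PRIVILEGED_FLAGS = frozenset(
    {"--admin", "--force", "--force-with-lease", "--delete-branch"}
)
# Short aliases folded into their long form (assumption: gh uses -d for
# --delete-branch; -f stands in for a force variant).
FLAG_ALIASES = {"-d": "--delete-branch", "-f": "--force"}


def _is_flag(tok: str) -> bool:
    return tok.startswith("-") and tok != "-"


def _canonical_flag(tok: str) -> str:
    # "--delete-branch=true" -> "--delete-branch"; "-d" -> "--delete-branch"
    name = tok.split("=", 1)[0]
    return FLAG_ALIASES.get(name, name)


def extract_op_target(cmd: str) -> tuple[str, str] | None:
    """Current binding model: (operation, target).

    Dash-flags are skipped while searching for the PR positional, so
    "gh pr merge 1040" and "gh pr merge 1040 --admin" bind identically.
    """
    argv = shlex.split(cmd)
    if argv[:2] != ["gh", "pr"] or len(argv) < 4:
        return None
    op = argv[2]
    # Toy positional search: first non-flag token after the operation.
    positionals = [t for t in argv[3:] if not _is_flag(t)]
    if not positionals:
        return None
    return (op, positionals[0])


def extract_privileged_flags(cmd: str) -> frozenset[str]:
    """Canonical names of denylisted flags present anywhere after the op."""
    argv = shlex.split(cmd)
    return frozenset(
        _canonical_flag(t)
        for t in argv[3:]
        if _is_flag(t) and _canonical_flag(t) in PRIVILEGED_FLAGS
    )


def extract_binding(cmd: str) -> tuple[str, str, frozenset[str]] | None:
    """Hardened binding: (operation, target, privileged_flags)."""
    ot = extract_op_target(cmd)
    if ot is None:
        return None
    return (ot[0], ot[1], extract_privileged_flags(cmd))


def is_permitted(approved: str, executed: str) -> bool:
    """Permit only if (op, target) match and every privileged flag in the
    executed command was also present in the approved one.

    Fewer privileges than approved is allowed; any extra one is refused.
    Non-denylisted flags (e.g. --squash) do not affect the decision.
    """
    a, e = extract_binding(approved), extract_binding(executed)
    if a is None or e is None:
        return False
    return a[:2] == e[:2] and e[2] <= a[2]


if __name__ == "__main__":
    approved = "gh pr merge 1040"
    executed = "gh pr merge 1040 --admin"
    # Old model: both bind to ("merge", "1040"), so --admin rides past.
    print("old binding equal:", extract_op_target(approved) == extract_op_target(executed))
    # New model: executed carries --admin that approval never covered; refused.
    print("new guard permits:", is_permitted(approved, executed))
```

The subset check is deliberately one-directional: an approved `--admin` merge executed without `--admin` is still within what was approved. The denylist form keeps the binding small, but it needs maintenance as gh grows flags; binding the full canonicalised argv would close the class entirely at the cost of refusing harmless differences like `--squash`.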
