Discovered during PR #1040 / v4.4.43 (merge-guard auth-symmetry, #1031/#1032).
Problem
The merge-guard binding model is (operation, target) — e.g. (merge, 1040). The extractor drops dash-flags when finding the PR positional (merge_guard_common.py, ~L303). So an approved gh pr merge 1040 and an executed gh pr merge 1040 --admin bind to the same (merge, 1040) — the --admin flag (which bypasses branch protection) rides past the guard undetected.
Same integrity-of-binding class as #1032 (approved-command == executed-command), but for privileged flags rather than op/target.
Proposed direction
Extend the binding to a small denylist of consequential flags (--admin, force variants, possibly --delete-branch): such a flag must be present in the approved option to be permitted in the executed command, else refuse. Touches merge_guard_common + both hooks + tests + security/architect re-review.
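As an added illustration of the proposed direction (example code written for this issue, not the project's own merge_guard_common.py), the extractor below keeps a denylist of consequential flags as part of the binding and the check refuses any executed command whose consequential flags are not a subset of the approved command's. The denylist, the short-form aliases (-d, -f) and the function names are assumptions for the example; the real set is the decision this issue asks for. It also generalizes slightly beyond the --admin case by normalizing --flag=value forms and clustered short flags, since a guard that compares raw tokens could be sidestepped by either spelling.

```python
import shlex
from dataclasses import dataclass, field

# Constructed denylist for this example. The issue names --admin, "force variants"
# and possibly --delete-branch; the exact set is left to the hardening PR.
ALIASES = {"-d": "--delete-branch", "-f": "--force"}   # assumed short forms
CONSEQUENTIAL_FLAGS = frozenset({"--admin", "--force", "--delete-branch"})


@dataclass(frozen=True)
class Binding:
    """(operation, target) plus the consequential flags present on the command."""
    operation: str
    target: str
    privileged: frozenset = field(default_factory=frozenset)


def _normalize(tok: str) -> list[str]:
    """Turn one argv token into canonical flag name(s), or return it unchanged.

    '--flag=value' -> ['--flag']; clustered short flags '-dm' -> ['-d', '-m'];
    short aliases map to their long form. Over-splitting a short flag with an
    attached value can only cause a refusal, never a bypass, so it is acceptable
    for a guard.
    """
    if tok.startswith("--"):
        return [tok.split("=", 1)[0]]
    if tok.startswith("-") and len(tok) > 2:
        return [ALIASES.get("-" + c, "-" + c) for c in tok[1:]]
    if tok.startswith("-"):
        return [ALIASES.get(tok, tok)]
    return [tok]


def extract_binding(command: str) -> Binding:
    """Parse 'gh pr <op> <target> [flags]' into a Binding.

    Unlike an extractor that drops every dash-flag while locating the PR
    positional, this one retains any flag found in CONSEQUENTIAL_FLAGS.
    """
    argv = shlex.split(command)
    if len(argv) < 4 or argv[:2] != ["gh", "pr"]:
        raise ValueError(f"not a 'gh pr <op> <target>' command: {command!r}")
    operation = argv[2]
    tokens = [t for tok in argv[3:] for t in _normalize(tok)]
    positionals = [t for t in tokens if not t.startswith("-")]
    if not positionals:
        raise ValueError(f"no PR target in {command!r}")
    privileged = frozenset(t for t in tokens if t in CONSEQUENTIAL_FLAGS)
    return Binding(operation, positionals[0], privileged)


def check_symmetry(approved: str, executed: str) -> tuple[bool, str]:
    """Permit the executed command only if op/target match and every
    consequential flag it carries was also present on the approved command."""
    a, e = extract_binding(approved), extract_binding(executed)
    if (a.operation, a.target) != (e.operation, e.target):
        return False, (f"op/target mismatch: approved {(a.operation, a.target)}, "
                       f"executed {(e.operation, e.target)}")
    unapproved = e.privileged - a.privileged
    if unapproved:
        return False, f"unapproved consequential flag(s): {sorted(unapproved)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed approved/executed pairs, including the case from the issue.
    for approved, executed in [
        ("gh pr merge 1040", "gh pr merge 1040"),
        ("gh pr merge 1040", "gh pr merge 1040 --admin"),
        ("gh pr merge 1040 --admin", "gh pr merge 1040 --admin"),
        ("gh pr merge 1040 --admin", "gh pr merge 1040"),
    ]:
        print(f"{executed!r:40} -> {check_symmetry(approved, executed)}")
```

The check is deliberately one-directional: an executed command that drops an approved consequential flag is still permitted, since that is strictly less privilege than what was approved, while any consequential flag that appears only on the executed side is refused.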
Related
multiSelect bundles are currently refused as a mint source (security-safe); revisit if privileged-flag approval ever needs multiSelect.
Severity: security hardening (narrow privilege-escalation-past-approval for a user who already has admin).