fix(security): close gh permission gaps in settings.json #89

Merged: potiuk merged 1 commit into apache:main from andrew:fix/settings-gh-permission-gaps, May 7, 2026

andrew (Contributor) commented May 7, 2026

Split from #88 per review.

`gh auth token` and `gh auth refresh` are added to `permissions.deny`. `gh auth token` prints the GitHub token to stdout with no prompt, so any injection that reaches Bash can capture it and exfil via the already-allowlisted `api.github.com`. No skill in the repo needs either command.

`gh workflow run *` is added to `permissions.ask` so an injected agent can't trigger arbitrary upstream workflows without a confirmation prompt.

Flag-first variants `gh api --method *` and `gh api --input *` are added alongside the existing `gh api * --method *` / `gh api * --input *` patterns. With the flag before the endpoint path the existing patterns may not match, depending on whether the glob `*` matches the empty string.
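
A sketch of the argument-ordering gap described above, as an added example that is not part of the PR or the repository's code. It assumes each rule is a plain string glob matched against the whole command line (the agent's real matcher may tokenise differently); the rule lists and sample commands are constructed from the patterns named in the description, and `glob_to_regex` / `decide` are hypothetical helpers.

```python
import re

# Constructed rule sets built from the patterns named in the PR description.
# ASSUMPTION: each rule is a plain string glob matched against the whole
# command line; the agent's real matcher may tokenise or anchor differently.
OLD_ASK = ["gh api * --method *", "gh api * --input *"]
BEFORE = {"deny": [], "ask": OLD_ASK}
AFTER = {
    "deny": ["gh auth token", "gh auth refresh"],
    "ask": OLD_ASK + ["gh api --method *", "gh api --input *", "gh workflow run *"],
}


def glob_to_regex(pattern, star_matches_empty=True):
    """Compile a '*'-only glob; the flag picks whether '*' may match nothing."""
    star = ".*" if star_matches_empty else ".+"
    body = star.join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.DOTALL)


def decide(command, rules, star_matches_empty=True):
    """Return 'deny', 'ask' or 'unmatched'; deny is checked before ask."""
    for verdict in ("deny", "ask"):
        for pattern in rules[verdict]:
            if glob_to_regex(pattern, star_matches_empty).fullmatch(command):
                return verdict
    # No deny/ask rule applies: the command falls through to whatever broader
    # rule or default the settings file has (not modelled here).
    return "unmatched"


# Constructed commands: endpoint-first and flag-first orderings of one call,
# plus the two other commands the PR description covers.
SAMPLES = [
    "gh api /repos/o/r/issues --method POST",
    "gh api --method POST /repos/o/r/issues",
    "gh api --input body.json /repos/o/r/issues",
    "gh auth token",
    "gh workflow run release.yml",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        for empty in (True, False):
            print(f"{cmd!r:48} star_empty={empty!s:5} "
                  f"before={decide(cmd, BEFORE, empty):9} after={decide(cmd, AFTER, empty)}")
```

Under this assumed matcher, the literal spaces on both sides of `*` keep the endpoint-first patterns from matching a flag-first command whether or not `*` may be empty; only the explicit flag-first rules catch it.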

Split from apache#88 per review.

- gh auth token / gh auth refresh -> permissions.deny. gh auth token
  prints the GitHub token to stdout with no prompt, so any injection
  that reaches Bash can capture and exfil it via the
  already-allowlisted api.github.com.
- gh workflow run -> permissions.ask.
- gh api --method / gh api --input (flag-first variants) added
  alongside the existing gh api * --method * patterns so argument
  ordering can't sidestep the match.
andrew added a commit to andrew/airflow-steward that referenced this pull request May 7, 2026
…file recipe

The printf '%s' "<x>" recipe introduced in apache#81 still passes the
attacker-controlled string through a double-quoted shell argument,
so $(...), backticks and $VAR expand before printf runs. Replace
with an instruction to use the Write tool to land the bytes on
disk without shell tokenisation, then -F field=@file as before.
Applied at all six recipe sites across the three import skills
and at Patterns 1 and 3 of the write-skill checklist so future
skills inherit the corrected form.

settings.json permission additions split to apache#89 per review.
@andrew andrew marked this pull request as ready for review May 7, 2026 12:44
@andreahlert andreahlert added mode:cross-cutting Spans multiple modes and removed mode:cross-cutting Spans multiple modes labels May 7, 2026
@potiuk potiuk merged commit 742e920 into apache:main May 7, 2026
11 checks passed
potiuk pushed a commit that referenced this pull request May 7, 2026
…ecipe (#88)

The printf '%s' "<x>" recipe introduced in #81 still passes the
attacker-controlled string through a double-quoted shell argument,
so $(...), backticks and $VAR expand before printf runs. Replace
with an instruction to use the Write tool to land the bytes on
disk without shell tokenisation, then -F field=@file as before.
Applied at all six recipe sites across the three import skills
and at Patterns 1 and 3 of the write-skill checklist so future
skills inherit the corrected form.

settings.json permission additions split to #89 per review.