anthropics/claude-code-action
1
0
Fork 0
mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-22 22:44:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: require explicit acknowledgment for wildcard write permission bypass

Browse Source 
SECURITY FIX: Addresses authorization_bypass vulnerability (LOW severity)

The allowed_non_write_users='*' configuration previously bypassed write
permission checks for all users with only a warning. This created a
security misconfiguration risk.

Changes:
- Added new input 'bypass_write_permission_check_acknowledgment' required
  when using wildcard (*)
- Modified checkWritePermissions() to throw error if wildcard used without
  explicit acknowledgment flag
- Updated all documentation (security.md, usage.md) with new requirement
- Updated example workflows to include acknowledgment flag
- Added tests for new validation behavior

This prevents accidental security misconfigurations while maintaining the
feature for intentional use cases like issue triage workflows.

Affected file: src/github/validation/permissions.ts:27
Category: authorization_bypass
Severity: LOW
This commit is contained in:
Claude
2026-01-13 23:29:39 +00:00
parent 4778aeae4c
commit 0085208689
15 changed files with 89 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
test/permissions.test.ts
View File

@@ -73,6 +73,7 @@ describe("checkWritePermissions", () => {
botName: CLAUDE_BOT_LOGIN,
allowedBots: "",
allowedNonWriteUsers: "",
bypassWritePermissionCheckAcknowledgment: false,
trackProgress: false,
includeFixLinks: true,
},
@@ -197,7 +198,7 @@ describe("checkWritePermissions", () => {
);
});
test("should bypass permission check for all users with wildcard", async () => {
test("should bypass permission check for all users with wildcard when acknowledgment provided", async () => {
const mockOctokit = createMockOctokit("read");
const context = createContext();
@@ -206,6 +207,7 @@ describe("checkWritePermissions", () => {
context,
"*",
true,
true, // acknowledgment provided
);
expect(result).toBe(true);
@@ -214,6 +216,17 @@ describe("checkWritePermissions", () => {
);
});
test("should FAIL to bypass permission check with wildcard when acknowledgment NOT provided", async () => {
const mockOctokit = createMockOctokit("read");
const context = createContext();
await expect(
checkWritePermissions(mockOctokit, context, "*", true, false),
).rejects.toThrow(
"Cannot bypass write permission checks with wildcard (*) without explicit acknowledgment",
);
});
test("should NOT bypass permission check when user not in allowed list", async () => {
const mockOctokit = createMockOctokit("read");
const context = createContext();