fix: require explicit acknowledgment for wildcard write permission bypass

SECURITY FIX: Addresses authorization_bypass vulnerability (LOW severity) The allowed_non_write_users='*' configuration previously bypassed write permission checks for all users with only a warning. This created a security misconfiguration risk. Changes: - Added new input 'bypass_write_permission_check_acknowledgment' required when using wildcard (*) - Modified checkWritePermissions() to throw error if wildcard used without explicit acknowledgment flag - Updated all documentation (security.md, usage.md) with new requirement - Updated example workflows to include acknowledgment flag - Added tests for new validation behavior This prevents accidental security misconfigurations while maintaining the feature for intentional use cases like issue triage workflows. Affected file: src/github/validation/permissions.ts:27 Category: authorization_bypass Severity: LOW
2026-01-22 22:44:13 +08:00 · 2026-01-13 23:29:39 +00:00
parent 4778aeae4c
commit 0085208689
15 changed files with 89 additions and 69 deletions
--- a/.claude/commands/label-issue.md
+++ b/.claude/commands/label-issue.md
@@ -17,7 +17,6 @@ TASK OVERVIEW:
 1. First, fetch the list of labels available in this repository by running: `gh label list`. Run exactly this command with nothing else.
 2. Next, use gh commands to get context about the issue:
   - Use `gh issue view ${{ github.event.issue.number }}` to retrieve the current issue's details
   - Use `gh search issues` to find similar issues that might provide context for proper categorization
   - You have access to these Bash commands:
@@ -27,7 +26,6 @@ TASK OVERVIEW:
     - Bash(gh search:\*) - to search for similar issues
 3. Analyze the issue content, considering:
   - The issue title and description
   - The type of issue (bug report, feature request, question, etc.)
   - Technical areas mentioned
@@ -36,7 +34,6 @@ TASK OVERVIEW:
   - Components affected
 4. Select appropriate labels from the available labels list provided above:
   - Choose labels that accurately reflect the issue's nature
   - Be specific but comprehensive
   - IMPORTANT: Add a priority label (P1, P2, or P3) based on the label descriptions from gh label list
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
@@ -24,4 +24,5 @@ jobs:
          prompt: "/label-issue REPO: ${{ github.repository }} ISSUE_NUMBER${{ github.event.issue.number }}"
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          allowed_non_write_users: "*" # Required for issue triage workflow, if users without repo write access create issues
          bypass_write_permission_check_acknowledgment: true # Required when using wildcard
          github_token: ${{ secrets.GITHUB_TOKEN }}
--- a/action.yml
+++ b/action.yml
@@ -35,6 +35,10 @@ inputs:
    description: "Comma-separated list of usernames to allow without write permissions, or '*' to allow all users. Only works when github_token input is provided. WARNING: Use with extreme caution - this bypasses security checks and should only be used for workflows with very limited permissions (e.g., issue labeling)."
    required: false
    default: ""
  bypass_write_permission_check_acknowledgment:
    description: "REQUIRED when using allowed_non_write_users='*'. Set to 'true' to explicitly acknowledge the security implications of bypassing write permission checks for all users. This flag serves as a safeguard against accidental security misconfigurations."
    required: false
    default: "false"
  # Claude Code configuration
  prompt:
@@ -186,6 +190,7 @@ runs:
        OVERRIDE_GITHUB_TOKEN: ${{ inputs.github_token }}
        ALLOWED_BOTS: ${{ inputs.allowed_bots }}
        ALLOWED_NON_WRITE_USERS: ${{ inputs.allowed_non_write_users }}
        BYPASS_WRITE_PERMISSION_CHECK_ACKNOWLEDGMENT: ${{ inputs.bypass_write_permission_check_acknowledgment }}
        GITHUB_RUN_ID: ${{ github.run_id }}
        USE_STICKY_COMMENT: ${{ inputs.use_sticky_comment }}
        DEFAULT_WORKFLOW_TOKEN: ${{ github.token }}
--- a/base-action/CONTRIBUTING.md
+++ b/base-action/CONTRIBUTING.md
@@ -57,7 +57,6 @@ Thank you for your interest in contributing to Claude Code Base Action! This doc
   ```
   This script:
   - Installs `act` if not present (requires Homebrew on macOS)
   - Runs the GitHub Action workflow locally using Docker
   - Requires your `ANTHROPIC_API_KEY` to be set
--- a/base-action/README.md
+++ b/base-action/README.md
@@ -86,7 +86,7 @@ Add the following to your workflow file:
 ## Inputs
 | Input                     | Description                                                                                                            | Required | Default                      |
-| ------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------- |
+| ------------------------- | ---------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------- |
 | `prompt`                  | The prompt to send to Claude Code                                                                                      | No\*     | ''                           |
 | `prompt_file`             | Path to a file containing the prompt to send to Claude Code                                                            | No\*     | ''                           |
 | `allowed_tools`           | Comma-separated list of allowed tools for Claude Code to use                                                           | No       | ''                           |
@@ -490,7 +490,6 @@ This example shows how to use OIDC authentication with GCP Vertex AI:
 To securely use your Anthropic API key:
 1. Add your API key as a repository secret:
   - Go to your repository's Settings
   - Navigate to "Secrets and variables" → "Actions"
   - Click "New repository secret"
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -116,7 +116,6 @@ The `additional_permissions` input allows Claude to access GitHub Actions workfl
 To allow Claude to view workflow run results, job logs, and CI status:
 1. **Grant the necessary permission to your GitHub token**:
   - When using the default `GITHUB_TOKEN`, add the `actions: read` permission to your workflow:
   ```yaml
--- a/docs/migration-guide.md
+++ b/docs/migration-guide.md
@@ -228,12 +228,10 @@ jobs:
 The action now automatically detects the appropriate mode:
 1. **If `prompt` is provided** → Runs in **automation mode**
   - Executes immediately without waiting for @claude mentions
   - Perfect for scheduled tasks, PR automation, etc.
 2. **If no `prompt` but @claude is mentioned** → Runs in **interactive mode**
   - Waits for and responds to @claude mentions
   - Creates tracking comments with progress
--- a/docs/security.md
+++ b/docs/security.md
@@ -7,6 +7,7 @@
 - **⚠️ Non-Write User Access (RISKY)**: The `allowed_non_write_users` parameter allows bypassing the write permission requirement. **This is a significant security risk and should only be used for workflows with extremely limited permissions** (e.g., issue labeling workflows that only have `issues: write` permission). This feature:
  - Only works when `github_token` is provided as input (not with GitHub App authentication)
  - Accepts either a comma-separated list of specific usernames or `*` to allow all users
  - **When using the wildcard (`*`)**, you MUST also set `bypass_write_permission_check_acknowledgment: true` to explicitly acknowledge the security implications. Without this flag, the action will fail as a safeguard against accidental security misconfigurations
  - **Should be used with extreme caution** as it bypasses the primary security mechanism of this action
  - Is designed for automation workflows where user permissions are already restricted by the workflow's permission scope
 - **Token Permissions**: The GitHub app receives only a short-lived token scoped specifically to the repository it's operating in
@@ -75,14 +76,12 @@ Commits will show as verified and attributed to the GitHub account that owns the
   ```
 2. Add the **public key** to your GitHub account:
   - Go to GitHub → Settings → SSH and GPG keys
   - Click "New SSH key"
   - Select **Key type: Signing Key** (important)
   - Paste the contents of `~/.ssh/signing_key.pub`
 3. Add the **private key** to your repository secrets:
   - Go to your repo → Settings → Secrets and variables → Actions
   - Create a new secret named `SSH_SIGNING_KEY`
   - Paste the contents of `~/.ssh/signing_key`
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -31,27 +31,23 @@ The fastest way to create a custom GitHub App is using our pre-configured manife
   **🚀 [Download the Quick Setup Tool](./create-app.html)** (Right-click → "Save Link As" or "Download Linked File")
   After downloading, open `create-app.html` in your web browser:
   - **For Personal Accounts:** Click the "Create App for Personal Account" button
   - **For Organizations:** Enter your organization name and click "Create App for Organization"
   The tool will automatically configure all required permissions and submit the manifest.
   Alternatively, you can use the manifest file directly:
   - Use the [`github-app-manifest.json`](../github-app-manifest.json) file from this repository
   - Visit https://github.com/settings/apps/new (for personal) or your organization's app settings
   - Look for the "Create from manifest" option and paste the JSON content
 2. **Complete the creation flow:**
   - GitHub will show you a preview of the app configuration
   - Confirm the app name (you can customize it)
   - Click "Create GitHub App"
   - The app will be created with all required permissions automatically configured
 3. **Generate and download a private key:**
   - After creating the app, you'll be redirected to the app settings
   - Scroll down to "Private keys"
   - Click "Generate a private key"
@@ -64,7 +60,6 @@ The fastest way to create a custom GitHub App is using our pre-configured manife
 If you prefer to configure the app manually or need custom permissions:
 1. **Create a new GitHub App:**
   - Go to https://github.com/settings/apps (for personal apps) or your organization's settings
   - Click "New GitHub App"
   - Configure the app with these minimum permissions:
@@ -77,19 +72,16 @@ If you prefer to configure the app manually or need custom permissions:
   - Create the app
 2. **Generate and download a private key:**
   - After creating the app, scroll down to "Private keys"
   - Click "Generate a private key"
   - Download the `.pem` file (keep this secure!)
 3. **Install the app on your repository:**
   - Go to the app's settings page
   - Click "Install App"
   - Select the repositories where you want to use Claude
 4. **Add the app credentials to your repository secrets:**
   - Go to your repository's Settings → Secrets and variables → Actions
   - Add these secrets:
     - `APP_ID`: Your GitHub App's ID (found in the app settings)
@@ -138,7 +130,6 @@ For more information on creating GitHub Apps, see the [GitHub documentation](htt
 To securely use your Anthropic API key:
 1. Add your API key as a repository secret:
   - Go to your repository's Settings
   - Navigate to "Secrets and variables" → "Actions"
   - Click "New repository secret"
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -53,7 +53,7 @@ jobs:
 ## Inputs
 | Input                                          | Description                                                                                                                                                                            | Required | Default       |
-| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------- |
+| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------- |
 | `anthropic_api_key`                            | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                                                                                             | No\*     | -             |
 | `claude_code_oauth_token`                      | Claude Code OAuth token (alternative to anthropic_api_key)                                                                                                                             | No\*     | -             |
 | `prompt`                                       | Instructions for Claude. Can be a direct prompt or custom template for automation workflows                                                                                            | No       | -             |
@@ -77,6 +77,7 @@ jobs:
 | `bot_name`                                     | GitHub username to use for git operations (defaults to Claude's bot name). Required with `ssh_signing_key` for verified commits                                                        | No       | `claude[bot]` |
 | `allowed_bots`                                 | Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots                                                                        | No       | ""            |
 | `allowed_non_write_users`                      | **⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md)         | No       | ""            |
 | `bypass_write_permission_check_acknowledgment` | **REQUIRED** when using `allowed_non_write_users='*'`. Set to `true` to explicitly acknowledge security implications. Prevents accidental security misconfigurations                   | No       | `false`       |
 | `path_to_claude_code_executable`               | Optional path to a custom Claude Code executable. Skips automatic installation. Useful for Nix, custom containers, or specialized environments                                         | No       | ""            |
 | `path_to_bun_executable`                       | Optional path to a custom Bun executable. Skips automatic Bun installation. Useful for Nix, custom containers, or specialized environments                                             | No       | ""            |
 | `plugin_marketplaces`                          | Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., see example in workflow above). Marketplaces are added before plugin installation             | No       | ""            |
--- a/examples/issue-triage.yml
+++ b/examples/issue-triage.yml
@@ -26,4 +26,5 @@ jobs:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          allowed_non_write_users: "*" # Required for issue triage workflow, if users without repo write access create issues
          bypass_write_permission_check_acknowledgment: true # Required when using wildcard
          github_token: ${{ secrets.GITHUB_TOKEN }}
--- a/src/entrypoints/prepare.ts
+++ b/src/entrypoints/prepare.ts
@@ -37,6 +37,7 @@ async function run() {
        context,
        context.inputs.allowedNonWriteUsers,
        githubTokenProvided,
        context.inputs.bypassWritePermissionCheckAcknowledgment,
      );
      if (!hasWritePermissions) {
        throw new Error(
--- a/src/github/context.ts
+++ b/src/github/context.ts
@@ -96,6 +96,7 @@ type BaseContext = {
    botName: string;
    allowedBots: string;
    allowedNonWriteUsers: string;
    bypassWritePermissionCheckAcknowledgment: boolean;
    trackProgress: boolean;
    includeFixLinks: boolean;
  };
@@ -154,6 +155,8 @@ export function parseGitHubContext(): GitHubContext {
      botName: process.env.BOT_NAME ?? CLAUDE_BOT_LOGIN,
      allowedBots: process.env.ALLOWED_BOTS ?? "",
      allowedNonWriteUsers: process.env.ALLOWED_NON_WRITE_USERS ?? "",
      bypassWritePermissionCheckAcknowledgment:
        process.env.BYPASS_WRITE_PERMISSION_CHECK_ACKNOWLEDGMENT === "true",
      trackProgress: process.env.TRACK_PROGRESS === "true",
      includeFixLinks: process.env.INCLUDE_FIX_LINKS === "true",
    },
--- a/src/github/validation/permissions.ts
+++ b/src/github/validation/permissions.ts
@@ -8,6 +8,7 @@ import type { Octokit } from "@octokit/rest";
 * @param context - The GitHub context
 * @param allowedNonWriteUsers - Comma-separated list of users allowed without write permissions, or '*' for all
 * @param githubTokenProvided - Whether github_token was provided as input (not from app)
 * @param bypassAcknowledgment - Explicit acknowledgment required when using wildcard (*)
 * @returns true if the actor has write permissions, false otherwise
 */
 export async function checkWritePermissions(
@@ -15,6 +16,7 @@ export async function checkWritePermissions(
  context: ParsedGitHubContext,
  allowedNonWriteUsers?: string,
  githubTokenProvided?: boolean,
  bypassAcknowledgment?: boolean,
 ): Promise<boolean> {
  const { repository, actor } = context;
@@ -25,6 +27,17 @@ export async function checkWritePermissions(
    if (allowedNonWriteUsers && githubTokenProvided) {
      const allowedUsers = allowedNonWriteUsers.trim();
      if (allowedUsers === "*") {
        if (!bypassAcknowledgment) {
          core.error(
            `❌ SECURITY ERROR: Attempting to bypass write permission checks for all users with allowed_non_write_users='*' without explicit acknowledgment. ` +
              `This is a critical security misconfiguration. To proceed, you must set bypass_write_permission_check_acknowledgment='true' ` +
              `to explicitly acknowledge the security implications.`,
          );
          throw new Error(
            "Cannot bypass write permission checks with wildcard (*) without explicit acknowledgment. " +
              "Set bypass_write_permission_check_acknowledgment='true' to acknowledge security implications.",
          );
        }
        core.warning(
          `⚠️ SECURITY WARNING: Bypassing write permission check for ${actor} due to allowed_non_write_users='*'. This should only be used for workflows with very limited permissions.`,
        );
--- a/test/permissions.test.ts
+++ b/test/permissions.test.ts
@@ -73,6 +73,7 @@ describe("checkWritePermissions", () => {
      botName: CLAUDE_BOT_LOGIN,
      allowedBots: "",
      allowedNonWriteUsers: "",
      bypassWritePermissionCheckAcknowledgment: false,
      trackProgress: false,
      includeFixLinks: true,
    },
@@ -197,7 +198,7 @@ describe("checkWritePermissions", () => {
      );
    });
-    test("should bypass permission check for all users with wildcard", async () => {
+    test("should bypass permission check for all users with wildcard when acknowledgment provided", async () => {
      const mockOctokit = createMockOctokit("read");
      const context = createContext();
@@ -206,6 +207,7 @@ describe("checkWritePermissions", () => {
        context,
        "*",
        true,
        true, // acknowledgment provided
      );
      expect(result).toBe(true);
@@ -214,6 +216,17 @@ describe("checkWritePermissions", () => {
      );
    });
    test("should FAIL to bypass permission check with wildcard when acknowledgment NOT provided", async () => {
      const mockOctokit = createMockOctokit("read");
      const context = createContext();
      await expect(
        checkWritePermissions(mockOctokit, context, "*", true, false),
      ).rejects.toThrow(
        "Cannot bypass write permission checks with wildcard (*) without explicit acknowledgment",
      );
    });
    test("should NOT bypass permission check when user not in allowed list", async () => {
      const mockOctokit = createMockOctokit("read");
      const context = createContext();