fix: prevent TOCTOU race condition on issue/PR body edits (#710)

Add trigger-time validation for issue/PR body content to prevent attackers from exploiting a race condition where they edit the body between when an authorized user triggers @claude and when Claude processes the request. The existing filterCommentsToTriggerTime() already protected comments - this extends the same pattern to the main issue/PR body via isBodySafeToUse(). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>
2026-01-24 07:24:12 +08:00 · 2025-12-01 10:59:39 -05:00
parent 6d79044f1d
commit 6337623ebb
4 changed files with 304 additions and 5 deletions
--- a/src/github/api/queries/github.ts
+++ b/src/github/api/queries/github.ts
@@ -13,6 +13,8 @@ export const PR_QUERY = `
        headRefName
        headRefOid
        createdAt
+        updatedAt
+        lastEditedAt
        additions
        deletions
        state
@@ -96,6 +98,8 @@ export const ISSUE_QUERY = `
          login
        }
        createdAt
+        updatedAt
+        lastEditedAt
        state
        comments(first: 100) {
          nodes {