claude-code-action

anthropics/claude-code-action

Fork 0

mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-22 22:44:13 +08:00

Commit Graph

Author	SHA1	Message	Date
Claude	0085208689	fix: require explicit acknowledgment for wildcard write permission bypass SECURITY FIX: Addresses authorization_bypass vulnerability (LOW severity) The allowed_non_write_users='' configuration previously bypassed write permission checks for all users with only a warning. This created a security misconfiguration risk. Changes: - Added new input 'bypass_write_permission_check_acknowledgment' required when using wildcard () - Modified checkWritePermissions() to throw error if wildcard used without explicit acknowledgment flag - Updated all documentation (security.md, usage.md) with new requirement - Updated example workflows to include acknowledgment flag - Added tests for new validation behavior This prevents accidental security misconfigurations while maintaining the feature for intentional use cases like issue triage workflows. Affected file: src/github/validation/permissions.ts:27 Category: authorization_bypass Severity: LOW	2026-01-13 23:29:39 +00:00
Ashwin Bhat	69dec299f8	feat: add allowed_non_write_users input to bypass permission checks (#550 ) * chore: bump Claude Code version to 1.0.108 * triage fix --------- Co-authored-by: GitHub Actions <actions@github.com>	2025-09-07 14:20:02 -07:00

Author

SHA1

Message

Date

Claude

0085208689

fix: require explicit acknowledgment for wildcard write permission bypass

SECURITY FIX: Addresses authorization_bypass vulnerability (LOW severity)

The allowed_non_write_users='*' configuration previously bypassed write
permission checks for all users with only a warning. This created a
security misconfiguration risk.

Changes:
- Added new input 'bypass_write_permission_check_acknowledgment' required
  when using wildcard (*)
- Modified checkWritePermissions() to throw error if wildcard used without
  explicit acknowledgment flag
- Updated all documentation (security.md, usage.md) with new requirement
- Updated example workflows to include acknowledgment flag
- Added tests for new validation behavior

This prevents accidental security misconfigurations while maintaining the
feature for intentional use cases like issue triage workflows.

Affected file: src/github/validation/permissions.ts:27
Category: authorization_bypass
Severity: LOW

2026-01-13 23:29:39 +00:00

Ashwin Bhat

69dec299f8

feat: add allowed_non_write_users input to bypass permission checks (#550 )

* chore: bump Claude Code version to 1.0.108

* triage fix

---------

Co-authored-by: GitHub Actions <actions@github.com>

2025-09-07 14:20:02 -07:00

2 Commits