claude-code-action

anthropics/claude-code-action

Fork 0

mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-22 22:44:13 +08:00

Commit Graph

Author	SHA1	Message	Date
Ashwin Bhat	964b8355fb	fix: use original title from webhook payload instead of fetched title (#793 ) * fix: use original title from webhook payload instead of fetched title - Add extractOriginalTitle() helper to extract title from webhook payload - Add originalTitle parameter to fetchGitHubData() - Update tag mode to pass original title from webhook context - Add tests for extractOriginalTitle and originalTitle parameter This ensures the title used in prompts is the one that existed when the trigger event occurred, rather than a potentially modified title fetched later via GraphQL. * fix: add title sanitization and explicit TOCTOU test - Apply sanitizeContent() to titles in formatContext() for defense-in-depth - Add explicit test documenting TOCTOU prevention for title handling	2026-01-07 23:45:12 +05:30
Ashwin Bhat	6337623ebb	fix: prevent TOCTOU race condition on issue/PR body edits (#710 ) Add trigger-time validation for issue/PR body content to prevent attackers from exploiting a race condition where they edit the body between when an authorized user triggers @claude and when Claude processes the request. The existing filterCommentsToTriggerTime() already protected comments - this extends the same pattern to the main issue/PR body via isBodySafeToUse(). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>	2025-12-01 07:59:39 -08:00
Ashwin Bhat	a6888c03f2	feat: add time-based comment filtering to tag mode (#512 ) Implement time-based filtering for GitHub comments and reviews to prevent malicious actors from editing existing comments after Claude is triggered to inject harmful content. Changes: - Add updatedAt and lastEditedAt fields to GraphQL queries - Update GitHubComment and GitHubReview types with timestamp fields - Implement filterCommentsToTriggerTime() and filterReviewsToTriggerTime() - Add extractTriggerTimestamp() to extract trigger time from webhooks - Update tag and review modes to pass trigger timestamp to data fetcher Security benefits: - Prevents comment injection attacks via post-trigger edits - Maintains chronological integrity of conversation context - Ensures only comments in their final state before trigger are processed - Backward compatible with graceful degradation 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Claude <noreply@anthropic.com>	2025-08-29 09:49:08 -07:00

Author

SHA1

Message

Date

Ashwin Bhat

964b8355fb

fix: use original title from webhook payload instead of fetched title (#793 )

* fix: use original title from webhook payload instead of fetched title

- Add extractOriginalTitle() helper to extract title from webhook payload
- Add originalTitle parameter to fetchGitHubData()
- Update tag mode to pass original title from webhook context
- Add tests for extractOriginalTitle and originalTitle parameter

This ensures the title used in prompts is the one that existed when the
trigger event occurred, rather than a potentially modified title fetched
later via GraphQL.

* fix: add title sanitization and explicit TOCTOU test

- Apply sanitizeContent() to titles in formatContext() for defense-in-depth
- Add explicit test documenting TOCTOU prevention for title handling

2026-01-07 23:45:12 +05:30

Ashwin Bhat

6337623ebb

fix: prevent TOCTOU race condition on issue/PR body edits (#710 )

Add trigger-time validation for issue/PR body content to prevent attackers
from exploiting a race condition where they edit the body between when an
authorized user triggers @claude and when Claude processes the request.

The existing filterCommentsToTriggerTime() already protected comments -
this extends the same pattern to the main issue/PR body via isBodySafeToUse().

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>

2025-12-01 07:59:39 -08:00

Ashwin Bhat

a6888c03f2

feat: add time-based comment filtering to tag mode (#512 )

Implement time-based filtering for GitHub comments and reviews to prevent
malicious actors from editing existing comments after Claude is triggered
to inject harmful content.

Changes:
- Add updatedAt and lastEditedAt fields to GraphQL queries
- Update GitHubComment and GitHubReview types with timestamp fields
- Implement filterCommentsToTriggerTime() and filterReviewsToTriggerTime()
- Add extractTriggerTimestamp() to extract trigger time from webhooks
- Update tag and review modes to pass trigger timestamp to data fetcher

Security benefits:
- Prevents comment injection attacks via post-trigger edits
- Maintains chronological integrity of conversation context
- Ensures only comments in their final state before trigger are processed
- Backward compatible with graceful degradation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude <noreply@anthropic.com>

2025-08-29 09:49:08 -07:00

3 Commits