anthropics/claude-code-action
1
0
Fork 0
mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-23 15:04:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: anthropics:ashwin/bump-bun-to-2.1.1
Branches Tags
anthropics:main anthropics:ashwin/bump-bun-to-2.1.1 anthropics:fix-tag-sync anthropics:claude/autopatch-scan-caf54156-vuln-17-L6v6t anthropics:claude/slack-improve-autofix-suggestion-detection-jVXXD anthropics:claude/slack-add-clawd-stop-label-check-YOQgu anthropics:boris/add-push-event-support anthropics:feature/merge-prepare-and-run-steps anthropics:claude/issue-746-20251216-2049 anthropics:claude/fix-command-injection-012ini6RiyJVXxae6QfACQce anthropics:claude/slack-standardize-pr-instructions-Jpta2 anthropics:fix/installation-lock-file-cleanup anthropics:claude/fix-command-injection-01G6U5P2UUcNFSDQ5ugMJToh anthropics:claude/fix-command-injection-011p27fUErJNzJnC8F2NhDfU anthropics:claude/slack-session-01CmWq48mc2PNmbs57vtiDL8 anthropics:claude/fix-017jw8xRDW1dJWuVWmZf8L37 anthropics:claude/slack-session-01MVWPvyum9Tfs4uZKSYNwb2 anthropics:ashwin/debug-agent-sdk anthropics:ashwin/timeoutfi anthropics:inigo/structured-outputs-clean anthropics:inigo/add-structured-outputs anthropics:inigo/structured-outputs anthropics:inigo/structured-outputs-v2 anthropics:claude/slack-session-01V5yvGzTYGjKuXyrkd816Q8 anthropics:claude/slack-session-01KNnXBDe14t4FYBFYj6x6kz anthropics:claude/update-docs-claude-code-action-011CUcQCrd4gH7XpanoeKXJg anthropics:ashwin/inlines anthropics:add-plugins-input anthropics:add-claude-github-actions-1761020053046 anthropics:add-claude-github-actions-1761019930984 anthropics:claude/update-readme-011CTvTGkPpgCdDtj57GaAAk anthropics:claude/aussie-readme-011CTv66HfGaaE3LMmFM9ZtN anthropics:claude/update-readme-011CTtgkeo2Hx7eheVcEwxb4 anthropics:claude/aussie-readme-update-011CTtgCkB57KfsJ1SUWUwaj anthropics:claude/minor-update-011CTrjPp29xM3Cnbz2FLdqy anthropics:ashwin/branch-template anthropics:demo/subtle-test-issues anthropics:demo/flawed-branch-tests-fix anthropics:demo/flawed-branch-tests anthropics:ashwin/allownonwritetest anthropics:ashwin/testghe anthropics:ashwin/testcommenttime anthropics:test-ci-tools-fix-3 anthropics:test-ci-tools-fix anthropics:eap anthropics:ashwin/testfix anthropics:ashwin/rmnpmrc anthropics:v1-dev anthropics:ashwin/envlog anthropics:km-anthropic-patch-1 anthropics:test-auto-fix-trigger anthropics:ashwin/verbosedebug anthropics:test-autofix-from-scratch anthropics:test-ci-failure anthropics:ashwin/inputtest anthropics:eaptest anthropics:test-gh-comment anthropics:ashwin/v1-devtest anthropics:test-no-approval anthropics:feat/ttyd-cloudflared-tunnel-integration anthropics:ashwin/claudestep anthropics:support-bot-user anthropics:ashwin/testid anthropics:km/add-mcp-to-agent anthropics:testenvvar anthropics:km/discriminated-unions-cleanup anthropics:ashwin/examples anthropics:claude/issue-313-20250719-1530 anthropics:ashwin/modelparam anthropics:ashwin/testnetwork anthropics:ashwin/branchfix anthropics:ashwin-ant-patch-3 anthropics:ashwin/stickytest anthropics:feat-add-label-trigger anthropics:ashwin/testdynamicfetch anthropics:ashwin/multiline anthropics:claude/issue-132-20250605_170450 anthropics:update-claude-code-base-action-v0.0.10-20250605-165057 anthropics:ashwin/promptfiletest anthropics:ashwin/debug anthropics:claude/issue-122-20250604_004902 anthropics:claude/issue-125-20250604_150607 anthropics:claude/issue-123-20250604_005116 anthropics:ashwin/triagefix anthropics:update-claude-code-base-action-v0.0.9-20250603-035419 anthropics:claude/issue-101-20250531_001023 anthropics:ashwin/commenttool anthropics:claude/issue-95-20250530_142727 anthropics:claude/issue-103-20250531_051637 anthropics:ashwin-ant-patch-2 anthropics:testbranch anthropics:ashwin-ant-patch-1 anthropics:ashwin/faq anthropics:ashwin/bump anthropics:claude/issue-62-20250527_192138 anthropics:ashwin/tools anthropics:enhance-text-sanitization anthropics:ashwin/erroroutput anthropics:update-claude-code-base-action-v0.0.7-20250529-000200 anthropics:ashwin/shabump anthropics:claude/issue-49-20250527_235943 anthropics:claude/issue-52-20250526_025103 anthropics:ashwin/triage anthropics:ashwin/dsstore anthropics:ashwin/bugtemplate anthropics:ashwin/pin anthropics:ashwin/errorlogging anthropics:fix-500-error-logging anthropics:fix-mcp-undefined-error anthropics:fix-local-action-reference anthropics:update-claude-workflow-v2 anthropics:add-claude-github-actions-1747972566174 anthropics:update-to-use-model-parameter anthropics:np-anthropic-patch-1 anthropics:lina/rename-anthropic-model-to-model anthropics:lina/html_comments_strip anthropics:lina/modify-action-name anthropics:lina/modify-base-action
anthropics:v1 anthropics:v1.0.33 anthropics:v1.0.32 anthropics:v1.0.31 anthropics:v1.0.30 anthropics:v1.0.29 anthropics:v1.0.28 anthropics:v1.0.27 anthropics:v1.0.26 anthropics:v1.0.25 anthropics:v1.0.24 anthropics:v1.0.23 anthropics:v1.0.22 anthropics:v1.0.21 anthropics:v1.0.20 anthropics:v1.0.19 anthropics:v1.0.18 anthropics:v1.0.17 anthropics:v1.0.16 anthropics:v1.0.15 anthropics:v1.0.14 anthropics:v1.0.13 anthropics:v1.0.12 anthropics:v1.0.11 anthropics:v1.0.10 anthropics:v1.0.9 anthropics:v1.0.8 anthropics:v1.0.7 anthropics:v1.0.6 anthropics:v1.0.5 anthropics:v1.0.4 anthropics:v1.0.3 anthropics:v1.0.2 anthropics:v1.0.1 anthropics:v1.0.0 anthropics:v0 anthropics:v0.0.63 anthropics:beta anthropics:v0.0.62 anthropics:v0.0.61 anthropics:v0.0.60 anthropics:v0.0.59 anthropics:v0.0.58 anthropics:v0.0.57 anthropics:v0.0.56 anthropics:v0.0.55 anthropics:v0.0.54 anthropics:v0.0.53 anthropics:v0.0.52 anthropics:v0.0.51 anthropics:v0.0.50 anthropics:v0.0.49 anthropics:v0.0.48 anthropics:v0.0.47 anthropics:v0.0.46 anthropics:v0.0.45 anthropics:v0.0.44 anthropics:v0.0.43 anthropics:v0.0.42 anthropics:v0.0.41 anthropics:v0.0.40 anthropics:v0.0.39 anthropics:v0.0.38 anthropics:v0.0.37 anthropics:v0.0.36 anthropics:v0.0.35 anthropics:v0.0.34 anthropics:v0.0.33 anthropics:v0.0.32 anthropics:v0.0.31 anthropics:v0.0.30 anthropics:v0.0.29 anthropics:v0.0.28 anthropics:v0.0.27 anthropics:v0.0.26 anthropics:v0.0.25 anthropics:v0.0.24 anthropics:v0.0.23 anthropics:v0.0.22 anthropics:v0.0.21 anthropics:v0.0.20 anthropics:v0.0.19 anthropics:v0.0.18 anthropics:v0.0.17 anthropics:v0.0.16 anthropics:v0.0.15 anthropics:v0.0.14 anthropics:v0.0.13 anthropics:v0.0.12 anthropics:v0.0.11 anthropics:v0.0.10 anthropics:v0.0.9 anthropics:v0.0.8 anthropics:v0.0.7 anthropics:v0.0.6 anthropics:v0.0.5 anthropics:v0.0.4 anthropics:v0.0.3 anthropics:v0.0.2 anthropics:v0.0.1
...
compare: anthropics:claude/fix-017jw8xRDW1dJWuVWmZf8L37
Branches Tags
anthropics:main anthropics:ashwin/bump-bun-to-2.1.1 anthropics:fix-tag-sync anthropics:claude/autopatch-scan-caf54156-vuln-17-L6v6t anthropics:claude/slack-improve-autofix-suggestion-detection-jVXXD anthropics:claude/slack-add-clawd-stop-label-check-YOQgu anthropics:boris/add-push-event-support anthropics:feature/merge-prepare-and-run-steps anthropics:claude/issue-746-20251216-2049 anthropics:claude/fix-command-injection-012ini6RiyJVXxae6QfACQce anthropics:claude/slack-standardize-pr-instructions-Jpta2 anthropics:fix/installation-lock-file-cleanup anthropics:claude/fix-command-injection-01G6U5P2UUcNFSDQ5ugMJToh anthropics:claude/fix-command-injection-011p27fUErJNzJnC8F2NhDfU anthropics:claude/slack-session-01CmWq48mc2PNmbs57vtiDL8 anthropics:claude/fix-017jw8xRDW1dJWuVWmZf8L37 anthropics:claude/slack-session-01MVWPvyum9Tfs4uZKSYNwb2 anthropics:ashwin/debug-agent-sdk anthropics:ashwin/timeoutfi anthropics:inigo/structured-outputs-clean anthropics:inigo/add-structured-outputs anthropics:inigo/structured-outputs anthropics:inigo/structured-outputs-v2 anthropics:claude/slack-session-01V5yvGzTYGjKuXyrkd816Q8 anthropics:claude/slack-session-01KNnXBDe14t4FYBFYj6x6kz anthropics:claude/update-docs-claude-code-action-011CUcQCrd4gH7XpanoeKXJg anthropics:ashwin/inlines anthropics:add-plugins-input anthropics:add-claude-github-actions-1761020053046 anthropics:add-claude-github-actions-1761019930984 anthropics:claude/update-readme-011CTvTGkPpgCdDtj57GaAAk anthropics:claude/aussie-readme-011CTv66HfGaaE3LMmFM9ZtN anthropics:claude/update-readme-011CTtgkeo2Hx7eheVcEwxb4 anthropics:claude/aussie-readme-update-011CTtgCkB57KfsJ1SUWUwaj anthropics:claude/minor-update-011CTrjPp29xM3Cnbz2FLdqy anthropics:ashwin/branch-template anthropics:demo/subtle-test-issues anthropics:demo/flawed-branch-tests-fix anthropics:demo/flawed-branch-tests anthropics:ashwin/allownonwritetest anthropics:ashwin/testghe anthropics:ashwin/testcommenttime anthropics:test-ci-tools-fix-3 anthropics:test-ci-tools-fix anthropics:eap anthropics:ashwin/testfix anthropics:ashwin/rmnpmrc anthropics:v1-dev anthropics:ashwin/envlog anthropics:km-anthropic-patch-1 anthropics:test-auto-fix-trigger anthropics:ashwin/verbosedebug anthropics:test-autofix-from-scratch anthropics:test-ci-failure anthropics:ashwin/inputtest anthropics:eaptest anthropics:test-gh-comment anthropics:ashwin/v1-devtest anthropics:test-no-approval anthropics:feat/ttyd-cloudflared-tunnel-integration anthropics:ashwin/claudestep anthropics:support-bot-user anthropics:ashwin/testid anthropics:km/add-mcp-to-agent anthropics:testenvvar anthropics:km/discriminated-unions-cleanup anthropics:ashwin/examples anthropics:claude/issue-313-20250719-1530 anthropics:ashwin/modelparam anthropics:ashwin/testnetwork anthropics:ashwin/branchfix anthropics:ashwin-ant-patch-3 anthropics:ashwin/stickytest anthropics:feat-add-label-trigger anthropics:ashwin/testdynamicfetch anthropics:ashwin/multiline anthropics:claude/issue-132-20250605_170450 anthropics:update-claude-code-base-action-v0.0.10-20250605-165057 anthropics:ashwin/promptfiletest anthropics:ashwin/debug anthropics:claude/issue-122-20250604_004902 anthropics:claude/issue-125-20250604_150607 anthropics:claude/issue-123-20250604_005116 anthropics:ashwin/triagefix anthropics:update-claude-code-base-action-v0.0.9-20250603-035419 anthropics:claude/issue-101-20250531_001023 anthropics:ashwin/commenttool anthropics:claude/issue-95-20250530_142727 anthropics:claude/issue-103-20250531_051637 anthropics:ashwin-ant-patch-2 anthropics:testbranch anthropics:ashwin-ant-patch-1 anthropics:ashwin/faq anthropics:ashwin/bump anthropics:claude/issue-62-20250527_192138 anthropics:ashwin/tools anthropics:enhance-text-sanitization anthropics:ashwin/erroroutput anthropics:update-claude-code-base-action-v0.0.7-20250529-000200 anthropics:ashwin/shabump anthropics:claude/issue-49-20250527_235943 anthropics:claude/issue-52-20250526_025103 anthropics:ashwin/triage anthropics:ashwin/dsstore anthropics:ashwin/bugtemplate anthropics:ashwin/pin anthropics:ashwin/errorlogging anthropics:fix-500-error-logging anthropics:fix-mcp-undefined-error anthropics:fix-local-action-reference anthropics:update-claude-workflow-v2 anthropics:add-claude-github-actions-1747972566174 anthropics:update-to-use-model-parameter anthropics:np-anthropic-patch-1 anthropics:lina/rename-anthropic-model-to-model anthropics:lina/html_comments_strip anthropics:lina/modify-action-name anthropics:lina/modify-base-action
anthropics:v1 anthropics:v1.0.33 anthropics:v1.0.32 anthropics:v1.0.31 anthropics:v1.0.30 anthropics:v1.0.29 anthropics:v1.0.28 anthropics:v1.0.27 anthropics:v1.0.26 anthropics:v1.0.25 anthropics:v1.0.24 anthropics:v1.0.23 anthropics:v1.0.22 anthropics:v1.0.21 anthropics:v1.0.20 anthropics:v1.0.19 anthropics:v1.0.18 anthropics:v1.0.17 anthropics:v1.0.16 anthropics:v1.0.15 anthropics:v1.0.14 anthropics:v1.0.13 anthropics:v1.0.12 anthropics:v1.0.11 anthropics:v1.0.10 anthropics:v1.0.9 anthropics:v1.0.8 anthropics:v1.0.7 anthropics:v1.0.6 anthropics:v1.0.5 anthropics:v1.0.4 anthropics:v1.0.3 anthropics:v1.0.2 anthropics:v1.0.1 anthropics:v1.0.0 anthropics:v0 anthropics:v0.0.63 anthropics:beta anthropics:v0.0.62 anthropics:v0.0.61 anthropics:v0.0.60 anthropics:v0.0.59 anthropics:v0.0.58 anthropics:v0.0.57 anthropics:v0.0.56 anthropics:v0.0.55 anthropics:v0.0.54 anthropics:v0.0.53 anthropics:v0.0.52 anthropics:v0.0.51 anthropics:v0.0.50 anthropics:v0.0.49 anthropics:v0.0.48 anthropics:v0.0.47 anthropics:v0.0.46 anthropics:v0.0.45 anthropics:v0.0.44 anthropics:v0.0.43 anthropics:v0.0.42 anthropics:v0.0.41 anthropics:v0.0.40 anthropics:v0.0.39 anthropics:v0.0.38 anthropics:v0.0.37 anthropics:v0.0.36 anthropics:v0.0.35 anthropics:v0.0.34 anthropics:v0.0.33 anthropics:v0.0.32 anthropics:v0.0.31 anthropics:v0.0.30 anthropics:v0.0.29 anthropics:v0.0.28 anthropics:v0.0.27 anthropics:v0.0.26 anthropics:v0.0.25 anthropics:v0.0.24 anthropics:v0.0.23 anthropics:v0.0.22 anthropics:v0.0.21 anthropics:v0.0.20 anthropics:v0.0.19 anthropics:v0.0.18 anthropics:v0.0.17 anthropics:v0.0.16 anthropics:v0.0.15 anthropics:v0.0.14 anthropics:v0.0.13 anthropics:v0.0.12 anthropics:v0.0.11 anthropics:v0.0.10 anthropics:v0.0.9 anthropics:v0.0.8 anthropics:v0.0.7 anthropics:v0.0.6 anthropics:v0.0.5 anthropics:v0.0.4 anthropics:v0.0.3 anthropics:v0.0.2 anthropics:v0.0.1

1 Commits
ashwin/bum ... claude/fix

Author SHA1 Message Date
Claude
80591ffc11 fix: prevent path traversal in delete_files MCP tool 
The delete_files tool only validated absolute paths starting with "/",
allowing relative paths with traversal sequences like "./../../sensitive"
to bypass validation.

Now all paths are normalized using path.resolve() before validation,
ensuring both absolute and relative paths with ".." sequences are
properly blocked from accessing files outside the repository root.
 2025-12-12 00:14:12 +00:00
1 changed files with 13 additions and 12 deletions
Expand all files Collapse all files

21
src/mcp/github-file-ops-server.ts
View File

@@ -4,7 +4,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"; import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { z } from "zod"; import { z } from "zod";
import { readFile, stat } from "fs/promises"; import { readFile, stat } from "fs/promises";
import { join } from "path"; import { join, resolve, sep } from "path";
import { constants } from "fs"; import { constants } from "fs";
import fetch from "node-fetch"; import fetch from "node-fetch";
import { GITHUB_API_URL } from "../github/api/config"; import { GITHUB_API_URL } from "../github/api/config";
@@ -474,20 +474,21 @@ server.tool(
throw new Error("GITHUB_TOKEN environment variable is required"); throw new Error("GITHUB_TOKEN environment variable is required");
} }
// Convert absolute paths to relative if they match CWD // Normalize all paths and validate they're within the repository root
const cwd = process.cwd(); const cwd = process.cwd();
const processedPaths = paths.map((filePath) => { const processedPaths = paths.map((filePath) => {
if (filePath.startsWith("/")) { // Normalize the path to resolve any .. or . sequences
if (filePath.startsWith(cwd)) { const normalizedPath = resolve(cwd, filePath);
// Strip CWD from absolute path
return filePath.slice(cwd.length + 1); // Validate the normalized path is within the current working directory
} else { if (!normalizedPath.startsWith(cwd + sep)) {
throw new Error( throw new Error(
`Path '${filePath}' must be relative to repository root or within current working directory`, `Path '${filePath}' resolves outside the repository root`,
); );
} }
}
return filePath; // Convert to relative path by stripping the cwd prefix
return normalizedPath.slice(cwd.length + 1);
}); });
// 1. Get the branch reference (create if doesn't exist) // 1. Get the branch reference (create if doesn't exist)