Fix pagination bypass and fail-open bugs in .mcp.json change detection

- Use octokit.rest.paginate() to fetch all pages of PR changed files, preventing attackers from padding PRs with 100+ files to push .mcp.json off the first page - Change catch block to fail closed (mcpJsonChanged=true) so MCP servers are not auto-approved when the API call fails
2026-02-15 12:44:24 -08:00 · 2026-02-15 12:44:24 -08:00 · f4ac33b9a4
commit f4ac33b9a4
parent 19a4f34b17
1 changed files with 11 additions and 7 deletions
--- a/src/entrypoints/run.ts
+++ b/src/entrypoints/run.ts
@ -223,12 +223,15 @@ async function run() {
    let mcpJsonChanged = false;
    if (isEntityContext(context) && context.isPR) {
      try {
-        const { data: changedFiles } = await octokit.rest.pulls.listFiles({
-          owner: context.repository.owner,
-          repo: context.repository.repo,
-          pull_number: context.entityNumber,
-          per_page: 100,
-        });
+        const changedFiles = await octokit.rest.paginate(
+          octokit.rest.pulls.listFiles,
+          {
+            owner: context.repository.owner,
+            repo: context.repository.repo,
+            pull_number: context.entityNumber,
+            per_page: 100,
+          },
+        );
        mcpJsonChanged = changedFiles.some(
          (f) =>
            f.filename === ".mcp.json" || f.filename.endsWith("/.mcp.json"),
@ -240,8 +243,9 @@ async function run() {
        }
      } catch (e) {
        console.log(
-          `Could not check PR changed files: ${e}. Defaulting to mcpJsonChanged=false.`,
+          `Could not check PR changed files: ${e}. Defaulting to mcpJsonChanged=true (fail-closed).`,
        );
+        mcpJsonChanged = true;
      }
    }