From f4ac33b9a4a7aa4e31e02a9786330244751860ef Mon Sep 17 00:00:00 2001
From: Ashwin Bhat
Date: Sun, 15 Feb 2026 12:44:24 -0800
Subject: [PATCH] Fix pagination bypass and fail-open bugs in .mcp.json change detection

- Use octokit.rest.paginate() to fetch all pages of PR changed files, preventing attackers from padding PRs with 100+ files to push .mcp.json off the first page
- Change catch block to fail closed (mcpJsonChanged=true) so MCP servers are not auto-approved when the API call fails
---
 src/entrypoints/run.ts | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/entrypoints/run.ts b/src/entrypoints/run.ts
index c9a62e3..9291c28 100644
--- a/src/entrypoints/run.ts
+++ b/src/entrypoints/run.ts
@@ -223,12 +223,15 @@ async function run() {
   let mcpJsonChanged = false;
   if (isEntityContext(context) && context.isPR) {
     try {
-      const { data: changedFiles } = await octokit.rest.pulls.listFiles({
-        owner: context.repository.owner,
-        repo: context.repository.repo,
-        pull_number: context.entityNumber,
-        per_page: 100,
-      });
+      const changedFiles = await octokit.rest.paginate(
+        octokit.rest.pulls.listFiles,
+        {
+          owner: context.repository.owner,
+          repo: context.repository.repo,
+          pull_number: context.entityNumber,
+          per_page: 100,
+        },
+      );
       mcpJsonChanged = changedFiles.some(
         (f) => f.filename === ".mcp.json" || f.filename.endsWith("/.mcp.json"),
@@ -240,8 +243,9 @@ async function run() {
       }
     } catch (e) {
       console.log(
-        `Could not check PR changed files: ${e}. Defaulting to mcpJsonChanged=false.`,
+        `Could not check PR changed files: ${e}. Defaulting to mcpJsonChanged=true (fail-closed).`,
       );
+      mcpJsonChanged = true;
     }
   }
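Review bot: Paginating removes the 100-file ceiling, but GitHub documents the "list pull request files" endpoint as returning at most 3000 files per PR, so a PR padded past that limit can still push `.mcp.json` out of the listing and the `.some()` check on the new side silently yields false. Since the commit already fails closed on API errors, a truncated listing should fail closed as well, for example by cross-checking the count against the PR's `changed_files` field from `pulls.get` (that data may already be fetched elsewhere in `run`): `mcpJsonChanged = pr.changed_files !== changedFiles.length || changedFiles.some(...)`. The `try` block and `run()` itself continue past the end of this hunk.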
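Review bot: The new fail-closed branch reports only through `console.log`, so a persistent API failure that now disables MCP auto-approval on every run reads like an ordinary info line. Consider emitting it at warning level, `console.warn(...)` or `core.warning(...)` if `@actions/core` is already imported in this file, so the degraded mode shows up in job annotations rather than buried in the log. The `if` and the `try` this catch belongs to start before the hunk, and `run()` continues after it.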