claude-code-action

actions/claude-code-action

Fork 0

Commit Graph

Author	SHA1	Message	Date
kashyap murali	9ddce40de8	Restore .claude/ and .mcp.json from PR base branch before CLI runs (#1066 ) * Restore .claude/ and .mcp.json from PR base branch before CLI runs The CLI's non-interactive mode trusts cwd: it reads .mcp.json and .claude/settings{,.local}.json from the working directory and acts on them before any tool-permission gating — executing hooks, setting env vars (NODE_OPTIONS, LD_PRELOAD), running apiKeyHelper shell commands, and auto-approving MCP servers. When this action checks out a PR head, these files are attacker-controlled. Rather than enumerate dangerous keys, replace the entire .claude/ tree and .mcp.json with the versions from the PR base branch (which a maintainer has reviewed). Paths absent on base are deleted. Uses local git state, so no TOCTOU against the GitHub API. * Read PR base ref from payload for config restore in agent mode Agent mode's branchInfo.baseBranch defaults to "main" (or env/input override) instead of the PR's actual target branch — it doesn't query prData.baseRefName like tag mode does. This meant a PR targeting develop would get .claude/ restored from main. Fix by reading pull_request.base.ref directly from the webhook payload for pull_request, pull_request_review, and pull_request_review_comment events. For issue_comment on a PR (no base.ref in payload), fall back to the mode-provided value — tag mode's value is correct (from GraphQL); agent mode on issue_comment is an edge case that at worst restores from the wrong trusted branch, which is still secure. The payload value passes through validateBranchName for defense-in-depth (GitHub enforces valid branch names server-side, but we validate anyway). * Extend restored paths to .gitmodules, .ripgreprc, .claude.json .gitmodules defines submodule URLs and paths; path-confusion attacks against git submodule operations can write into .git/hooks. .ripgreprc can set --pre (arbitrary command on each file) if RIPGREP_CONFIG_PATH points at it. .claude.json is cheap defense-in-depth. Documented why .git/ is excluded (not trackable in commits, and restoring it would undo the PR checkout), along with .gitconfig (git never reads it from cwd) and shell rc files (sourced from $HOME, not cwd — checkout cannot reach $HOME).	2026-03-18 12:00:18 -04:00

Author

SHA1

Message

Date

kashyap murali

9ddce40de8

Restore .claude/ and .mcp.json from PR base branch before CLI runs (#1066 )

* Restore .claude/ and .mcp.json from PR base branch before CLI runs

The CLI's non-interactive mode trusts cwd: it reads .mcp.json and
.claude/settings{,.local}.json from the working directory and acts on
them before any tool-permission gating — executing hooks, setting env
vars (NODE_OPTIONS, LD_PRELOAD), running apiKeyHelper shell commands,
and auto-approving MCP servers. When this action checks out a PR head,
these files are attacker-controlled.

Rather than enumerate dangerous keys, replace the entire .claude/ tree
and .mcp.json with the versions from the PR base branch (which a
maintainer has reviewed). Paths absent on base are deleted. Uses local
git state, so no TOCTOU against the GitHub API.

* Read PR base ref from payload for config restore in agent mode

Agent mode's branchInfo.baseBranch defaults to "main" (or env/input
override) instead of the PR's actual target branch — it doesn't query
prData.baseRefName like tag mode does. This meant a PR targeting
develop would get .claude/ restored from main.

Fix by reading pull_request.base.ref directly from the webhook payload
for pull_request, pull_request_review, and pull_request_review_comment
events. For issue_comment on a PR (no base.ref in payload), fall back
to the mode-provided value — tag mode's value is correct (from GraphQL);
agent mode on issue_comment is an edge case that at worst restores from
the wrong trusted branch, which is still secure.

The payload value passes through validateBranchName for defense-in-depth
(GitHub enforces valid branch names server-side, but we validate anyway).

* Extend restored paths to .gitmodules, .ripgreprc, .claude.json

.gitmodules defines submodule URLs and paths; path-confusion attacks
against git submodule operations can write into .git/hooks. .ripgreprc
can set --pre (arbitrary command on each file) if RIPGREP_CONFIG_PATH
points at it. .claude.json is cheap defense-in-depth.

Documented why .git/ is excluded (not trackable in commits, and
restoring it would undo the PR checkout), along with .gitconfig
(git never reads it from cwd) and shell rc files (sourced from $HOME,
not cwd — checkout cannot reach $HOME).

2026-03-18 12:00:18 -04:00

1 Commits