Skip to content

fix(visual-review): Block client-supplied github_check_run_id#60549

Merged
gantoine merged 2 commits into
masterfrom
fix/visual-review-check-run
May 29, 2026
Merged

fix(visual-review): Block client-supplied github_check_run_id#60549
gantoine merged 2 commits into
masterfrom
fix/visual-review-check-run

Conversation

@gantoine
Copy link
Copy Markdown
Member

@gantoine gantoine commented May 28, 2026

Changes

Two layered fixes:

products/visual_review/backend/facade/api.py — Added github_check_run_id to _RESERVED_RUN_METADATA_KEYS. The facade's _sanitize_run_metadata now strips this key from all client-supplied metadata before it reaches the DB, so the only way github_check_run_id can enter run.metadata is via server-side code (the CI workflow integration).

products/visual_review/backend/logic.py — Added commit SHA ownership check in _rerun_github_job. Before issuing the POST actions/jobs/{id}/rerun request, the function now calls GET check-runs/{id} on the GitHub API and verifies that head_sha matches run.commit_sha. A mismatch returns an error and emits a structured warning log

How did you test this code?

Agent-authored. Automated tests only — no manual testing.

  • Updated TestRunAPI::test_create_run_strips_reserved_metadata_keys to assert github_check_run_id is stripped alongside the other reserved keys.
  • Added TestRerunGithubJob (4 cases): invalid ID format rejected, SHA mismatch rejected, GitHub fetch failure (404) rejected, successful rerun when SHA matches.
  • All 5 tests pass (hogli test), existing TestRecomputeRun tests unaffected (they mock _rerun_github_job directly).

Copilot AI review requested due to automatic review settings May 28, 2026 21:01
@assign-reviewers-posthog assign-reviewers-posthog Bot requested a review from a team May 28, 2026 21:01
@gantoine @claude
fix(visual-review): block client-supplied github_check_run_id and val…
e99efa9 
…idate SHA before CI rerun

Prevents a confused-deputy authorization bypass where a user with
visual_review:write could inject an arbitrary GitHub Actions job ID
via run metadata and force the app's GitHub App installation token
(which holds actions:write) to rerun any job in the repository.

Two layers of defense:
- Add github_check_run_id to _RESERVED_RUN_METADATA_KEYS so the facade
  strips it from any client-supplied metadata at run creation time.
- In _rerun_github_job, fetch the check run from GitHub and verify its
  head_sha matches run.commit_sha before issuing the POST rerun request.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@gantoine gantoine force-pushed the fix/visual-review-check-run branch from 48ac6f9 to e99efa9 Compare May 28, 2026 21:02
Copilot AI reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment
edited by feliperalmeida
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented May 28, 2026

Prompt To Fix All With AI 
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
products/visual_review/backend/logic.py:1151-1155
The `.json()` call on the successful response is outside the try/except block. If GitHub unexpectedly returns non-JSON content for a 200 (e.g., a proxy injects an HTML error page), a `json.JSONDecodeError` propagates up through `recompute_run` as an unhandled exception instead of returning the `(False, error_string)` tuple the function contract promises.

```suggestion
    if check_run_response.status_code != 200:
        return False, f"Could not fetch check run details (status {check_run_response.status_code})"

    try:
        check_run_data = check_run_response.json()
    except Exception:
        return False, "Failed to parse check run response"
    if check_run_data.get("head_sha") != run.commit_sha:
```

Reviews (1): Last reviewed commit: "fix(visual-review): block client-supplie..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed May 28, 2026
View reviewed changes
Comment thread products/visual_review/backend/logic.py Outdated
@gantoine gantoine merged commit cd44d84 into master May 29, 2026
210 of 214 checks passed
@gantoine gantoine deleted the fix/visual-review-check-run branch May 29, 2026 01:09
@deployment-status-posthog
Copy link
Copy Markdown

deployment-status-posthog Bot commented May 29, 2026
edited
Loading

Deploy status

Environment Status Deployed At Workflow
dev ✅ Deployed 2026-05-29 01:31 UTC Run
prod-us ✅ Deployed 2026-05-29 01:43 UTC Run
prod-eu ✅ Deployed 2026-05-29 01:45 UTC Run

rorylshanks pushed a commit that referenced this pull request May 29, 2026
@gantoine @claude @rorylshanks
fix(visual-review): Block client-supplied github_check_run_id (#60549)
88d657d 
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Copilot code review Copilot Copilot left review comments

@Piccirello Piccirello Piccirello approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gantoine @Piccirello