v0.24.2
Highlights
GraphQL repository scoping, `Query.repository(owner, name)` form. Third installment in the v0.24 GraphQL scope-checker hardening series. The proxy's repo-scope checker previously validated only `repositoryId`/`*Id`/`repositoryNameWithOwner` fields and missed GitHub's `Query.repository(owner, name)` form, along with its `organization(login).repository(name)`, `repositoryOwner(login).repository(name)` and `user(login).repository(name)` accessors. With `queries: ["*"]`, an in-scope GitHub App surrogate token could therefore read any repository visible to the installation. The checker now walks the query AST for `repository` field selections, resolves the owner from the field's own `owner` argument or from its parent's `login` argument, and validates `owner/name` against the installation's repository full names case-insensitively. When the owner cannot be resolved, the check fails secure and the query is rejected. (#576)
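To make the new check concrete, here is an added illustration of the walk described above: a minimal GraphQL selection-set parser plus a scope checker that resolves `owner`/`name` for each `repository` field, falls back to the parent accessor's `login`, compares case-insensitively against a constructed installation repo list, and rejects the query whenever the owner or name is not a string literal (for example a `$variable`). This is example code written for this note, not the proxy's own checker; the installation list, the `OWNER_ACCESSORS` set and the toy parser are assumptions, and it covers only the `owner`/`name` form (not the `repositoryId` or `repositoryNameWithOwner` paths, fragments, or variable substitution).

```python
"""Toy repository-scope check for GraphQL queries (illustrative, not airut's code)."""
import re
from dataclasses import dataclass, field

# Constructed installation scope: repository full names, compared lower-cased.
INSTALLATION_REPOS = {"Acme/Widget", "Acme/Gadget"}

# Accessor fields whose `login` argument names the owner of a nested `repository`.
# Assumed from GitHub's Query type: organization(login), user(login), repositoryOwner(login).
OWNER_ACCESSORS = {"organization", "user", "repositoryOwner"}

# Whitespace and commas are insignificant in GraphQL; names may be $variables.
TOKEN_RE = re.compile(
    r'\s+|,|(?P<punct>[{}():!])|(?P<str>"(?:[^"\\]|\\.)*")|(?P<name>\$?[A-Za-z_][A-Za-z0-9_]*)'
)


def tokenize(src):
    pos = 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}")
        pos = m.end()
        if m.lastgroup:  # skip whitespace/commas (unnamed alternatives)
            yield m.lastgroup, m.group()


@dataclass
class Field:
    name: str                      # real field name, never the alias
    args: dict = field(default_factory=dict)   # arg -> str literal, or None if unresolvable
    selections: list = field(default_factory=list)


class Parser:
    def __init__(self, src):
        self.toks = list(tokenize(src))
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, text=None):
        k, t = self.peek()
        if k is None or (kind and k != kind) or (text and t != text):
            raise ValueError(f"expected {kind or ''} {text or ''}, got {t!r}")
        self.i += 1
        return t

    def document(self):
        # Skip an optional `query Name($var: Type!)` header up to the first `{`.
        while self.peek() != ("punct", "{"):
            self.take()
        return self.selection_set()

    def selection_set(self):
        self.take("punct", "{")
        fields = []
        while self.peek() != ("punct", "}"):
            fields.append(self.field())
        self.take("punct", "}")
        return fields

    def field(self):
        name = self.take("name")
        if self.peek() == ("punct", ":"):      # alias: `r: repository(...)`; check the real name
            self.take()
            name = self.take("name")
        args = {}
        if self.peek() == ("punct", "("):
            self.take()
            while self.peek() != ("punct", ")"):
                key = self.take("name")
                self.take("punct", ":")
                kind, val = self.peek()
                self.i += 1
                # Only string literals resolve; variables/enums/objects are left as None.
                args[key] = val[1:-1] if kind == "str" else None
            self.take()
        sels = self.selection_set() if self.peek() == ("punct", "{") else []
        return Field(name, args, sels)


def check_repo_scope(query, allowed=INSTALLATION_REPOS):
    """Return a list of violations; an empty list means the query is in scope."""
    allowed_lc = {r.lower() for r in allowed}
    violations = []

    def walk(fields, parent_login):
        for f in fields:
            if f.name == "repository":
                # Explicit owner arg wins (even when unresolvable); else the parent's login.
                owner = f.args["owner"] if "owner" in f.args else parent_login
                name = f.args.get("name")
                if owner is None or name is None:
                    violations.append("repository: owner/name unresolvable (fail-secure)")
                elif f"{owner}/{name}".lower() not in allowed_lc:
                    violations.append(f"{owner}/{name} not in installation scope")
            # Only a direct owner accessor supplies the login for its children.
            login = f.args.get("login") if f.name in OWNER_ACCESSORS else None
            walk(f.selections, login)

    walk(Parser(query).document(), None)
    return violations
```

Two details matter for the fail-secure behaviour: an alias is stripped before matching so `r: repository(...)` is still recognised, and an `owner` or `login` that is a variable rather than a literal is treated as unresolvable and rejected instead of falling through to a more permissive branch.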
Other Changes
- Bumped `mistune` to 3.2.1 to address GHSA-hjph-f4mc-wx4c. (#582)
- Bumped all `uv.lock` dependencies (main and proxy lockfiles) to latest upstream versions. (#578, #579, #581)
Upgrade
`airut update`
If `airut check` reports a pending config schema migration after updating, run `airut migrate`.