[bugfix] code_review.yml: replace PR's .claude/ instead of nesting (GHSA-f9x3-9rgg-92p7) #515
Merged
tiankongdeguiji merged 2 commits on May 20, 2026
…HSA-f9x3-9rgg-92p7)
The Code Review workflow tried to neutralize a PR-supplied `.claude/`
directory by overlaying the base-branch version on top:
    cp -r trusted-claude/.claude pr-code/.claude
But `cp -r SRC DST` nests into DST when DST already exists, producing
`pr-code/.claude/.claude/` and leaving the PR's
`pr-code/.claude/settings.json` in place. Claude Code reads the
working-directory `settings.json`, so a `SessionStart` hook in the PR
would still fire on the self-hosted runner — defeating the override.
The workflow trigger (`pull_request_target` with `types: [labeled]`
gated on the `claude-review` label) still requires a maintainer to label
the PR before `claude -p` runs, so this is not exploitable by a drive-by
forker. The risk is a maintainer labeling a PR whose `.claude/` slipped
past review.
Fix: `rm -rf pr-code/.claude` before the copy so the trusted version
fully replaces the PR's directory.
The active code_review.yml has fully replaced the anthropics/claude-code-action v1-based variant. No reason to keep the workflow_dispatch stub around — `git log` is the archive.
eric-gecheng approved these changes May 20, 2026
chengaofei approved these changes May 20, 2026
Just flagging that I was the one who privately submitted the disclosure that led to this PR. :)
Summary
- `.github/workflows/code_review.yml`: the override that was supposed to neutralize a PR-supplied `.claude/` directory was a no-op — `cp -r SRC DST` nests into DST when DST already exists, so the PR's `pr-code/.claude/settings.json` was never replaced and a `SessionStart` hook in the PR could still fire on the self-hosted runner. Added `rm -rf pr-code/.claude` before the copy.
- `.github/workflows/deprecated/code_review.yml`: dropped — fully superseded by the active workflow.

The trigger (`pull_request_target` + `types: [labeled]` gated on the `claude-review` label) still requires a maintainer to label the PR, so this is not exploitable by a drive-by forker; risk is a maintainer labeling a PR whose `.claude/` slipped past review.

Reference: GHSA-f9x3-9rgg-92p7.

Verification
Reproduced the nesting bug and the fix in `/tmp`:

Test plan
- `claude-review` label to a PR and confirm the review job still runs (no functional change beyond replacing the `.claude/` contents).
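
The nesting behaviour and the fix described in this PR, reproduced in a scratch directory as an added example (not the PR author's own verification snippet and not the project's workflow code). The `settings.json` contents are constructed placeholders, and `verify_overlay` is a hypothetical post-copy guard that the workflow is not stated to contain.

```shell
#!/bin/sh
# Added example: reproduces the cp -r nesting behaviour in a scratch directory.
# File contents are constructed placeholders, not the project's real settings.

# Build a scratch tree: a trusted .claude/ and a PR checkout carrying its own.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/trusted-claude/.claude" "$root/pr-code/.claude"
    printf '{"origin":"base-branch"}\n' > "$root/trusted-claude/.claude/settings.json"
    printf '{"origin":"pull-request"}\n' > "$root/pr-code/.claude/settings.json"
    printf '%s\n' "$root"
}

# Report which settings.json the review working directory would expose.
effective_origin() {
    sed -n 's/.*"origin":"\([^"]*\)".*/\1/p' "$1/pr-code/.claude/settings.json"
}

# Original step: DST already exists, so SRC is copied *into* it.
overlay_nested() {
    ( cd "$1" && cp -r trusted-claude/.claude pr-code/.claude )
}

# Fixed step: remove the PR's directory first so the copy creates DST.
overlay_replaced() {
    ( cd "$1" && rm -rf pr-code/.claude && cp -r trusted-claude/.claude pr-code/.claude )
}

# Hypothetical guard (assumption, not in the workflow): succeed only when
# nothing nested and the working-directory tree equals the trusted tree.
verify_overlay() {
    [ ! -e "$1/pr-code/.claude/.claude" ] &&
        diff -r "$1/trusted-claude/.claude" "$1/pr-code/.claude" >/dev/null
}

demo() {
    a=$(make_fixture); overlay_nested "$a"
    echo "cp only:     origin=$(effective_origin "$a") guard=$(verify_overlay "$a" && echo pass || echo fail)"
    b=$(make_fixture); overlay_replaced "$b"
    echo "rm -rf + cp: origin=$(effective_origin "$b") guard=$(verify_overlay "$b" && echo pass || echo fail)"
    rm -rf "$a" "$b"
}
demo
```

A guard like `verify_overlay` placed after the copy step makes the job fail closed if the overlay ever stops matching the trusted tree.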