fix(ng-dev/pr): guard against null author in PR validations and checkout #3764

Merged: alan-agius4 merged 1 commit into angular:main from josephperrott:fix/sec-pr-null-author-dos-7e915aba on Jun 8, 2026
@josephperrott
Member

This PR resolves a Denial of Service vulnerability in PR validations and takeover checkout by adding guards for null author (deleted GitHub accounts). Vulnerability: 7e915aba

@josephperrott added the "action: merge" label (The PR is ready for merge by the caretaker), Jun 6, 2026
@josephperrott requested a review from alan-agius4, June 6, 2026 02:42
@gemini-code-assist (Bot) left a comment

Code Review

This pull request introduces null-safety checks for pull request authors across various validation scripts to prevent crashes, and adds a sanitization utility to redact sensitive URL credentials from child process logs, output, and errors. The reviewer feedback suggests improving the robustness of the child process error handler by sanitizing error messages before rejection, and recommends using more idiomatic TypeScript truthy checks instead of strict null checks for authors.

Comment thread ng-dev/utils/child-process.ts Outdated
Comment thread ng-dev/pr/common/validation/assert-enforce-tested.ts Outdated
Comment thread ng-dev/pr/checkout/takeover.ts Outdated
Comment thread ng-dev/pr/common/validation/assert-allowed-target-label.ts Outdated
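
The two changes the review summary describes, as an added example that is not part of this PR or of ng-dev: a validation that treats a null author as an ordinary failure instead of throwing, and a redaction step for URL credentials in child process output. All type names, function names and sample values below are hypothetical and constructed for illustration.

```typescript
// Added illustration; type and function names are hypothetical, not ng-dev's.
interface PullRequest {
  number: number;
  // The author is null when the GitHub account that opened the PR was deleted.
  author: {login: string} | null;
}

interface ValidationResult {
  ok: boolean;
  message?: string;
}

// Unguarded form: dereferencing a null author throws a TypeError, which aborts
// the whole validation run instead of failing a single check.
function authorLoginUnguarded(pr: PullRequest): string {
  return (pr.author as {login: string}).login;
}

// Guarded form: a missing author becomes a reportable validation failure.
function assertAuthorAllowed(pr: PullRequest, allowedLogins: Set<string>): ValidationResult {
  if (!pr.author) {
    return {ok: false, message: `PR #${pr.number} has no author (deleted account)`};
  }
  return allowedLogins.has(pr.author.login)
    ? {ok: true}
    : {ok: false, message: `${pr.author.login} is not an allowed author`};
}

// Redacts the userinfo part of any URL (scheme://user:secret@host) in text that
// is about to be logged or attached to an error from a child process.
function redactUrlCredentials(text: string): string {
  return text.replace(/([a-z][a-z0-9+.-]*:\/\/)[^\/\s@]+@/gi, '$1<redacted>@');
}

// Constructed sample input.
const deletedAuthorPr: PullRequest = {number: 1, author: null};
const activeAuthorPr: PullRequest = {number: 2, author: {login: 'octocat'}};
const allowedAuthors = new Set(['octocat']);
const sampleChildError =
  'git fetch https://x-access-token:abc123@github.com/org/repo.git failed';

console.log(assertAuthorAllowed(deletedAuthorPr, allowedAuthors));
console.log(assertAuthorAllowed(activeAuthorPr, allowedAuthors));
console.log(redactUrlCredentials(sampleChildError));
```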
@josephperrott force-pushed the fix/sec-pr-null-author-dos-7e915aba branch from 3505754 to de6095f, June 6, 2026 14:08
@josephperrott force-pushed the fix/sec-pr-null-author-dos-7e915aba branch from ff20f9f to 0a602b7, June 8, 2026 14:15
@josephperrott force-pushed the fix/sec-pr-null-author-dos-7e915aba branch from 0a602b7 to 6b7895c, June 8, 2026 14:25
@alan-agius4 merged commit 184e302 into angular:main, Jun 8, 2026
16 checks passed
@alan-agius4
Contributor

This PR was merged into the repository. The changes were merged into the following branches:
