fix(fetchers): enforce policy for GitHub API subrequests by chaliy · Pull Request #131 · everruns/fetchkit

chaliy · 2026-05-18T01:03:42Z

The GitHub repo fetcher constructed api.github.com subrequests after the registry only validated the original github.com URL, allowing an egress policy bypass.
The fetcher also always used GET for its API calls, ignoring callers that requested HEAD, which could violate caller expectations and policies.

Added GitHubRepoFetcher::validate_policy_url to enforce allow_prefixes / block_prefixes for secondary outbound URLs. This helper is invoked before the /repos/{owner}/{repo} and /readme API calls.
Honor the caller's method by using request.effective_method() to issue GET or HEAD for the repo metadata request, and return early for HEAD (skip README fetch and JSON parsing).
Added HttpMethod to imports and light unit tests for the new policy validation helper (test_validate_policy_url).
Kept behavior scoped to the GitHub fetcher so other fetchers remain unchanged.

Ran the targeted fetcher unit tests with cargo test -p fetchkit github_repo -- --nocapture, and all tests passed (10 passed, 0 failed).
Package-level test run completed successfully during the change verification with no regressions observed in the fetcher test suite.

chaliy added codex aardvark labels May 18, 2026 — with ChatGPT Codex Connector

fix(fetchers): enforce policy for GitHub API subrequests

851eb0e

chaliy force-pushed the 2026-05-18-fix-github-fetcher-url-policy-bypass branch from 58eeeb0 to 851eb0e Compare May 18, 2026 04:00

chaliy merged commit 5a6f958 into main May 18, 2026
11 checks passed

chaliy deleted the 2026-05-18-fix-github-fetcher-url-policy-bypass branch May 18, 2026 04:41

Provide feedback