AntFleet

Anatomy · 50084e99-0

Unauthenticated endpoint can trigger GitHub Actions via gh CLI

criticalsecurityclosed in 4b9b492
repo 6f7fc663·PR #1·reviewed 1 week ago·closed 1 week ago

The vulnerable code

dashboard/app/api/skills/[name]/run/route.ts:11-18

11  try {
12    const { name } = await params
13
14    // Validate skill name to prevent injection
15    if (!/^[a-z][a-z0-9-]*$/.test(name)) {
16      return NextResponse.json({ error: 'Invalid skill name' }, { status: 400 })
17    }
18

The reasoning

Opus

Unauthenticated POST endpoint can trigger arbitrary GitHub Actions workflow runs

highsecurityhigh
  • dashboard/app/api/skills/[name]/run/route.ts:7-37
The POST handler performs no authentication or authorization checks before invoking `gh workflow run aeon.yml` against the repository. Any unauthenticated client that can reach the dashboard can dispatch CI workflows with attacker-controlled skill, var, and model inputs. If the dashboard is ever exposed beyond localhost (or accessible from another origin via CSRF since there is no method/origin/CSRF check either), this becomes a remote workflow-triggering primitive that can consume CI minutes, hit external APIs the workflow calls, and potentially exfiltrate secrets via attacker-influenced workflow inputs.

Recommendation

Add authentication (e.g., session/JWT check or a shared secret header verified server-side) and CSRF protection (verify Origin/Referer or require a non-cookie credential) before invoking `gh`. Also consider rate limiting.

GPT-5

Unauthenticated endpoint can trigger GitHub Actions via gh CLI

criticalsecurityhigh
  • dashboard/app/api/skills/[name]/run/route.ts:11-18
  • dashboard/app/api/skills/[name]/run/route.ts:36
The route allows any caller to POST and trigger a GitHub Actions workflow via the GitHub CLI. There is no authentication or authorization check before executing the privileged action. This enables abuse (e.g., burning CI minutes, exfiltrating info from workflows, or spam triggering).

Recommendation

Require authentication and authorization before triggering the workflow (e.g., verify a session/JWT, check user permissions/role, and optionally restrict allowed skills per user). Add CSRF protection if this route is callable from a browser and enforce rate limiting. Consider moving the trigger to a trusted server-side job/queue and validating inputs server-side only.

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR. Closed in 4b9b492.

The fix

11  try {
12    const { name } = await params
13
14    // Validate skill name to prevent injection
15    if (!/^[a-z][a-z0-9-]*$/.test(name)) {
16      return NextResponse.json({ error: 'Invalid skill name' }, { status: 400 })
17    }
18

Closure

Closed 1 week ago

SHA: 4b9b49251c8c9808bf147d55aa2930352af2e8c0

View closure receipt on GitHub →

Tweet thread template

tweet 1 of 8151 / 280

Two frontier models reviewed PR #1 on 6f7fc663. Both found this bug: critical security: Unauthenticated endpoint can trigger GitHub Actions via gh CLI

tweet 2 of 8136 / 280

The vulnerable code (dashboard/app/api/skills/[name]/run/route.ts:11-18): (full snippet at https://www.antfleet.dev/anatomy/50084e99-0)

tweet 3 of 8280 / 280

What Opus saw: "The POST handler performs no authentication or authorization checks before invoking `gh workflow run aeon.yml` against the repository. Any unauthenticated client that can reach the dashboard can dispatch CI workflows with attacker-controlled skill, var, and mode…

tweet 4 of 8280 / 280

What GPT-5 saw: "The route allows any caller to POST and trigger a GitHub Actions workflow via the GitHub CLI. There is no authentication or authorization check before executing the privileged action. This enables abuse (e.g., burning CI minutes, exfiltrating info from workflow…

tweet 5 of 897 / 280

Both flagged the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

tweet 6 of 893 / 280

The fix landed in commit 4b9b492: (view diff at https://www.antfleet.dev/anatomy/50084e99-0)

tweet 7 of 881 / 280

AntFleet reviews every PR with two frontier models. Only unanimous findings post.

tweet 8 of 877 / 280

Full anatomy + reasoning + diffs: https://www.antfleet.dev/anatomy/50084e99-0

Paste into X composer one tweet at a time. X has no multi-tweet intent API.

view receipt →all receipts →view disagreements →case studies →