AntFleet

Disagreement · 50084e99-anthropic-0

Unauthenticated POST endpoint can trigger arbitrary GitHub Actions workflow runs

mismatch
repo 6f7fc663 · PR #1 · reviewed 1 week ago

Primary finding

Unauthenticated POST endpoint can trigger arbitrary GitHub Actions workflow runs

high · security · high
  • dashboard/app/api/skills/[name]/run/route.ts:7-37
The POST handler performs no authentication or authorization checks before invoking `gh workflow run aeon.yml` against the repository. Any unauthenticated client that can reach the dashboard can dispatch CI workflows with attacker-controlled skill, var, and model inputs. If the dashboard is ever exposed beyond localhost (or accessible from another origin via CSRF since there is no method/origin/CSRF check either), this becomes a remote workflow-triggering primitive that can consume CI minutes, hit external APIs the workflow calls, and potentially exfiltrate secrets via attacker-influenced workflow inputs.

Recommendation

Add authentication (e.g., session/JWT check or a shared secret header verified server-side) and CSRF protection (verify Origin/Referer or require a non-cookie credential) before invoking `gh`. Also consider rate limiting.

Counterpart finding

Synchronous execFileSync blocks the event loop and lacks timeout/failure controls

high · performance · high
  • dashboard/app/api/skills/[name]/run/route.ts:36
execFileSync runs synchronously in the request handler, blocking the event loop. Under load or if gh is slow/hangs (e.g., waiting for auth, network slowness), this can stall the server and degrade availability. No timeout is configured, increasing the risk of long-running or stuck requests.

Recommendation

Use execFile (async) with a reasonable timeout and explicit error handling. Consider offloading to a background job/queue, or a worker thread/process pool. Ensure gh does not prompt (set non-interactive mode and require GH_TOKEN) and capture/limit stdout/stderr to avoid large buffers.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.