AntFleet

Disagreement · 50084e99-openai-0

Unauthenticated endpoint can trigger GitHub Actions via gh CLI

mismatch
repo 6f7fc663 · PR #1 · reviewed 1 week ago

Primary finding

Unauthenticated endpoint can trigger GitHub Actions via gh CLI

critical · security · high
  • dashboard/app/api/skills/[name]/run/route.ts:11-18
  • dashboard/app/api/skills/[name]/run/route.ts:36
The route allows any caller to POST and trigger a GitHub Actions workflow via the GitHub CLI. There is no authentication or authorization check before executing the privileged action. This enables abuse (e.g., burning CI minutes, exfiltrating info from workflows, or spam triggering).

Recommendation

Require authentication and authorization before triggering the workflow (e.g., verify a session/JWT, check user permissions/role, and optionally restrict allowed skills per user). Add CSRF protection if this route is callable from a browser and enforce rate limiting. Consider moving the trigger to a trusted server-side job/queue and validating inputs server-side only.

Counterpart finding

Unauthenticated POST endpoint can trigger arbitrary GitHub Actions workflow runs

high · security · high
  • dashboard/app/api/skills/[name]/run/route.ts:7-37
The POST handler performs no authentication or authorization checks before invoking `gh workflow run aeon.yml` against the repository. Any unauthenticated client that can reach the dashboard can dispatch CI workflows with attacker-controlled skill, var, and model inputs. If the dashboard is ever exposed beyond localhost (or accessible from another origin via CSRF since there is no method/origin/CSRF check either), this becomes a remote workflow-triggering primitive that can consume CI minutes, hit external APIs the workflow calls, and potentially exfiltrate secrets via attacker-influenced workflow inputs.

Recommendation

Add authentication (e.g., session/JWT check or a shared secret header verified server-side) and CSRF protection (verify Origin/Referer or require a non-cookie credential) before invoking `gh`. Also consider rate limiting.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.