AntFleet

Disagreement · 6084d1ea-openai-0

Secrets API endpoints lack authentication/authorization; unauthenticated clients can list/set/delete repository secrets via GH CLI

mismatch
repo 6f7fc663 · PR #3 · reviewed 1 week ago

Primary finding

Secrets API endpoints lack authentication/authorization; unauthenticated clients can list/set/delete repository secrets via GH CLI

critical · security · high
  • dashboard/app/api/secrets/route.ts:53-77
  • dashboard/app/api/secrets/route.ts:79-105
  • dashboard/app/api/secrets/route.ts:107-125
  • dashboard/app/api/secrets/route.ts:90-93
  • dashboard/app/api/secrets/route.ts:69-74
There is no user authentication or authorization in any handler; the only check is whether the server’s GitHub CLI is authenticated. Any client able to hit these endpoints can enumerate and mutate repository secrets via the server’s GH credentials. The POST path also allows setting arbitrary secret names (not limited to known built-ins), compounding impact.

Recommendation

- Enforce authentication and role-based authorization on all handlers (e.g., require an authenticated session and admin role).
- Add CSRF protection if using cookie-based auth.
- Restrict allowed secret names (default-deny to builtin names or a server-side allowlist), or gate custom names behind an elevated permission flag.
- Consider disabling these endpoints entirely in production builds or behind server-only admin network controls.

Counterpart finding

Secret value passed on argv to `gh secret set -b` leaks plaintext via process listings

high · security · high
  • dashboard/app/api/secrets/route.ts:96-99
`execFileSync` with `-b <value>` places the secret value in argv, which is visible to any local user via `/proc/<pid>/cmdline` or `ps -ef` while the gh process runs. `gh secret set` supports reading the value from stdin (`gh secret set NAME` reads stdin, or use `--body-file -`), which avoids argv exposure. Although argv injection is blocked by `execFileSync`, plaintext leakage to other local processes/audit logs is a real concern on shared hosts and is the canonical reason gh documents stdin usage.

Recommendation

Use `execFileSync('gh', ['secret', 'set', name, '--body-file', '-'], { input: value, stdio: ['pipe','pipe','pipe'] })` so the value is piped via stdin instead of argv.
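The two recommendations combined, as an added example that is not code from the reviewed repository or from AntFleet: a POST handler core that denies by default, restricts names to a server-side allowlist, and hands the value to `gh secret set NAME` on stdin. The session shape, the allowlist entries and all function names are assumptions.

```javascript
// Added example. Names below (ALLOWED_SECRET_NAMES, session.role, handleSetSecret)
// are hypothetical and do not come from the reviewed repository.
const ALLOWED_SECRET_NAMES = new Set(['EXAMPLE_API_KEY', 'EXAMPLE_DEPLOY_TOKEN']); // constructed

// Default-deny: no session -> 401, non-admin -> 403.
function authorize(session) {
  if (!session) return 401;
  if (session.role !== 'admin') return 403;
  return 200;
}

// Build the gh invocation without ever placing the value in argv.
function planSecretSet(name, value) {
  if (typeof name !== 'string' || !ALLOWED_SECRET_NAMES.has(name)) {
    throw new RangeError('secret name is not on the server-side allowlist');
  }
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError('secret value must be a non-empty string');
  }
  return {
    file: 'gh',
    args: ['secret', 'set', name], // no -b: gh reads the body from stdin
    options: { input: value, stdio: ['pipe', 'pipe', 'pipe'] },
  };
}

// `run` is an execFileSync-compatible function, injected so the handler
// can be exercised without a real gh binary.
function handleSetSecret(session, body, run) {
  const status = authorize(session);
  if (status !== 200) return { status };
  let plan;
  try {
    plan = planSecretSet(body?.name, body?.value);
  } catch (err) {
    return { status: 400, error: err.message };
  }
  run(plan.file, plan.args, plan.options);
  return { status: 200 };
}
```

In a route handler, `run` would be `execFileSync` from `node:child_process`, and `session` would come from whatever session mechanism the dashboard adopts.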

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
