AntFleet

Disagreement · 70b30f32-anthropic-3

ClosureReceiptInput allows owner/repo to be injected into commit URL without sanitization

solo Opus
repo e24ef98c · PR #8 · reviewed 1 week ago

Opus finding

low · security · medium
  • apps/web/lib/pr-comment.ts:89-95
owner/repo/closureSha are concatenated into a URL inside a Markdown link. If owner or repo somehow contains a ')' character or a Markdown control sequence (this would be unusual since GitHub names don't allow this, but the function is exported and accepts arbitrary strings), the produced markdown could break the link or be used to inject markdown into a PR comment that AntFleet then posts. Given GitHub repo/owner naming restrictions this is low-likelihood, but the type signature does not enforce them. Same applies to closureSha (which we slice but use the full string in URL) — a non-hex sha could produce an invalid GitHub URL.

Recommendation

Validate owner/repo against GitHub's allowed character set ([A-Za-z0-9._-]+) and closureSha against /^[0-9a-f]{7,40}$/ before formatting; throw on invalid input.
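
One way to apply the recommendation, as an added example that is not AntFleet's code or part of the reviewer's finding. Only `owner`, `repo` and `closureSha` come from the finding; the function names, the link format and the sample inputs are assumptions, and the dot-segment check goes one step beyond what the recommendation asks for.

```typescript
// Added example. Only owner, repo and closureSha come from the finding;
// every other name here is hypothetical.
interface ClosureReceiptInput { owner: string; repo: string; closureSha: string }

// Patterns from the recommendation, anchored so the whole string must match.
const NAME_RE = /^[A-Za-z0-9._-]+$/;
const SHA_RE = /^[0-9a-f]{7,40}$/;

function assertValid(input: ClosureReceiptInput): void {
  for (const field of ["owner", "repo"] as const) {
    const value = input[field];
    // Extra check beyond the recommendation: "." and ".." pass NAME_RE but
    // are dot segments that URL parsers collapse out of the path.
    if (!NAME_RE.test(value) || value === "." || value === "..") {
      throw new Error(`invalid ${field}`); // never echo the raw value
    }
  }
  if (!SHA_RE.test(input.closureSha)) throw new Error("invalid closureSha");
}

// Assumed link shape: short sha as the link text, full sha in the URL.
function formatCommitLink(input: ClosureReceiptInput): string {
  assertValid(input);
  const { owner, repo, closureSha } = input;
  const url = `https://github.com/${owner}/${repo}/commit/${closureSha}`;
  return `[\`${closureSha.slice(0, 7)}\`](${url})`;
}

// Returns the Markdown link, or the rejection reason when validation throws.
function tryFormat(input: ClosureReceiptInput): string {
  try { return formatCommitLink(input); }
  catch (e) { return `rejected: ${(e as Error).message}`; }
}

// Constructed inputs: one valid, three that must be rejected.
const SHA = "0123456789abcdef0123456789abcdef01234567";
const samples: ClosureReceiptInput[] = [
  { owner: "acme", repo: "web-app", closureSha: SHA },
  { owner: "acme", repo: "web) **bold**", closureSha: SHA },
  { owner: "acme", repo: "..", closureSha: SHA },
  { owner: "acme", repo: "web-app", closureSha: "not-a-sha" },
];
const results: string[] = samples.map(tryFormat);
```

The error messages name the failing field but not its value, so a rejected string cannot reach the PR comment through the error path either.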

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
