AntFleet

Disagreement · fc046725-openai-0

API routes lack authentication/authorization, potentially exposing private GitHub Actions data and logs

solo GPT-5
repo 6f7fc663 · PR #26 · reviewed 1 week ago

GPT-5 finding

API routes lack authentication/authorization, potentially exposing private GitHub Actions data and logs

high · security · high
  • dashboard/app/api/analytics/route.ts:52-60
  • dashboard/app/api/analytics/route.ts:195-208
  • dashboard/app/api/runs/[id]/logs/route.ts:24-35
  • dashboard/app/api/runs/route.ts:24-43
All three handlers expose data without any authentication check. They execute gh CLI using the server’s configured credentials (default repo, tokens), so a public request could retrieve metadata and logs from private repos, including potentially sensitive log content. No access control or origin checks are present.

Recommendation

Require authentication/authorization for these routes (e.g., NextAuth session checks, signed internal token, or IP allowlist). Return 401/403 for unauthenticated requests. If this dashboard is internal-only, gate it behind VPN or reverse proxy auth. Additionally, sanitize logs before returning or restrict logs to authenticated admins.
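The "signed internal token" option from the recommendation, shown as an added editor's example; this is not code from PR #26 and not part of GPT-5's finding. It models a route handler as a plain Request-to-Response function (no Next.js import, though the shape matches an App Router `GET` export), reads a hypothetical `DASHBOARD_INTERNAL_SECRET` environment variable, and replaces the `gh` CLI call with a constructed stub. The point it demonstrates is ordering: the authentication check runs before anything touches the server's GitHub credentials, and anonymous callers get a 401 with no data.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical shared secret for the dashboard's internal callers; in practice
// this comes from the environment and is never committed.
const INTERNAL_TOKEN_SECRET =
  process.env.DASHBOARD_INTERNAL_SECRET ?? "constructed-example-secret";

// Token layout: base64url(payload) "." base64url(HMAC-SHA256(payload)).
// The payload carries a subject and an expiry so a leaked token dies on its own.
export function signInternalToken(
  secret: string,
  subject: string,
  ttlSeconds: number,
  now: number = Date.now(),
): string {
  const payload = Buffer.from(
    JSON.stringify({ sub: subject, exp: Math.floor(now / 1000) + ttlSeconds }),
  ).toString("base64url");
  const mac = createHmac("sha256", secret).update(payload).digest("base64url");
  return `${payload}.${mac}`;
}

// Returns the verified claims, or null for any malformed, forged or expired token.
export function verifyInternalToken(
  secret: string,
  token: string,
  now: number = Date.now(),
): { sub: string } | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = createHmac("sha256", secret).update(payload).digest();
  const given = Buffer.from(mac, "base64url");
  // Length check first: timingSafeEqual throws on mismatched lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: { sub?: unknown; exp?: unknown };
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.sub !== "string" || typeof claims.exp !== "number") return null;
  if (claims.exp <= Math.floor(now / 1000)) return null;
  return { sub: claims.sub };
}

// Guard for a route handler: a 401 Response when the caller is not authenticated,
// null when it is. Using the same 401 for "missing" and "bad" avoids leaking which.
export function requireInternalAuth(
  req: Request,
  secret: string = INTERNAL_TOKEN_SECRET,
): Response | null {
  const header = req.headers.get("authorization") ?? "";
  if (!header.startsWith("Bearer ")) return new Response("Unauthorized", { status: 401 });
  const claims = verifyInternalToken(secret, header.slice("Bearer ".length));
  if (!claims) return new Response("Unauthorized", { status: 401 });
  return null;
}

// Constructed stand-in for the server-side `gh run list` call; the real handler
// shells out with the server's credentials, which is exactly what must be gated.
async function listRunsFromGh(): Promise<{ id: number; status: string }[]> {
  return [{ id: 101, status: "completed" }];
}

function jsonResponse(body: unknown): Response {
  return new Response(JSON.stringify(body), {
    status: 200,
    headers: { "content-type": "application/json" },
  });
}

// The shape the finding describes: no check at all, anyone gets the data.
export async function GET_before(_req: Request): Promise<Response> {
  return jsonResponse(await listRunsFromGh());
}

// Hardened handler: the guard runs first, so gh is never invoked for anonymous callers.
export async function GET_after(req: Request): Promise<Response> {
  const denied = requireInternalAuth(req);
  if (denied) return denied;
  return jsonResponse(await listRunsFromGh());
}
```

The same `requireInternalAuth` guard would sit at the top of all three handlers named in the finding (analytics, runs, and runs/[id]/logs); a NextAuth session check or reverse-proxy header check slots into the same position, and the logs route can additionally require an admin subject before returning raw log content.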

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
