fix: restrict BEGIN_COMMIT_OVERRIDE to PR authors with write access#2781
Open
evilgensec wants to merge 1 commit into
Open
fix: restrict BEGIN_COMMIT_OVERRIDE to PR authors with write access#2781evilgensec wants to merge 1 commit into
evilgensec wants to merge 1 commit into
Conversation
The BEGIN_COMMIT_OVERRIDE section of a merged pull request's body is read live from GitHub at release-please run time (via the GraphQL `body` field). GitHub keeps the PR body editable by its author indefinitely after merge, so an external contributor whose otherwise innocuous PR has been merged can later rewrite the body to insert a forged commit message that drives the next CHANGELOG, version bump, and GitHub release notes without any maintainer review. Gate the override on the PR's `authorAssociation` and honor it only for OWNER, MEMBER, and COLLABORATOR — the roles that already have write access to the repository. PRs from CONTRIBUTOR / FIRST_TIME_CONTRIBUTOR / NONE fall back to the merge commit message.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
BEGIN_COMMIT_OVERRIDEin a merged PR's body lets the body's text replace the merge commit message that drives release notes, version bumps, and CHANGELOG generation. The PR body is fetched live at release-please run time (src/github.tsGraphQL query onpullRequest.body), and GitHub keeps the PR body editable by its author indefinitely after merge. An external contributor whose otherwise innocuous PR has been merged can later rewrite their PR body to insert a forged commit message — for example,BEGIN_COMMIT_OVERRIDE\nfeat!: x\n\nBREAKING CHANGE: <phishing markdown>\nEND_COMMIT_OVERRIDE— and that text drives the next CHANGELOG entry, forces a major version bump, and ends up in the published GitHub Release notes without any maintainer review.This PR gates the override on the PR's
authorAssociation(already exposed by the GitHub GraphQLPullRequesttype) and honors it only forOWNER,MEMBER, andCOLLABORATOR— the roles that already have write access to the repository. PRs fromCONTRIBUTOR/FIRST_TIME_CONTRIBUTOR/NONEfall back to the merge commit message, matching the pre-BEGIN_COMMIT_OVERRIDEbehavior.#1161addedBEGIN_COMMIT_OVERRIDEfor the maintainer "retroactively fix a release note" workflow; the README still describes it that way. The check here keeps the original maintainer workflow intact (maintainers areOWNER/MEMBER/COLLABORATOR) while closing the path that lets non-maintainer authors abuse it.Changes
src/pull-request.ts: addPullRequestAuthorAssociationtype and optionalauthorAssociationfield onPullRequest.src/github.ts: requestauthorAssociationin themergeCommitsGraphQLquery and thread it ontocommit.pullRequest.src/commit.ts: inpreprocessCommitMessage, ignoreBEGIN_COMMIT_OVERRIDEunlessauthorAssociationisOWNER,MEMBER, orCOLLABORATOR.test/commits.ts: existing override tests now setauthorAssociationto a trusted value; two new tests cover (a)CONTRIBUTORoverride is ignored and (b) missingauthorAssociationis treated as untrusted.test/manifest.ts: existing manifest-mode override fixture setsauthorAssociation: 'MEMBER'.Test plan
npm run lint— no new warnings or errors.npm test— 1101 passing, 0 failing.MEMBER/OWNERstill honored) and the deny paths (CONTRIBUTORand missingauthorAssociationfall back to the commit message).