fix: validate OIDs and use literal file rewrites in build-images handler#197

Merged
MarshallOfSound merged 1 commit into main from claude/autopatch-scan-1f76d7a8-vuln-1895949-3jxmwk on Jun 25, 2026

Conversation

@MarshallOfSound

Member

Package metadata and webhook payload values (target_oid, the first container tag of a prior package version) were used as a regular expression and as replacement text when rewriting electron/electron workflow files. String.prototype.match compiles its string argument into a RegExp, so a crafted container tag containing regex metacharacters could match an arbitrary region of a workflow file, and the target_oid was written into the result verbatim — allowing whoever can publish package versions in electron/build-images to inject unreviewed, attacker-shaped edits into CI workflow content.

Validate every OID taken from a webhook payload or package metadata against a strict 40-character hex format before use, and replace the regex-based match/replace with literal substring matching and split/join so neither value is ever interpreted as a regular expression or a replacement pattern.


Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PFTXnbYTesq9vibGJyDFgH
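The two shapes the PR description contrasts, as an added example that is not the electron/build-images handler's own code: a regex-interpreting rewrite (`match` with a string argument, `replace` with an unvalidated replacement) beside a hardened one that validates both OIDs against a 40-character hex format and rewrites with `split`/`join`. The function names, the sample workflow text and the crafted tag and replacement values are all constructed for illustration.

```javascript
// Added example, not the electron/build-images handler itself: a minimal model
// of the workflow rewrite described in the PR, with the regex-interpreting
// shape beside a hardened literal one. Names and sample text are constructed.

const OLD_OID = "a".repeat(40); // pretend OID of the currently pinned image
const NEW_OID = "b".repeat(40); // legitimate new OID from a webhook payload

// Constructed sample workflow content; the image tag is a 40-hex commit OID.
const SAMPLE_WORKFLOW = [
  "jobs:",
  "  build:",
  "    container:",
  `      image: ghcr.io/electron/build:${OLD_OID}`,
  "    steps:",
  "      - run: ./script/build.sh",
].join("\n");

// --- Vulnerable shape -------------------------------------------------------
// String.prototype.match(str) compiles str with new RegExp(str), so metachars
// in `oldTag` decide which region of the file is matched. That region is then
// replaced with `newOid` verbatim, and String.prototype.replace expands "$&",
// "$1", "$$" and friends in the replacement string even when the pattern is a
// plain string.
function rewriteVulnerable(workflow, oldTag, newOid) {
  const m = workflow.match(oldTag); // oldTag is compiled to a RegExp here
  if (!m) return workflow;
  return workflow.replace(m[0], newOid); // newOid unvalidated, $-patterns expanded
}

// --- Hardened shape ---------------------------------------------------------
// Git prints OIDs as 40 lowercase hex characters in SHA-1 repositories; any
// other value taken from a webhook payload or package metadata is rejected
// before it can reach the rewrite. (Assumption: lowercase only, as git emits.)
const OID_RE = /^[0-9a-f]{40}$/;

function isOid(value) {
  return typeof value === "string" && OID_RE.test(value);
}

function assertOid(value, label) {
  if (!isOid(value)) throw new Error(`${label} is not a 40-character hex OID`);
  return value;
}

// Literal replace-all: split on the needle as a plain string and join with the
// replacement as a plain string. Neither argument is ever a RegExp or a
// replacement pattern, so "." stays "." and "$&" stays "$&".
function replaceLiteral(text, needle, replacement) {
  return text.split(needle).join(replacement);
}

function rewriteLiteral(workflow, oldOid, newOid) {
  assertOid(oldOid, "old OID");
  assertOid(newOid, "new OID");
  if (!workflow.includes(oldOid)) return workflow; // literal substring test
  return replaceLiteral(workflow, oldOid, newOid);
}

// Returns true when fn throws; used to show which inputs the hardened path rejects.
function rejects(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

// --- Demonstration inputs ---------------------------------------------------
// A "tag" carrying regex metacharacters: as a RegExp it matches from "image: "
// to the end of that line, not just the OID.
const CRAFTED_TAG = "image: .*";
// Attacker-shaped replacement text that is not an OID at all.
const CRAFTED_TEXT = "ghcr.io/not-electron/build:latest";

function demo() {
  return {
    // Both shapes agree when every value really is an OID.
    honest: rewriteLiteral(SAMPLE_WORKFLOW, OLD_OID, NEW_OID),
    // The whole image line is swapped for attacker-controlled text.
    hijacked: rewriteVulnerable(SAMPLE_WORKFLOW, CRAFTED_TAG, CRAFTED_TEXT),
    // "$&" is the matched text, so the pinned OID is written twice.
    doubled: rewriteVulnerable(SAMPLE_WORKFLOW, OLD_OID, "$&$&"),
    // The hardened path refuses all three non-OID inputs before touching the file.
    craftedTagRejected: rejects(() => rewriteLiteral(SAMPLE_WORKFLOW, CRAFTED_TAG, NEW_OID)),
    craftedTextRejected: rejects(() => rewriteLiteral(SAMPLE_WORKFLOW, OLD_OID, CRAFTED_TEXT)),
    patternRejected: rejects(() => rewriteLiteral(SAMPLE_WORKFLOW, OLD_OID, "$&$&")),
  };
}

console.log(demo());
```

The validation step is what makes `split`/`join` sufficient: once both values are known to be exactly 40 hex characters, neither can contain a regex metacharacter or a `$` replacement token, and the literal rewrite cannot touch any region of the file other than the pinned OID. A repository using git's SHA-256 object format prints 64-hex OIDs, so the pattern would need widening there; the PR targets the 40-character format.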
@MarshallOfSound MarshallOfSound requested review from a team as code owners June 25, 2026 00:46
@MarshallOfSound MarshallOfSound merged commit 5e2589d into main Jun 25, 2026
5 checks passed
@MarshallOfSound MarshallOfSound deleted the claude/autopatch-scan-1f76d7a8-vuln-1895949-3jxmwk branch June 25, 2026 00:59

3 participants