-
Notifications
You must be signed in to change notification settings - Fork 242
SEC-005: Add cross-repository allowlist validation to flagged handlers #17771
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -187,11 +187,27 @@ function resolveAndValidateRepo(item, defaultTargetRepo, allowedRepos, operation | |
| }; | ||
| } | ||
|
|
||
| /** | ||
| * Validate a target repository for cross-repository operations. | ||
| * Shared utility for handlers that accept user-supplied target repositories; | ||
| * must be called before any API interaction with the cross-repo target. | ||
| * This named function makes cross-repo validation intent explicit and | ||
| * allows conformance checks to verify SEC-005 compliance by file. | ||
| * @param {string} repo - Repository slug to validate (can be "owner/repo" or just "repo") | ||
| * @param {string} defaultRepo - Default (always-allowed) target repository | ||
| * @param {Set<string>} allowedRepos - Set of explicitly allowed repo patterns | ||
| * @returns {{valid: boolean, error: string|null, qualifiedRepo: string}} | ||
| */ | ||
| function validateTargetRepo(repo, defaultRepo, allowedRepos) { | ||
| return validateRepo(repo, defaultRepo, allowedRepos); | ||
| } | ||
|
|
||
| module.exports = { | ||
| parseAllowedRepos, | ||
| getDefaultTargetRepo, | ||
| isRepoAllowed, | ||
| validateRepo, | ||
| validateTargetRepo, | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The |
||
| parseRepoSlug, | ||
| resolveTargetRepoConfig, | ||
| resolveAndValidateRepo, | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Smoke test push file - Run 22284305292 |
Uh oh!
There was an error while loading. Please reload this page.