Skip to content

🛡️ Sentinel: [HIGH] Fix Argument Injection in PR merge scheduler #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
seonghobae wants to merge 1 commit into
base: develop
Choose a base branch
from
+13 −2
Open

🛡️ Sentinel: [HIGH] Fix Argument Injection in PR merge scheduler #94

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,3 +36,7 @@
**Vulnerability:** The VibeSec scanner lacked explicit mapping to standard vulnerability frameworks (like OWASP Top 10) and relied on manual invocation, meaning vulnerabilities could easily bypass detection and be committed by developers or AI agents (like Claude Code or Codex).
**Learning:** To enforce security guardrails effectively, static analysis tools should intercept the workflow at commit time. Mapping findings to OWASP categories improves the clarity and actionability of the scanner output.
**Prevention:** Updated `SCAN_RULES` messages to include relevant OWASP classifications (e.g., A01, A03). Added a `vibesec hook` command that automatically installs a `pre-commit` script to block commits if critical or high vulnerabilities are detected.
## 2024-06-17 - Prevent Argument Injection in CI Script
**Vulnerability:** Argument Injection when passing `pr["number"]` directly to `gh` CLI.
**Learning:** External IDs should be explicitly cast to expected types (e.g., `int`) and validated before passing them to CLI commands via `subprocess`.
**Prevention:** Explicitly validate numeric inputs by casting to an integer and checking boundaries (e.g., `> 0`) before converting to a string for subprocess calls.
11 changes: 9 additions & 2 deletions scripts/ci/pr_review_merge_scheduler.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -180,8 +180,15 @@ def has_current_head_changes_requested(pr: dict[str, Any]) -> bool:
return current_head_review_state(pr, "CHANGES_REQUESTED")


def _validate_pr_number(number: Any) -> str:
number_int = int(number)
if number_int <= 0:
raise ValueError("PR number must be positive")
return str(number_int)
Comment on lines +183 to +187


def enable_auto_merge(repo: str, pr: dict[str, Any], *, dry_run: bool) -> None:
number = str(pr["number"])
number = _validate_pr_number(pr["number"])
head = pr["headRefOid"]
if dry_run:
return
Expand All @@ -202,7 +209,7 @@ def dispatch_opencode_review(repo: str, workflow: str, pr: dict[str, Any], *, dr
"--ref",
pr["baseRefName"],
"-f",
f"pr_number={pr['number']}",
f"pr_number={_validate_pr_number(pr['number'])}",
"-f",
f"pr_base_ref={pr['baseRefName']}",
"-f",
Expand Down
Loading