Skip to content

fix(github): require repo stats allowlist#4978

Open
JSONbored wants to merge 3 commits into
mainfrom
codex/fix-github-public-repo-stats-vulnerability
Open

fix(github): require repo stats allowlist#4978
JSONbored wants to merge 3 commits into
mainfrom
codex/fix-github-public-repo-stats-vulnerability

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • Prevent the unauthenticated public GitHub repo-stats route from proxying arbitrary owner/repo pairs using the deployment GITHUB_PUBLIC_TOKEN, which could expose metadata or exhaust shared token quota.
  • Make the safer default behavior explicit: only repos listed in PUBLIC_REPO_STATS_ALLOWLIST may be requested by the public endpoint.

Description

  • Require allowlist membership unconditionally in publicRepoFullName(...) so an empty/unset PUBLIC_REPO_STATS_ALLOWLIST no longer permits all repos (change in src/github/public.ts).
  • Update environment documentation to state that unset PUBLIC_REPO_STATS_ALLOWLIST denies all unauthenticated repo-stats requests (change in src/env.d.ts).
  • Add a narrow hosted-worker default allowlist entry for JSONbored/gittensory and regenerate Cloudflare/OpenAPI artifacts to keep deployment defaults consistent (changes in wrangler.jsonc, worker-configuration.d.ts, src/openapi/spec.ts, and apps/gittensory-ui/public/openapi.json).
  • Update integration tests to cover the new behavior and normalization: deny when the allowlist is unset, accept normalized entries, and ensure no GitHub fetch occurs for denied requests (change in test/integration/api.test.ts).

Testing

  • Ran the engine build with npm --workspace @jsonbored/gittensory-engine run build and it completed successfully.
  • Ran the targeted integration suite with npx vitest run test/integration/api.test.ts -t "public GitHub repo stats" --reporter=verbose and the updated tests for the public GitHub repo stats passed (5 passed, other unrelated tests skipped as expected).
  • Ran npm run ui:openapi:check, npm run cf-typegen:check, and npm run typecheck to verify regenerated artifacts and types, and all checks succeeded.

Codex Task

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 11, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
gittensory-ui ad39b5d Commit Preview URL

Branch Preview URL
Jul 11 2026, 01:10 PM

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

…ult-deny allowlist

Two tests in test/integration/api.test.ts called the public repo-stats route
without configuring PUBLIC_REPO_STATS_ALLOWLIST, relying on the old "unset
allowlist = allow any repo" behavior this PR intentionally removes (unset now
denies all, closing the unauthenticated-proxy gap). Added an explicit allowlist
entry to each so they keep testing their own actual concern (GITHUB_PUBLIC_TOKEN
absence; transient-error stale-cache fallback) independently of the new
allowlist requirement, rather than being confounded by it.

Also resolves the rebase onto current main (a real content conflict in the
allowlist test naming, and a mechanical worker-configuration.d.ts regeneration).
@JSONbored JSONbored force-pushed the codex/fix-github-public-repo-stats-vulnerability branch from b691d04 to ad39b5d Compare July 11, 2026 13:09
@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.18%. Comparing base (a21a8ad) to head (0007408).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4978   +/-   ##
=======================================
  Coverage   94.18%   94.18%           
=======================================
  Files         468      468           
  Lines       39608    39608           
  Branches    14448    14448           
=======================================
  Hits        37306    37306           
  Misses       1646     1646           
  Partials      656      656           
Flag Coverage Δ
shard-1 46.47% <0.00%> (-0.01%) ⬇️
shard-2 33.58% <0.00%> (-0.27%) ⬇️
shard-3 31.39% <0.00%> (-0.82%) ⬇️
shard-4 32.69% <0.00%> (+0.73%) ⬆️
shard-5 33.21% <0.00%> (-0.10%) ⬇️
shard-6 45.18% <100.00%> (+0.21%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
src/github/public.ts 98.59% <100.00%> (ø)
src/openapi/spec.ts 99.42% <ø> (ø)
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 11, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 11, 2026

Copy link
Copy Markdown

Caution

🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥

🛑 Gittensory review result - fixes required

Review updated: 2026-07-12 01:09:56 UTC

7 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI failing · blocked

🛑 Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

Review summary
This PR tightens `publicRepoFullName` in src/github/public.ts so an unset/empty `PUBLIC_REPO_STATS_ALLOWLIST` now denies all requests instead of allowing any owner/repo, closing a real exposure where the unauthenticated public repo-stats route could proxy arbitrary GitHub API calls using the deployment's server-side `GITHUB_PUBLIC_TOKEN`. The fix is at the correct layer (the allowlist check itself), regenerated artifacts (wrangler.jsonc, worker-configuration.d.ts, openapi.json, spec.ts) stay consistent with the new hosted-worker allowlist entry, and the updated integration tests exercise the real denied/allowed paths (asserting `fetch` is never called on denial) rather than fabricating unreachable states.

Nits — 5 non-blocking

Why this is blocked

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

CI checks failing

  • validate
  • validate-code
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 45 registered-repo PR(s), 37 merged, 415 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 45 PR(s), 415 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ✅ Minor risk: clean · value: minor — Code changes are accompanied by test evidence.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: Python, TypeScript, Ruby, Go, JavaScript, MDX, Shell, Solidity
  • Official Gittensor activity: 45 PR(s), 415 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

Visual preview
Route Viewport Before (production) After (this PR's preview) Diff
/ desktop before / after /
/ mobile before / (mobile) after / (mobile)

Click any thumbnail to open the full-size screenshot. Before = production · After = this PR's preview deploy.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 11, 2026
…tion.d.ts

The prior regeneration (via npm run cf-typegen, resolving the rebase conflict)
pulled in ~176 lines of unrelated drift from this local machine's wrangler/
workerd cache being out of sync with whatever last regenerated main's copy.
Reset to origin/main's exact file, then hand-inserted just the one new binding
this PR's wrangler.jsonc change actually needs (PUBLIC_REPO_STATS_ALLOWLIST,
in both the literal-value interface and the sorted ProcessEnv union), mirroring
the exact declaration position/format of the adjacent existing entries.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aardvark codex gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant