[DNM] fix(security): backport v0.48.0 fixes to v0.27.x #2763
Validate GitHub App webhook payloads before minting tokens and avoid trusting a forged enterprise host header. Also include the upstream App token scoping and remote-resource deep-copy fixes needed for the same supported release stream.
Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>

Download the branch-compatible golangci-lint binary into tmp and use it from make lint-go. Pin GOTOOLCHAIN for local make targets and PAC Go steps so linting does not drift with the host Go installation.
Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>
Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>
Signed-off-by: Shubham Bhardwaj <shubbhar@redhat.com>
Code Review
This pull request introduces several security and configuration improvements, notably validating GitHub App webhook signatures and verifying that the enterprise host matches the payload before minting tokens to prevent credential exfiltration. It also updates the Go toolchain to 1.21.13, pins golangci-lint to v1.59.1, and updates the go-jose dependency to address vulnerabilities. Additionally, it resolves potential data races in remote task resolution by deep-copying tasks and pipelines. The review feedback highlights a critical issue in pkg/provider/github/app/token.go where a nil pointer dereference could occur if ip.ghClient is nil, and suggests a safe guard to prevent a potential panic.
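The two checks the summary describes, signature validation of the webhook body and a host match between the payload and the configured API URL before any installation token is requested, are shown below as an added, self-contained Go example. It is not code from Pipelines-as-Code; the `Config`, `TokenRequest` and `AuthorizeTokenMint` names, the use of `repository.html_url` as the payload host to compare, and the `api.github.com` to `github.com` mapping are assumptions made for the illustration. The nil guard on `APIURL` mirrors the point raised in the review comment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Config is a hypothetical stand-in for the provider settings a webhook
// handler holds: the App webhook secret and the configured API base URL.
type Config struct {
	WebhookSecret []byte
	APIURL        *url.URL // nil when the provider client was never configured
}

// TokenRequest is what a handler would hand to the token-minting step once the
// payload is trusted. No token is actually minted in this example.
type TokenRequest struct {
	InstallationID int64
	APIHost        string
}

var (
	ErrNoAPIURL     = errors.New("github client or its APIURL is nil")
	ErrBadSignature = errors.New("webhook signature does not match body")
	ErrHostMismatch = errors.New("payload host does not match configured API host")
)

// SignBody computes the X-Hub-Signature-256 value for a body; used here only
// to build the constructed sample requests.
func SignBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifyWebhookSignature checks the header against the raw body using a
// constant-time comparison, so a forged body is rejected before it is parsed.
func VerifyWebhookSignature(secret, body []byte, header string) error {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return fmt.Errorf("missing or malformed X-Hub-Signature-256 header")
	}
	want, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return fmt.Errorf("signature is not hex: %w", err)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	if !hmac.Equal(want, mac.Sum(nil)) {
		return ErrBadSignature
	}
	return nil
}

// expectedRepoHost maps the configured API host to the host repository URLs in
// the payload should carry. github.com's API is served from api.github.com; an
// enterprise server is assumed to serve both from the same host.
func expectedRepoHost(apiURL *url.URL) string {
	if h := strings.ToLower(apiURL.Hostname()); h != "api.github.com" {
		return h
	}
	return "github.com"
}

// webhookPayload holds only the fields the checks below need.
type webhookPayload struct {
	Installation struct{ ID int64 `json:"id"` }          `json:"installation"`
	Repository   struct{ HTMLURL string `json:"html_url"` } `json:"repository"`
}

// AuthorizeTokenMint runs the gates that must pass before an installation token
// is requested: client configured, body authentically from GitHub, and the host
// named in the payload equal to the one the client is configured to talk to.
func AuthorizeTokenMint(cfg Config, body []byte, sigHeader string) (TokenRequest, error) {
	if cfg.APIURL == nil {
		return TokenRequest{}, ErrNoAPIURL
	}
	if err := VerifyWebhookSignature(cfg.WebhookSecret, body, sigHeader); err != nil {
		return TokenRequest{}, err
	}
	var p webhookPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return TokenRequest{}, fmt.Errorf("decoding payload: %w", err)
	}
	if p.Installation.ID == 0 {
		return TokenRequest{}, errors.New("payload has no installation id")
	}
	repoURL, err := url.Parse(p.Repository.HTMLURL)
	if err != nil || repoURL.Hostname() == "" {
		return TokenRequest{}, errors.New("payload repository html_url is missing or invalid")
	}
	if !strings.EqualFold(repoURL.Hostname(), expectedRepoHost(cfg.APIURL)) {
		return TokenRequest{}, ErrHostMismatch
	}
	return TokenRequest{InstallationID: p.Installation.ID, APIHost: cfg.APIURL.Hostname()}, nil
}

func main() {
	// Constructed sample: an enterprise deployment, one genuine payload and one
	// whose repository host points somewhere else.
	secret := []byte("constructed-webhook-secret")
	apiURL, _ := url.Parse("https://ghe.example.internal/api/v3")
	cfg := Config{WebhookSecret: secret, APIURL: apiURL}
	good := []byte(`{"installation":{"id":4242},"repository":{"html_url":"https://ghe.example.internal/org/repo"}}`)
	forged := []byte(`{"installation":{"id":4242},"repository":{"html_url":"https://other.example/org/repo"}}`)

	fmt.Println(AuthorizeTokenMint(cfg, good, SignBody(secret, good)))     // ok
	fmt.Println(AuthorizeTokenMint(cfg, forged, SignBody(secret, good)))   // tampered body
	fmt.Println(AuthorizeTokenMint(cfg, forged, SignBody(secret, forged))) // wrong host
	fmt.Println(AuthorizeTokenMint(Config{WebhookSecret: secret}, good, SignBody(secret, good)))
}
```

The order of the checks matters: the nil guard and the HMAC check both run before the body is decoded, so an unconfigured client or an unsigned request never reaches the JSON parser, and the host comparison is applied to a body that has already been authenticated rather than to any header the sender controls.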
pkg/provider/github/app/token.go:

```go
if ip.ghClient.APIURL == nil {
	return "", "", 0, fmt.Errorf("github client APIURL is nil")
}
```
A potential nil pointer dereference can occur if ip.ghClient is nil. Accessing ip.ghClient.APIURL directly will cause a panic. We should guard against ip.ghClient being nil before checking ip.ghClient.APIURL.
Suggested change:

```diff
-if ip.ghClient.APIURL == nil {
-	return "", "", 0, fmt.Errorf("github client APIURL is nil")
-}
+if ip.ghClient == nil || ip.ghClient.APIURL == nil {
+	return "", "", 0, fmt.Errorf("github client or its APIURL is nil")
+}
```
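Review bot: the suggested guard is the right fix for the panic, but it should land together with a unit test in the same backport: one case with ip.ghClient nil and one with ip.ghClient.APIURL nil, each asserting the error return rather than a panic. The submitter checklist in this PR asks for unit tests on changed code, and a release branch that receives only backports is exactly where an untested nil path would otherwise go unnoticed.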
Changes
[DNM] Backport of the security fixes released in v0.48.0 to release-v0.27.x.

This PR backports the public security hardening from v0.48.0:
- ?secret= values are not written to stdout.

How this backport was done:
- release-v0.27.x in a dedicated worktree.
- make lint-go uses the same known-good linter binary from tmp/.
- go-jose/v3 to v3.0.5.

Validation run locally:
- make test
- make lint-go
- go test ./pkg/adapter after the incoming webhook log redaction backport
- git diff --check

Full pre-push hooks were not used for the final push because this older release branch has pre-existing markdownlint failures unrelated to this backport. The Go-focused validation above passed locally.
Submitter Checklist
📝 Please ensure your commit message is clear and informative. For guidance on crafting effective commit messages, refer to the How to write a git commit message guide. We prefer the commit message to be included in the PR body itself rather than a link to an external website (i.e., a Jira ticket).
♽ Before submitting a PR, run make test lint to avoid unnecessary CI processing. For an even more efficient workflow, consider installing pre-commit and running pre-commit install in the root of this repository.
✨ We use linters to maintain clean and consistent code. Please ensure you've run make lint before submitting a PR. Some linters offer a --fix mode, which can be executed with the command make fix-linters (ensure markdownlint and golangci-lint tools are installed first).
📖 If you're introducing a user-facing feature or changing existing behavior, please ensure it's properly documented.
🧪 While 100% coverage isn't a requirement, we encourage unit tests for any code changes where possible.
🎁 If feasible, please check if an end-to-end test can be added. See README for more details.
🔎 If there's any flakiness in the CI tests, don't necessarily ignore it. It's better to address the issue before merging, or provide a valid reason to bypass it if fixing isn't possible (e.g., token rate limitations).