YASH
Date: 2026-06-20
Target used for live checks: salemove/github-review-helper on http://localhost:4567/
Important: rotate the token that was pasted into chat before using it again. The reproduction below does not require a GitHub token and does not call merge, squash, status creation, deletion, or comment-writing paths.
| ID | Result | Reportable? | Notes |
|---|---|---|---|
| VULN-001 | Valid | Yes | Authorization checks the PR author, not the comment author. |
| VULN-013 | Valid | Yes | Request body is fully read before auth and has no size limit. |
| VULN-006 | Valid behavior, lower impact | Maybe | SHA-256 webhook signatures are rejected; SHA-1 only. |
| VULN-010 | Weak / mostly informational | No or low | Error messages are mostly generic; impact is overstated. |
| VULN-002 | Not proven as written | No | The PoC sends head.ref, but the parser ignores it; real refs are constrained. |
| VULN-003 | Valid reliability bug | Maybe | Process-global GIT_SEQUENCE_EDITOR can race across concurrent repo operations. |
| VULN-004 | Not valid under real GitHub events | No | Injection requires synthetic repo/SHA fields that valid GitHub events do not allow. |
Run:
C:\Users\bolig\.cache\codex-runtimes\codex-primary-runtime\dependencies\python\python.exe .\poc\verified_repro.pyObserved locally:
sha1_valid_ping: status=200 body='Not an event I understand. Ignoring.'
sha256_only_ping: status=401 body='Please provide a X-Hub-Signature\n'
missing_signature: status=401 body='Please provide a X-Hub-Signature\n'
bad_signature: status=403 body='Bad X-Hub-Signature\n'
malformed_json_after_valid_hmac: status=500 body="Failed to parse the request's body\n"
preauth_large_bad_sig_32mib: status=403 body='Bad X-Hub-Signature\n'
The 32 MiB invalid-signature request receiving 403 Bad X-Hub-Signature
confirms the body was read and HMAC-processed before authentication rejected it.
Status: valid.
Root cause:
parsers.goparses onlycomment.body; it does not parsecomment.user.login.IssueComment.User.Loginis populated frommessage.Issue.User.Login, which is the PR/issue author.main.gothen callscheckUserAuthorization(issueComment, ...).checkUserAuthorizationcallsisCollaborator(issueComment.Repository, issueComment.User, ...).
Impact:
An attacker who can comment on a PR can issue !check, !squash, or !merge
on PRs authored by a collaborator, because the collaborator check is performed
against the PR author instead of the commenter.
Safe proof:
Use a GitHub issue_comment payload where:
issue.user.loginis a collaborator.comment.user.loginis a non-collaborator.comment.bodyis!check,!squash, or!merge.
Expected vulnerable behavior:
The bot checks collaborator status for issue.user.login, never
comment.user.login.
Status: valid.
Root cause:
main.gocallsioutil.ReadAll(r.Body).- Authentication is checked only after the whole body has been read.
- There is no
http.MaxBytesReader,io.LimitReader, reverse-proxy limit, or app-level content-length check in the handler.
Live proof:
An unauthenticated 32 MiB request with an invalid HMAC returned
403 Bad X-Hub-Signature, showing the body was accepted into the HMAC path
before rejection.
Impact:
An unauthenticated client can send very large request bodies and force memory allocation and HMAC work before any signature rejection happens.
Status: confirmed behavior, impact lower than the original PoC says.
Root cause:
authentication.goreads onlyX-Hub-Signature.- It parses only the
sha1=format. - It never checks
X-Hub-Signature-256.
Live proof:
- Valid SHA-1 signature:
200. - Valid SHA-256-only signature:
401 Please provide a X-Hub-Signature.
Impact:
This is a compatibility and security-hardening issue. It does not by itself let
an attacker forge webhook requests, but the app should support GitHub's
recommended X-Hub-Signature-256 header.
Status: weak / mostly informational.
Live proof:
The app exposes distinct responses for missing signature, bad signature, and malformed JSON:
Please provide a X-Hub-SignatureBad X-Hub-SignatureFailed to parse the request's body
Assessment:
These messages reveal control-flow state, but not secrets. The original PoC overstates this as a standalone vulnerability. It may be worth cleaning up, but it is probably not a strong bug-bounty report on its own.
Status: not proven as written.
Why the PoC is wrong:
- The
pull_requestparser does not readpull_request.head.ref. parsePullRequestEventkeeps onlyhead.shaandhead.repo.- The squash path later calls
AutosquashAndPush("origin/"+baseRef, headSHA, headRef), whereheadRefcomes from the GitHub PR API, not the webhook field used by the PoC. - The rebase argument uses the head SHA, not the branch name.
- The push destination is passed as
"@:"+destinationRef, which does not begin with-.
Additional constraint:
git check-ref-format --branch rejects branch shorthands such as --exec=id
and -oProxyCommand=x.
Residual note:
Adding -- before user-derived refs is still good defensive hardening, but the
submitted PoC does not demonstrate an exploitable issue.
Status: valid reliability bug, security impact depends on who can trigger concurrent squash operations.
Root cause:
git/git.gousesos.Setenv("GIT_SEQUENCE_EDITOR", "true").- That environment variable is process-global.
- The lock is per
repo, so operations on different repos can run concurrently.
Impact:
Two concurrent autosquash operations for different repos can interfere. One
operation can unset GIT_SEQUENCE_EDITOR while another operation is between
setting the variable and starting git rebase --interactive, causing the second
operation to fail or hang waiting for an editor.
Better fix:
Set the environment on the exec.Cmd instance for that single git process
instead of changing the process-global environment.
Status: not valid under real GitHub webhook constraints.
Why:
- The query is built from status event
sha, repository owner, and repository name. - Real GitHub SHAs are hex strings.
- Real GitHub repository owners/names cannot contain the spaces and search
operators used by the PoC, such as
is:merged status:failure. - A synthetic HMAC-signed payload can inject these fields only if the webhook secret is already known. At that point the attacker already has webhook forgery capability.
Assessment:
It is reasonable to validate or quote query components defensively, but the PoC does not show a practical external vulnerability.
- Report VULN-001 as the strongest issue.
- Report VULN-013 as a real unauthenticated DoS risk.
- Include VULN-006 as hardening/compatibility, preferably as a separate lower severity issue.
- Mention VULN-003 only if the program accepts reliability/DoS reports.
- Do not submit VULN-002, VULN-004, or VULN-010 as standalone high-severity findings without stronger evidence.