Sanitize and lockdown-gate issue_read get_parent title#2780
Open
zwick wants to merge 2 commits into
Open
Conversation
GetIssueParent returned the parent issue title raw and ungated by lockdown mode, so an agent could read an unverified, possibly cross-repo parent title even with lockdown enabled. Always sanitize the parent title and, under lockdown mode, only return the parent when its author has push access to the parent repository, failing closed otherwise. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR closes a security/lockdown gap in issue_read’s get_parent method by ensuring the parent issue title is sanitized and (when lockdown mode is enabled) only returned if the parent author’s content can be verified as safe via push-access checks.
Changes:
- Thread
ToolDependenciesintoGetIssueParentand gate parent emission under lockdown usingRepoAccessCache.IsSafeContent. - Sanitize the returned parent issue
titleunconditionally (parent may be cross-repo). - Expand the GraphQL selection to include the parent author login and add unit tests for lockdown ON/OFF behavior.
Show a summary per file
| File | Description |
|---|---|
| pkg/github/issues.go | Adds sanitization + lockdown safe-content gating to GetIssueParent and threads deps into the handler. |
| pkg/github/issues_test.go | Updates mocked GraphQL shape and adds lockdown-mode test coverage for get_parent. |
Review details
- Files reviewed: 2/2 changed files
- Comments generated: 2
- Review effort level: Low
Embed a U+202E BiDi control char in the mocked parent title so the happy-path assertion fails if Sanitize is removed, and tighten the GetIssueParent comments. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes a pre-existing gap where
issue_readget_parentreturned the parent issue'stitleraw — unsanitized and not gated by lockdown mode at all.Why
Found while reviewing #2764 (which adds parent-issue hierarchy to
issue_readgetand gates the parent reference under lockdown). The siblingget_parenthandler (GetIssueParent) had no such protection, so an agent could read an unverified, possibly cross-repo parent title even with lockdown enabled. This is onmaintoday, independent of #2764, so it's intentionally a separate, minimal PR rather than folded into #2764.What changed
sanitize.Sanitizethe parent title (the parent may be cross-repo).cache.IsSafeContent), mirroringGetIssue; otherwise omit it ({"parent": null}), failing closed.ToolDependenciesintoGetIssueParent.MCP impact
get_parentparent title is now sanitized and gated under lockdown mode. No schema/description change (toolsnap unchanged).Prompts tested (tool changes only)
Security / limits
Tool renaming
Lint & tests
./script/lint./script/testDocs