Fix Claude Review error#100
Conversation
Signed-off-by: Quanyi Ma <[email protected]>
Claude finished @genedna's task in 1m 13s
Code Review
This PR makes two changes to

Security

allowed_non_write_users: "*"

This allows any GitHub user (including external contributors and the public) to trigger Claude via

The

Before: After: The new The original was restrictive by design — specifying only the minimum

Recommendation: Identify which specific tools caused the error and add only those to the allowlist rather than using open-ended wildcards. For example:

claude_args: |
  --allowedTools "mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api:*)"

Summary

The fix resolves the immediate error but trades specificity for permissiveness. For a workflow running with repository secrets, tightening the tool scope is recommended.
Pull request overview
This pull request modifies the Claude code review workflow to address errors, but makes two significant security-related changes that dramatically expand access and capabilities. The PR title suggests this is fixing an error, but the changes introduce new security considerations rather than simple bug fixes.
Changes:
- Added allowed_non_write_users: "*" to allow any user (including those without repository write access) to trigger Claude reviews
- Broadened the --allowedTools parameter from an explicit whitelist of specific commands to wildcard patterns that allow all GitHub MCP tools and all gh CLI commands
| with: | ||
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||
| allowed_non_write_users: "*" |
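Review bot: the added allowed_non_write_users: "*" at the bottom of this with: block carries no comment saying which non-write users need to trigger reviews, and it sits directly under the anthropic_api_key and github_token inputs that those users' runs will now consume. If external triggering is intended, replace the wildcard with an explicit list of logins and add a one-line comment with the rationale; if it is not, drop the line and let the action's default (write-access users) apply.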
Setting allowed_non_write_users to "*" allows anyone (including external contributors without write access) to trigger Claude code reviews by mentioning @claude in comments. This could enable malicious actors to:
- Trigger expensive Claude API calls, leading to cost abuse
- Potentially extract sensitive information from the codebase through carefully crafted prompts
- Use the workflow as a resource exhaustion vector
If this is intentional for an open-source project, consider adding rate limiting or restricting this to specific users/organizations instead of a wildcard. If not intentional, remove this line to use the default behavior which typically restricts triggering to users with write access.
| allowed_non_write_users: "*" |
| # Restrict tools that Claude can use during the review | ||
| claude_args: | | ||
| --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)" | ||
| --allowedTools "mcp__github__,mcp__github_inline_comment__,Bash(gh)" |
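Review bot: the replacement rule Bash(gh) on the last line drops both the subcommand and the :* prefix form that the removed line used (Bash(gh pr comment:*), Bash(gh pr diff:*), Bash(gh pr view:*)), and the comment two lines up, "# Restrict tools that Claude can use during the review", no longer describes what the list does. If a trailing wildcard was lost in rendering, restore it; either way keep the one-rule-per-subcommand prefix form and list only the gh subcommands the review needs, and update or remove the comment so it matches the list.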
The allowedTools parameter has been broadened from specific commands to wildcard patterns. The previous configuration explicitly restricted Claude to only:
- create_inline_comment for GitHub
- gh pr comment, gh pr diff, gh pr view for Bash
The new configuration allows:
- ALL mcp__github__ tools (not just inline comments)
- ALL mcp__github_inline_comment__ operations
- ALL gh commands (not just pr-related ones)
This significantly expands Claude's capabilities and could allow unintended actions like creating/deleting branches, merging PRs, modifying workflow files, or running arbitrary gh commands. The original restrictive approach was more secure. Unless there's a specific need for these additional capabilities, revert to the explicit whitelist or carefully enumerate only the required tools.
| --allowedTools "mcp__github__,mcp__github_inline_comment__,Bash(gh)" | |
| --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh(pr comment,pr diff,pr view))" |
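Review bot: the suggested Bash(gh(pr comment,pr diff,pr view)) is not the rule form used elsewhere in this file; the removed line expresses the same intent as three separate prefix rules, Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*). Apply those three rules rather than the nested form so the allowlist parses as the existing rules do.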
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ea558cee58
| # Restrict tools that Claude can use during the review | ||
| claude_args: | | ||
| --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)" | ||
| --allowedTools "mcp__github__,mcp__github_inline_comment__,Bash(gh)" |
Restrict Claude Bash access to specific gh subcommands
In the workflow section I inspected (.github/workflows/claude-review.yml), changing --allowedTools to Bash(gh) grants Claude access to run any GitHub CLI command, while this job’s token still has pull-requests: write, issues: write, and actions: write. That materially expands the blast radius from “review/comment” into repository mutation if the model is steered by untrusted PR content or prompt injection; the allowlist should stay scoped to the minimal gh subcommands required for review.
| with: | ||
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||
| allowed_non_write_users: "*" |
Remove wildcard non-writer allowlist for review trigger
Setting allowed_non_write_users: "*" in this pull_request_target review job opens invocation to all non-write users, including external contributors, while the run uses a write-scoped GITHUB_TOKEN and a paid Anthropic API key. This introduces an abuse path (cost amplification and write-capable automation by untrusted actors) that did not exist with a constrained allowlist, so the list should be explicit and limited to trusted users.
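The Claude, Copilot and Codex reviews above converge on the same two settings: the wildcard allowed_non_write_users and the broadened --allowedTools list. As an added example that is not part of this PR or the project, the script below audits a workflow fragment for both. It assumes the documented Claude Code rule forms (mcp__<server>__<tool> names one tool, mcp__<server> or mcp__<server>__* every tool on that server, Bash(cmd:*) is a prefix rule and Bash(cmd) an exact command) and uses regexes instead of a YAML parser so it runs with the standard library only. The two embedded fragments are constructed from the hunks and from the allowlist in the Claude recommendation, with the write permissions Codex mentions added; the audit also flags gh api:*, which the recommended list keeps, because that subcommand reaches any REST endpoint.

```python
"""Audit a claude-code-action workflow fragment for an open trigger and over-broad tool rules.

Added example, not the project's code. Rule semantics assumed from Claude Code's
documented permission syntax (see the lead-in); checks are regex-based on purpose.
"""
import re

# Constructed sample: the "after" side of the PR hunks on this page, plus the
# write scopes the Codex review mentions. The uses: line is not shown in the hunks.
PERMISSIVE = """\
permissions:
  pull-requests: write
  issues: write
  actions: write
with:
  anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
  github_token: ${{ secrets.GITHUB_TOKEN }}
  allowed_non_write_users: "*"
  claude_args: |
    --allowedTools "mcp__github__,mcp__github_inline_comment__,Bash(gh)"
"""

# Constructed sample: the allowlist from the Claude review's recommendation,
# with the wildcard trigger removed and actions: write dropped.
TIGHTENED = """\
permissions:
  pull-requests: write
  issues: write
with:
  anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
  github_token: ${{ secrets.GITHUB_TOKEN }}
  claude_args: |
    --allowedTools "mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api:*)"
"""

TOOLS_RE = re.compile(r'--allowedTools\s+"([^"]*)"')
TRIGGER_RE = re.compile(r'allowed_non_write_users:\s*"?([^"\n]*)"?')
WRITE_SCOPE_RE = re.compile(r"^\s*([a-z-]+):\s*write\s*$", re.M)


def allowed_tools(text):
    """Return the comma-separated rules inside --allowedTools "...", or [] if absent."""
    m = TOOLS_RE.search(text)
    return [r.strip() for r in m.group(1).split(",") if r.strip()] if m else []


def non_write_users(text):
    """Return the allowed_non_write_users value, or None when the input is not set."""
    m = TRIGGER_RE.search(text)
    return m.group(1).strip() if m else None


def write_scopes(text):
    """Return the permission keys granted 'write', sorted."""
    return sorted(WRITE_SCOPE_RE.findall(text))


def classify_rule(rule):
    """Return 'ok' for a rule scoped to one tool or gh subcommand, else the reason it is broad."""
    if rule.startswith("mcp__"):
        parts = [p for p in rule.split("__") if p]  # expected: mcp, server, tool
        if len(parts) < 3 or parts[-1] == "*":
            return "broad: matches every tool the MCP server exposes"
        return "ok"
    m = re.fullmatch(r"Bash\((.*)\)", rule)
    if not m:
        return "unrecognised rule form"
    cmd = m.group(1)
    tokens = cmd[:-2].split() if cmd.endswith(":*") else cmd.split()
    if tokens[:1] == ["gh"]:
        if tokens[1:2] == ["api"]:
            return "broad: gh api reaches any REST endpoint, including mutating ones"
        if len(tokens) < 3:
            # 'gh' or 'gh pr' alone also covers merge, close, edit, release, workflow runs
            return "broad: gh without a command and subcommand"
    return "ok"


def audit(text):
    """Return one finding per over-broad setting; an empty list means nothing was flagged."""
    findings = []
    users = non_write_users(text)
    if users == "*":
        findings.append("allowed_non_write_users is '*': any GitHub account can trigger the job")
    for rule in allowed_tools(text):
        verdict = classify_rule(rule)
        if verdict != "ok":
            findings.append(f"{rule}: {verdict}")
    scopes = write_scopes(text)
    if users == "*" and scopes:
        findings.append("wildcard trigger combined with write scopes: " + ", ".join(scopes))
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE), ("tightened", TIGHTENED)):
        print(name)
        for finding in audit(text) or ["no findings"]:
            print("  -", finding)
```

Run it as a pre-merge check on .github/workflows/claude-review.yml; the permissive fragment produces five findings (the open trigger, three broad rules, and the trigger-plus-write-scope combination), while the tightened fragment produces only the gh api:* finding, which is the one item on the recommended list a reviewer would still want justified.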