fix: prevent race condition on issue/PR body edits#710
Conversation
Add trigger-time validation for issue/PR body content to prevent attackers from exploiting a race condition where they edit the body between when an authorized user triggers @claude and when Claude processes the request. The existing filterCommentsToTriggerTime() already protected comments - this extends the same pattern to the main issue/PR body via isBodySafeToUse(). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Code Review SummaryI've completed a comprehensive review of PR #710 using specialized agents for code quality, performance, security, test coverage, and documentation. Overall, this is an excellent PR that implements critical TOCTOU protection with strong test coverage and clear documentation. Security Assessment ✅The TOCTOU (Time-of-Check-Time-of-Use) protection is well-designed and effectively prevents race condition attacks where malicious actors could edit issue/PR bodies after an authorized user triggers Claude. The implementation:
One medium-severity security issue identified: Invalid timestamp handling could bypass protection if malformed data is received. See inline comment for details. Performance Assessment ✅
The security protection actually improves performance by preventing unnecessary image downloads from malicious content. Test Coverage Assessment ✅Excellent test suite with 249 new lines covering:
Recommendations: Add tests for invalid timestamp handling and security warning verification (see inline comments). Code Quality Assessment ✅
Documentation Assessment ✅Documentation is comprehensive and accurate. The JSDoc and inline comments effectively explain the race condition protection logic. Minor improvement suggested: add complete JSDoc parameters to Action ItemsRequired before merge:
Recommended enhancements: See inline comments for specific implementation suggestions. |
…#710) Add trigger-time validation for issue/PR body content to prevent attackers from exploiting a race condition where they edit the body between when an authorized user triggers @claude and when Claude processes the request. The existing filterCommentsToTriggerTime() already protected comments - this extends the same pattern to the main issue/PR body via isBodySafeToUse(). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>
Issue/PR comments (anthropics#512) and the issue/PR body (anthropics#710) are filtered to the trigger timestamp so content created or edited after an authorized trigger cannot be injected into Claude's prompt (TOCTOU protection). Reviews and inline review comments were not: fetchGitHubData returned reviewData filtered by actor only, and formatReviewComments renders it into the prompt, so a review submitted or edited after the trigger reached Claude verbatim. filterReviewsToTriggerTime already existed (added alongside the comment filter in anthropics#512) but was only wired to the image-download list, never to the returned reviewData. Apply filterReviewsToTriggerTime to reviewData.nodes and filterCommentsToTriggerTime to each review's inline comments, alongside the existing actor filter. Strengthen the two integration tests to assert that post-trigger and edited-after reviews/comments are dropped.
Issue/PR comments (anthropics#512) and the issue/PR body (anthropics#710) are filtered to the trigger timestamp so content created or edited after an authorized trigger cannot be injected into Claude's prompt (TOCTOU protection). Reviews and inline review comments were not: fetchGitHubData returned reviewData filtered by actor only, and formatReviewComments renders it into the prompt, so a review submitted or edited after the trigger reached Claude verbatim. filterReviewsToTriggerTime already existed (added alongside the comment filter in anthropics#512) but was only wired to the image-download list, never to the returned reviewData. Filter reviewData.nodes through filterReviewsToTriggerTime and each review's inline comments through filterCommentsToTriggerTime, alongside the existing actor filter, then build the review image-processing lists from those already-filtered nodes (removing a now-redundant second filter pass). Strengthen the two integration tests to assert post-trigger and edited-after reviews/comments are dropped.
Issue/PR comments (anthropics#512) and the issue/PR body (anthropics#710) are filtered to the trigger timestamp so content created or edited after an authorized trigger cannot be injected into Claude's prompt (TOCTOU protection). Reviews and inline review comments were not: fetchGitHubData returned reviewData filtered by actor only, and formatReviewComments renders it into the prompt, so a review submitted or edited after the trigger reached Claude verbatim. filterReviewsToTriggerTime already existed (added alongside the comment filter in anthropics#512) but was only wired to the image-download list, never to the returned reviewData. Filter reviewData.nodes through filterReviewsToTriggerTime and each review's inline comments through filterCommentsToTriggerTime, alongside the existing actor filter, then build the review image-processing lists from those already-filtered nodes (removing a now-redundant second filter pass). Strengthen the two integration tests to assert post-trigger and edited-after reviews/comments are dropped.
) Issue/PR comments (#512) and the issue/PR body (#710) are filtered to the trigger timestamp so content created or edited after an authorized trigger cannot be injected into Claude's prompt (TOCTOU protection). Reviews and inline review comments were not: fetchGitHubData returned reviewData filtered by actor only, and formatReviewComments renders it into the prompt, so a review submitted or edited after the trigger reached Claude verbatim. filterReviewsToTriggerTime already existed (added alongside the comment filter in #512) but was only wired to the image-download list, never to the returned reviewData. Filter reviewData.nodes through filterReviewsToTriggerTime and each review's inline comments through filterCommentsToTriggerTime, alongside the existing actor filter, then build the review image-processing lists from those already-filtered nodes (removing a now-redundant second filter pass). Strengthen the two integration tests to assert post-trigger and edited-after reviews/comments are dropped.
Add trigger-time validation for issue/PR body content to prevent attackers from exploiting a race condition where they edit the body between when an authorized user triggers @claude and when Claude processes the request.
The existing filterCommentsToTriggerTime() already protected comments - this extends the same pattern to the main issue/PR body via isBodySafeToUse().
🤖 Generated with Claude Code