fix(providers): restrict comment editing to PAC-owned comments

theakshaypant · theakshaypant · commit 58cdfb72e20e · 2026-02-18T16:08:08.000+05:30
Add check to ensure PAC only edits comments created by its own credentials, preventing accidental modification of comments from other users or bot accounts. Jira: https://issues.redhat.com/browse/SRVKP-10857 Signed-off-by: Akshay Pant <akshay.akshaypant@gmail.com> Assisted-by: Claude Sonnet 4.5 (via Claude Code)
diff --git a/pkg/provider/gitea/gitea.go b/pkg/provider/gitea/gitea.go
@@ -64,6 +64,7 @@ type Provider struct {
 	eventEmitter *events.EventEmitter
 	run          *params.Run
 	triggerEvent string
+	pacUserID    int64 // user login used by PAC
 }
 
 func (v *Provider) Client() *forgejo.Client {
@@ -93,6 +94,15 @@ func (v *Provider) CreateComment(_ context.Context, event *info.Event, commit, u
 
 	// List comments of the PR
 	if updateMarker != "" {
+		// Get the UserID for the PAC user.
+		if v.pacUserID == 0 {
+			pacUser, _, err := v.Client().GetMyUserInfo()
+			if err != nil {
+				return fmt.Errorf("unable to fetch user info: %w", err)
+			}
+			v.pacUserID = pacUser.ID
+		}
+
 		comments, _, err := v.Client().ListIssueComments(event.Organization, event.Repository, int64(event.PullRequestNumber), forgejo.ListIssueCommentOptions{})
 		if err != nil {
 			return err
@@ -101,6 +111,14 @@ func (v *Provider) CreateComment(_ context.Context, event *info.Event, commit, u
 		re := regexp.MustCompile(updateMarker)
 		for _, comment := range comments {
 			if re.MatchString(comment.Body) {
+				// Only edit comments created by this PAC installation's credentials.
+				// Prevents accidentally modifying comments from other users/bots.
+				if comment.Poster.ID != v.pacUserID {
+					v.Logger.Debugf("Skipping comment %d: created by user ID %d, PAC user ID is %d",
+						comment.ID, comment.Poster.ID, v.pacUserID)
+					continue
+				}
+
 				_, _, err := v.Client().EditIssueComment(event.Organization, event.Repository, comment.ID, forgejo.EditIssueCommentOption{
 					Body: commit,
 				})
diff --git a/pkg/provider/gitea/gitea_test.go b/pkg/provider/gitea/gitea_test.go
@@ -781,9 +781,12 @@ func TestCreateComment(t *testing.T) {
 			commit:       "Updated Comment",
 			updateMarker: "MARKER",
 			mockResponses: map[string]func(rw http.ResponseWriter, _ *http.Request){
+				"/user": func(rw http.ResponseWriter, _ *http.Request) {
+					fmt.Fprint(rw, `{"id": 100, "login": "pac-user"}`)
+				},
 				"/repos/org/repo/issues/123/comments": func(rw http.ResponseWriter, r *http.Request) {
 					if r.Method == http.MethodGet {
-						fmt.Fprint(rw, `[{"id": 555, "body": "MARKER"}]`)
+						fmt.Fprint(rw, `[{"id": 555, "body": "MARKER", "user": {"id": 100}}]`)
 						return
 					}
 				},
@@ -800,15 +803,42 @@ func TestCreateComment(t *testing.T) {
 			commit:       "New Comment",
 			updateMarker: "MARKER",
 			mockResponses: map[string]func(rw http.ResponseWriter, _ *http.Request){
+				"/user": func(rw http.ResponseWriter, _ *http.Request) {
+					fmt.Fprint(rw, `{"id": 100, "login": "pac-user"}`)
+				},
+				"/repos/org/repo/issues/123/comments": func(rw http.ResponseWriter, r *http.Request) {
+					if r.Method == http.MethodGet {
+						fmt.Fprint(rw, `[{"id": 555, "body": "NO_MATCH", "user": {"id": 200}}]`)
+						return
+					}
+					assert.Equal(t, r.Method, http.MethodPost)
+					rw.WriteHeader(http.StatusCreated)
+					fmt.Fprint(rw, `{}`)
+				},
+			},
+		},
+		{
+			name:         "skip comment from different user and create new",
+			event:        &info.Event{Organization: "org", Repository: "repo", PullRequestNumber: 123},
+			commit:       "Updated Comment",
+			updateMarker: "MARKER",
+			mockResponses: map[string]func(rw http.ResponseWriter, _ *http.Request){
+				"/user": func(rw http.ResponseWriter, _ *http.Request) {
+					fmt.Fprint(rw, `{"id": 100, "login": "pac-user"}`)
+				},
 				"/repos/org/repo/issues/123/comments": func(rw http.ResponseWriter, r *http.Request) {
 					if r.Method == http.MethodGet {
-						fmt.Fprint(rw, `[{"id": 555, "body": "NO_MATCH"}]`)
+						fmt.Fprint(rw, `[{"id": 555, "body": "Old MARKER", "user": {"id": 999}}]`)
 						return
 					}
 					assert.Equal(t, r.Method, http.MethodPost)
 					rw.WriteHeader(http.StatusCreated)
 					fmt.Fprint(rw, `{}`)
 				},
+				"/repos/org/repo/issues/comments/555": func(rw http.ResponseWriter, _ *http.Request) {
+					t.Error("edit endpoint should not be called for comment from different user")
+					rw.WriteHeader(http.StatusOK)
+				},
 			},
 		},
 	}
@@ -817,6 +847,8 @@ func TestCreateComment(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			fakeclient, mux, teardown := tgitea.Setup(t)
 			defer teardown()
+			observer, _ := zapobserver.New(zap.InfoLevel)
+			fakelogger := zap.New(observer).Sugar()
 
 			if tt.clientNil {
 				p := &Provider{}
@@ -829,7 +861,7 @@ func TestCreateComment(t *testing.T) {
 				mux.HandleFunc(endpoint, handler)
 			}
 
-			p := &Provider{giteaClient: fakeclient}
+			p := &Provider{giteaClient: fakeclient, Logger: fakelogger}
 			err := p.CreateComment(context.Background(), tt.event, tt.commit, tt.updateMarker)
 			if tt.wantErr != "" {
 				assert.ErrorContains(t, err, tt.wantErr)
diff --git a/pkg/provider/gitlab/gitlab.go b/pkg/provider/gitlab/gitlab.go
@@ -66,6 +66,7 @@ type Provider struct {
 	// current provider instance lifecycle to avoid repeated API calls.
 	memberCache        map[int64]bool
 	cachedChangedFiles *changedfiles.ChangedFiles
+	pacUserID          int64 // user login used by PAC
 }
 
 var defaultGitlabListOptions = gitlab.ListOptions{
@@ -106,6 +107,15 @@ func (v *Provider) CreateComment(_ context.Context, event *info.Event, commit, u
 		commentRe := regexp.MustCompile(updateMarker)
 		options := []gitlab.RequestOptionFunc{}
 
+		// Get the UserID for the PAC user.
+		if v.pacUserID == 0 {
+			pacUser, _, err := v.Client().Users.CurrentUser()
+			if err != nil {
+				return fmt.Errorf("unable to fetch user info: %w", err)
+			}
+			v.pacUserID = pacUser.ID
+		}
+
 		for {
 			comments, resp, err := v.Client().Notes.ListMergeRequestNotes(event.TargetProjectID, int64(event.PullRequestNumber), &gitlab.ListMergeRequestNotesOptions{ListOptions: defaultGitlabListOptions}, options...)
 			if err != nil {
@@ -114,6 +124,14 @@ func (v *Provider) CreateComment(_ context.Context, event *info.Event, commit, u
 
 			for _, comment := range comments {
 				if commentRe.MatchString(comment.Body) {
+					// Only edit comments created by this PAC installation's credentials.
+					// Prevents accidentally modifying comments from other users/bots.
+					if comment.Author.ID != v.pacUserID {
+						v.Logger.Debugf("Skipping comment %d: created by user ID %d, PAC user ID is %d",
+							comment.ID, comment.Author.ID, v.pacUserID)
+						continue
+					}
+
 					_, _, err := v.Client().Notes.UpdateMergeRequestNote(event.TargetProjectID, int64(event.PullRequestNumber), comment.ID, &gitlab.UpdateMergeRequestNoteOptions{
 						Body: &commit,
 					})
diff --git a/pkg/provider/gitlab/gitlab_test.go b/pkg/provider/gitlab/gitlab_test.go
@@ -1576,9 +1576,12 @@ func TestGitLabCreateComment(t *testing.T) {
 			commit:       "Updated Comment",
 			updateMarker: "MARKER",
 			mockResponses: map[string]func(rw http.ResponseWriter, _ *http.Request){
+				"/user": func(rw http.ResponseWriter, _ *http.Request) {
+					fmt.Fprint(rw, `{"id": 100}`)
+				},
 				"/projects/666/merge_requests/123/notes": func(rw http.ResponseWriter, r *http.Request) {
 					if r.Method == http.MethodGet {
-						fmt.Fprint(rw, `[{"id": 555, "body": "MARKER"}]`)
+						fmt.Fprint(rw, `[{"id": 555, "body": "MARKER", "author": {"id": 100}}]`)
 						return
 					}
 				},
@@ -1595,9 +1598,12 @@ func TestGitLabCreateComment(t *testing.T) {
 			commit:       "New Comment",
 			updateMarker: "MARKER",
 			mockResponses: map[string]func(rw http.ResponseWriter, _ *http.Request){
+				"/user": func(rw http.ResponseWriter, _ *http.Request) {
+					fmt.Fprint(rw, `{"id": 100}`)
+				},
 				"/projects/666/merge_requests/123/notes": func(rw http.ResponseWriter, r *http.Request) {
 					if r.Method == http.MethodGet {
-						fmt.Fprint(rw, `[{"id": 555, "body": "NO_MATCH"}]`)
+						fmt.Fprint(rw, `[{"id": 555, "body": "NO_MATCH", "author": {"id": 200}}]`)
 						return
 					}
 					assert.Equal(t, r.Method, http.MethodPost)
@@ -1606,6 +1612,30 @@ func TestGitLabCreateComment(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:         "skip comment from different user and create new",
+			event:        &info.Event{PullRequestNumber: 123, TargetProjectID: 666},
+			commit:       "Updated Comment",
+			updateMarker: "MARKER",
+			mockResponses: map[string]func(rw http.ResponseWriter, _ *http.Request){
+				"/user": func(rw http.ResponseWriter, _ *http.Request) {
+					fmt.Fprint(rw, `{"id": 100}`)
+				},
+				"/projects/666/merge_requests/123/notes": func(rw http.ResponseWriter, r *http.Request) {
+					if r.Method == http.MethodGet {
+						fmt.Fprint(rw, `[{"id": 555, "body": "Old MARKER", "author": {"id": 999}}]`)
+						return
+					}
+					assert.Equal(t, r.Method, http.MethodPost)
+					rw.WriteHeader(http.StatusCreated)
+					fmt.Fprint(rw, `{}`)
+				},
+				"/projects/666/merge_requests/123/notes/555": func(rw http.ResponseWriter, _ *http.Request) {
+					t.Error("edit endpoint should not be called for comment from different user")
+					rw.WriteHeader(http.StatusOK)
+				},
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -1632,6 +1662,7 @@ func TestGitLabCreateComment(t *testing.T) {
 			p := &Provider{
 				sourceProjectID: 666,
 				gitlabClient:    fakeclient,
+				Logger:          logger,
 			}
 			err := p.CreateComment(context.Background(), tt.event, tt.commit, tt.updateMarker)
 			if tt.wantErr != "" {
@@ -1649,6 +1680,9 @@ func TestGitLabCreateCommentPaging(t *testing.T) {
 	commit := "Updated Comment"
 	updateMarker := "MARKER"
 	mockResponses := map[string]func(rw http.ResponseWriter, _ *http.Request){
+		"/user": func(rw http.ResponseWriter, _ *http.Request) {
+			fmt.Fprint(rw, `{"id": 100}`)
+		},
 		"/projects/666/merge_requests/123/notes": func(rw http.ResponseWriter, r *http.Request) {
 			if r.Method == http.MethodGet {
 				page := thelp.SetPagingHeader(t, rw, r, 100)
@@ -1658,7 +1692,7 @@ func TestGitLabCreateCommentPaging(t *testing.T) {
 				} else if page > 10 {
 					t.Error("notes shouldn't be queries past the expected ID")
 				}
-				fmt.Fprintf(rw, `[{"id": %d, "body": "%s"}]`, page, note)
+				fmt.Fprintf(rw, `[{"id": %d, "body": "%s", "author": {"id": 100}}]`, page, note)
 			}
 		},
 		"/projects/666/merge_requests/123/notes/{id}": func(rw http.ResponseWriter, r *http.Request) {
@@ -1676,6 +1710,8 @@ func TestGitLabCreateCommentPaging(t *testing.T) {
 
 	fakeclient, mux, teardown := thelp.Setup(t)
 	defer teardown()
+	observer, _ := zapobserver.New(zap.InfoLevel)
+	logger := zap.New(observer).Sugar()
 
 	for endpoint, handler := range mockResponses {
 		mux.HandleFunc(endpoint, handler)
@@ -1684,6 +1720,7 @@ func TestGitLabCreateCommentPaging(t *testing.T) {
 	p := &Provider{
 		sourceProjectID: 666,
 		gitlabClient:    fakeclient,
+		Logger:          logger,
 	}
 	err := p.CreateComment(context.Background(), event, commit, updateMarker)
 	assert.NilError(t, err)
