Skip to content

Harden /deploy-preview against TOCTOU SHA swaps#5

Open
JaredStowell wants to merge 1 commit intomainfrom
codex/fix-mutable-pr-head-sha-vulnerability
Open

Harden /deploy-preview against TOCTOU SHA swaps#5
JaredStowell wants to merge 1 commit intomainfrom
codex/fix-mutable-pr-head-sha-vulnerability

Conversation

@JaredStowell
Copy link
Owner

@JaredStowell JaredStowell commented Mar 7, 2026

Motivation

  • The /deploy-preview slash-command previously fetched the PR head SHA at runtime and used it for deploys, creating a TOCTOU window where a malicious PR author could push new commits after a maintainer approved and cause unreviewed code to run with deploy secrets.

Description

  • Require maintainers to include an explicit 40-character commit SHA in the comment, using the format /deploy-preview <full-40-char-commit-sha>.
  • Parse the comment body inside the check job and extract the requested SHA, failing the job when the usage is incorrect.
  • Verify the requested SHA belongs to the target PR by enumerating PR commits with pulls.listCommits (via github.paginate) and fail if the SHA is not present.
  • Replace the previous pr.data.head.sha output with the validated, pinned SHA so downstream checkout, build, deploy, and smoke-test jobs operate on the exact reviewed commit.

Testing

  • Ran pnpm exec prettier --check .github/workflows/deploy-preview-command.yml which succeeded, confirming workflow formatting.
  • The modified workflow logic is limited to the GitHub Actions script and includes runtime validation to fail safely on bad usage; no other automated tests were changed.

Codex Task

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 7, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4e76965a21

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

.github/workflows/deploy-preview-command.yml
Comment on lines +66 to +70
const commits = await github.paginate(github.rest.pulls.listCommits, {
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
per_page: 100,
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Avoid using truncated PR commit list for SHA validation

This validation can reject legitimate deploys on large PRs because pulls.listCommits is capped by GitHub (the endpoint does not provide an unbounded commit history for very large PRs), so commitShas.has(requestedSha) may fail even when the SHA is actually in the PR. In that case maintainers cannot run /deploy-preview <sha> for older commits in large PRs, which is a regression from the intended “any PR commit” pinning behavior.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

aardvark codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JaredStowell