
fix(#97): validate client_payload.host in dispatch workflow #168

Merged
mvillmow merged 1 commit into main from 97-auto-impl on Jun 29, 2026

Conversation

@mvillmow mvillmow commented Jun 4, 2026


Summary

Eliminate unvalidated forwarding of repository_dispatch client_payload.host to dispatch-apply.sh. Introduce RFC 1123 format validation + allowlist enforcement in two layers:

  1. Primary trust boundary: .github/workflows/cross-repo-dispatch.yml validates the inbound payload before dispatch
  2. Defence-in-depth: scripts/dispatch-apply.sh re-validates the host (covers local just dispatch-apply calls too)

Both layers use a shared validation helper (scripts/validate-host.sh) that checks:

  • Format: RFC 1123-compliant hostname (rejects shell metacharacters, control chars, whitespace)
  • Allowlist: Host must exist in configs/allowed-hosts.txt

Test Plan

  • All 5 integration test cases pass (bash tests/dispatch-apply.test.sh)
  • Shell metacharacter payload (hermes;id) rejected at format check
  • Non-allowlisted host (attacker-host) rejected at allowlist check
  • Workflow YAML parses and is valid
  • Commit is cryptographically signed

Follow-ups

One core follow-up item identified during implementation:

  • Wire dispatch-apply tests into CI — The validation tests were created but not integrated into the integration-tests job. Added in follow-up commit 6a851c5.

Closes #97
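A runnable sketch of the two-layer check described above, added here as an example and not the project's own scripts/validate-host.sh: the hostname rules are RFC 1123's (labels of 1-63 alphanumerics or hyphens, no leading or trailing hyphen, at most 253 characters in total), the format check runs before the allowlist lookup, and the allowlist file is constructed for the demo in place of configs/allowed-hosts.txt.

```shell
# Added example, not the project's scripts/validate-host.sh: the two-layer host
# check the PR describes (RFC 1123 format first, then allowlist membership).
set -eu
LC_ALL=C   # byte-exact [A-Za-z0-9] ranges regardless of the caller's locale

# Returns 0 if $1 is an RFC 1123 hostname: at most 253 chars, dot-separated
# labels of 1-63 alphanumerics or hyphens, no leading or trailing hyphen.
# Shell metacharacters, whitespace and control characters never pass.
is_rfc1123_host() {
  local host="$1" rest label
  [ -n "$host" ] && [ "${#host}" -le 253 ] || return 1
  rest="$host"
  while :; do
    label="${rest%%.*}"                 # text before the next dot
    [ -n "$label" ] && [ "${#label}" -le 63 ] || return 1
    case "$label" in
      -*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "$label" = "$rest" ] && return 0  # no dots left: every label checked
    rest="${rest#*.}"
  done
}

# Returns 0 if $1 equals a whole line of allowlist file $2 (blank lines and
# '#' comments ignored); a substring or prefix match is not enough.
is_allowlisted_host() {
  local host="$1" file="$2" line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    [ "$line" = "$host" ] && return 0
  done < "$file"
  return 1
}

# Format is checked before the allowlist so an unsafe string is never used
# (not even in a log line) before rejection. Prints the accepted host.
validate_host() {
  local host="$1" file="${2:-configs/allowed-hosts.txt}"
  is_rfc1123_host "$host" || { echo 'rejected: not an RFC 1123 hostname' >&2; return 1; }
  is_allowlisted_host "$host" "$file" || { echo 'rejected: host not in allowlist' >&2; return 1; }
  printf '%s\n' "$host"
}

# Constructed allowlist standing in for configs/allowed-hosts.txt.
DEMO_ALLOWLIST="$(mktemp)"; trap 'rm -f "$DEMO_ALLOWLIST"' EXIT
printf '# constructed\nhermes\nbuild-01.internal.example\n' > "$DEMO_ALLOWLIST"
for candidate in hermes 'hermes;id' attacker-host build-01.internal.example; do
  validate_host "$candidate" "$DEMO_ALLOWLIST" 2>/dev/null || echo "rejected: $candidate"
done
```

The demo loop reproduces the two rejections from the test plan: `hermes;id` fails the format check before the allowlist is ever consulted, and `attacker-host` is well-formed but not allowlisted.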

@mvillmow mvillmow force-pushed the 97-auto-impl branch 2 times, most recently from e3cc994 to 62230ac on June 28, 2026 17:12
@mvillmow mvillmow enabled auto-merge (squash) June 28, 2026 18:46
Eliminate unvalidated forwarding of repository_dispatch client_payload.host
to dispatch-apply.sh. Introduce RFC 1123 format check + allowlist enforcement
in two layers (primary: workflow step; defense-in-depth: dispatch-apply.sh).

Changes:
- Add configs/allowed-hosts.txt: Myrmidons target host allowlist
- Add scripts/validate-host.sh: Shared validation helper (format + allowlist)
- Modify scripts/dispatch-apply.sh: Source validate-host.sh after HOST check
- Add tests/dispatch-apply.test.sh: 5 integration test cases
- Modify .github/workflows/cross-repo-dispatch.yml: Validate host before dispatch
- Add docs/dispatch-contract.md: Specification of dispatch contract

Closes #97

Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
@mvillmow mvillmow merged commit a2602c5 into main Jun 29, 2026
19 checks passed
@mvillmow mvillmow deleted the 97-auto-impl branch June 29, 2026 00:43
Development

Successfully merging this pull request may close these issues.

[MAJOR] §8: cross-repo-dispatch.yml passes untrusted client_payload.host to dispatch-apply.sh without validation