bug: doc-map config loaded from PR branch (untrusted) — potential data exfiltration #143

Closed
opened 2026-05-15 05:03:36 +00:00 by rodin · 1 comment
Owner

Summary

The validate-docmap and doc-map injection features read the doc-map YAML config from the PR branch, not the default/trusted branch. A malicious PR author can modify the doc-map in their branch to cause arbitrary repo documents to be fetched from the default branch and injected into LLM requests.

Impact

  • Severity: MAJOR / Security
  • Found by: security-review-bot on PR #138 (REQUEST_CHANGES)
  • Merged despite finding: Yes — PR #138 was merged with this unresolved

Attack vector

  1. Attacker opens a PR
  2. Modifies .review-bot/doc-map.yml in their branch to map any path glob to sensitive docs (e.g., docs/internal/secrets.md)
  3. review-bot reads the doc-map from the PR branch
  4. Sensitive docs from the default branch are fetched and injected into the LLM system prompt
  5. Via prompt injection in the design docs, attacker could potentially exfiltrate content

Fix

The doc-map config file must always be loaded from the default branch (or a pinned trusted ref), never from the PR branch. The PR branch should only contribute the list of changed files — not the config that governs what docs get injected.

References

  • PR #138 security-review-bot review: REQUEST_CHANGES with this finding
  • Affects: review/docmap.go, action inputs, CLI flag handling
Author
Owner

🔍 Triage note (from DESIGN-137-doc-map.md):

The design doc states:

The doc-map YAML file is read from the local workspace (like system-prompt-file).

In CI, "local workspace" is the checked-out PR branch. The design doc describes GetAllFilesInPath and GetFileContent fetching docs via VCS API — but the config itself comes from the workspace.

Affected components per design:

  • review/docmap.go — YAML parsing, glob matching, doc loading
  • cmd/review-bot/main.go — Step 6c: parses config
  • action.yml — doc-map input wired to DOC_MAP_FILE

Fix approach: load .review-bot/doc-map.yml via VCS API from the default branch (like patterns-repo fetch) instead of from the local workspace. This may require a new flag or env var for "trusted ref".

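One way to structure the fix sketched above, added here as an illustration and not code from the review-bot project: the config is fetched through the VCS API from a trusted ref, and the PR branch supplies only the changed-file list. `VCS`, `MemVCS`, `DocMap`, `LoadDocMap`, `PlanInjection` and the JSON config path are assumptions made for this example (the real doc-map is YAML).

```go
package main

import (
	"encoding/json"
	"path"
	"sort"
)

// VCS is the one VCS-API call this example needs (assumed, not the project's client).
type VCS interface {
	GetFileContent(ref, filePath string) ([]byte, error)
}

// MemVCS is an in-memory VCS (ref -> path -> content) for demos and tests;
// a missing file yields nil content, which then fails to parse.
type MemVCS map[string]map[string][]byte
func (m MemVCS) GetFileContent(ref, p string) ([]byte, error) { return m[ref][p], nil }
// DocMap maps a path glob (path.Match syntax) to docs to inject on a match.
// JSON rather than YAML keeps the example standard-library only.
type DocMap struct {
	Rules map[string][]string `json:"rules"`
}
const DocMapPath = ".review-bot/doc-map.json" // constructed for this example
// LoadDocMap reads the config from the ref it is given and from nowhere else.
func LoadDocMap(v VCS, ref string) (dm DocMap, err error) {
	raw, err := v.GetFileContent(ref, DocMapPath)
	if err == nil {
		err = json.Unmarshal(raw, &dm)
	}
	return dm, err
}

// PlanInjection lists docs to inject for a PR. The PR contributes only the
// changed-file list; the doc-map comes from trustedRef, never the PR branch.
func PlanInjection(v VCS, trustedRef string, changed []string) ([]string, error) {
	dm, err := LoadDocMap(v, trustedRef)
	if err != nil {
		return nil, err
	}
	var docs []string
	for glob, targets := range dm.Rules {
		for _, f := range changed {
			if ok, _ := path.Match(glob, f); ok {
				docs = append(docs, targets...)
			}
		}
	}
	sort.Strings(docs)
	return docs, nil
}
```

Calling PlanInjection with the default branch as trustedRef makes a doc-map edited in the PR branch irrelevant; passing the PR ref instead reproduces the behaviour this issue describes.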
rodin closed this issue 2026-05-15 12:09:20 +00:00
Reference: rodin/review-bot#143