tools/go-cuckoo
1
0
Fork 0
Code Issues 2 Pull Requests Actions Releases 4 Wiki Activity

fix: check-pr-title job has prompt injection #18

Merged
mvhutz merged 1 commits from fix/prompt-injection-pr-title into main 2026-04-03 14:47:01 +00:00
Conversation 0 Commits 1 Files Changed 1 +3 -1
mvhutz commented 2026-04-03 14:44:30 +00:00
Owner
Copy Link

Description

Currently, the check-pr-title job has a security vulnerability. If you give the PR a bad title, the job can run arbitrary code.

Changes

  • Fix prompt injection by pulling the PR title as an environment variable.
  • Also, restricted the job to only pull_request trigger.

Design Decisions

  • It is better to pull out this job into a separate workflow with a unique trigger, but I chose not to because it is currently only one job.

Checklist

  • Tests pass
  • Docs updated
## Description Currently, the `check-pr-title` job has a security vulnerability. If you give the PR a bad title, the job can run arbitrary code. ## Changes - Fix prompt injection by pulling the PR title as an environment variable. - Also, restricted the job to only `pull_request` trigger. ### Design Decisions - It is better to pull out this job into a separate workflow with a unique trigger, but I chose not to because it is currently only one job. ## Checklist - [x] Tests pass - [x] Docs updated
mvhutz added 1 commit 2026-04-03 14:44:30 +00:00
fix: pr-title job has prompt injection
All checks were successful
CI / Check PR Title (pull_request) Successful in 19s
Details
CI / Go Lint (pull_request) Successful in 37s
Details
CI / Makefile Lint (pull_request) Successful in 35s
Details
CI / Markdown Lint (pull_request) Successful in 22s
Details
CI / Unit Tests (pull_request) Successful in 34s
Details
CI / Fuzz Tests (pull_request) Successful in 1m6s
Details
CI / Mutation Tests (pull_request) Successful in 1m18s
Details
39c2f044bc 
- Also, only run on PR template.
mvhutz merged commit ed30a4fc7c into main 2026-04-03 14:47:01 +00:00
mvhutz deleted branch fix/prompt-injection-pr-title 2026-04-03 14:47:01 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
bug
Something is not working
 duplicate
This issue or pull request already exists
 enhancement
New feature
 help wanted
Need some help
 invalid
Something is wrong
 question
More information is needed
 wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
mvhutz
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: tools/go-cuckoo#18
Delete Branch "fix/prompt-injection-pr-title"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?