Skip to content

[Retest #3751918] Issue title injection still present in agent-triage.yml and agent-fix.yml#2348

Open
subchatsecure wants to merge 1 commit into
Shopify:mainfrom
subchatsecure:retest/3751918-title-injection-unfixed
Open

[Retest #3751918] Issue title injection still present in agent-triage.yml and agent-fix.yml#2348
subchatsecure wants to merge 1 commit into
Shopify:mainfrom
subchatsecure:retest/3751918-title-injection-unfixed

Conversation

@subchatsecure

@subchatsecure subchatsecure commented Jun 25, 2026

Copy link
Copy Markdown

Retest of HackerOne Report #3751918

Retested by: @subchatsecure
Date: 2026-06-26
Verdict: Vulnerability NOT fixed

What I checked

Both agent workflow files were pulled from main on 2026-06-26 and compared against the original report.

agent-triage.yml — Still Vulnerable

Line 39–40 on current main:

prompt: |
  Triage issue #${{ github.event.issue.number }}.
  Title: ${{ github.event.issue.title }}    ← attacker-controlled, injected verbatim

The only change observed is a new proxy content-filter header:

env:
  ANTHROPIC_BASE_URL: https://proxy.shopify.ai/vendors/anthropic
  ANTHROPIC_CUSTOM_HEADERS: |-
    Shopify-Security-Scan: paranoid-path-template
    Shopify-Security-Scan-Mode: block

This is not a fix — the root cause (attacker-controlled text interpolated directly into the prompt at the YAML level) is unchanged. A server-side filter does not remove the injection surface.

No author_association check on the labeled trigger path.

agent-fix.yml — Still Vulnerable (highest severity, zero changes)

Line 84–85 on current main:

prompt: |
  There is no human to confirm with — act autonomously.
  TITLE: ${{ github.event.issue.title }}    ← attacker-controlled, injected verbatim

This workflow retains:

  • contents: write, pull-requests: write, issues: write permissions
  • Bash(git push -u *), Bash(gh pr *), Bash(GH_TOKEN=* gh pr *)
  • AGENT_PR_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
  • No Shopify-Security-Scan header — not even the partial mitigation from agent-triage.yml
  • No author_association check on the labeled trigger path

Evidence file

See RETEST-3751918.md in this branch for the full side-by-side comparison with proposed correct fix.

Conclusion

The reported vulnerability is not fixed. Both workflows continue to inject ${{ github.event.issue.title }} directly into the Claude agent prompt. agent-fix.yml, which has full code write + PR creation access, has received zero changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

cla-needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@subchatsecure