chore(github): Add GitHub workflow for framework updates digest#21681
chore(github): Add GitHub workflow for framework updates digest#21681s1gr1d wants to merge 3 commits into
Conversation
ce73e4a to
4304790
Compare
| if published is None or published < since: | ||
| continue | ||
| body = rel.get("body") or "" | ||
| body = sanitize_untrusted_text((rel.get("body") or "")[:MAX_BODY_CHARS]) |
There was a problem hiding this comment.
Bug: The release body is truncated before sanitization, which can allow a prompt injection payload to bypass security filters if it's split by the truncation.
Severity: HIGH
Suggested Fix
Reverse the order of operations. First, sanitize the entire release body using sanitize_untrusted_text, and then truncate the sanitized output to MAX_BODY_CHARS.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: .agents/skills/track-framework-updates/scripts/fetch_releases.py#L55
Potential issue: In `fetch_releases.py`, the release body from `rel.get("body")` is
truncated to `MAX_BODY_CHARS` characters before it is sanitized by
`sanitize_untrusted_text`. The sanitization function uses regular expressions to find
and remove prompt injection keywords. If a malicious payload is placed near the
truncation boundary, a keyword like "instructions" could be cut in half. The resulting
partial keyword will not be matched by the sanitization regex, allowing the prompt
injection to bypass the security filter.
Did we get this right? 👍 / 👎 to inform future reviews.
| @@ -32,7 +32,7 @@ | |||
| from typing import Any | |||
| from xml.etree import ElementTree | |||
|
|
|||
There was a problem hiding this comment.
RSS item URL field reaches Claude agent unsanitized, enabling prompt injection
The url field parsed from third-party RSS entries is included raw in the JSON output consumed by the Claude agent while the sibling title field is passed through sanitize_untrusted_text, so a malicious or compromised RSS feed can smuggle injection directives into the agent via the <link> element. Apply sanitize_untrusted_text to url (and publishedAt) as well.
Evidence
- In
collect()(fetch_rss.py line 166-167),titleis wrapped insanitize_untrusted_text(item["title"])but the next line emits"url": item["url"]with no sanitization. parse_feedsetsurlfrom the raw text of the RSS<link>element (or Atom link href) — arbitrary feed-provider-controlled text, not validated as a real URL;_common._validate_frameworkonly checks that the configured feed URL in sources.json uses HTTPS, never the fetched content.- The workflow
.github/workflows/track-framework-updates.ymlfeeds this JSON (via collect_updates.py) toanthropics/claude-code-actionwithReadandWritetools enabled, so injected directives inurlcould influence the agent's file reads/writes. sanitize_untrusted_textwas introduced specifically to defend RSS content against prompt injection, making the unsanitizedurlfield an inconsistent gap in the intended boundary.
Identified by Warden security-review · AYS-H4N
Adds the GitHub action which will run on a schedule (in the future - now this is commented out for testing).
Also adds some security guards against prompt injection when we deal with external data like RSS feeds.
Linear Reference: https://linear.app/getsentry/issue/JSSDK-4/create-github-action-for-framework-release-monitoring