[SECURITY] `/format` CI command allows arbitrary code execution via untrusted fork PRs

[Tamcodes4]

Description

.github/workflows/format-command.yml triggers on issue_comment with no authorization check on the commenter, then checks out the PR head's fork branch and runs npx prettier --write . inside a job holding contents: write and a live GITHUB_TOKEN, before auto-committing and pushing back to the base repo.

Steps to Reproduce

1. Fork the repo and open a PR from the fork containing a malicious .prettierrc.js (Prettier configs are JS and execute on load, e.g. one that runs require('child_process').exec(...)).
2. Comment /format on your own PR.
3. The workflow checks out your fork's branch and runs your config with contents: write + GITHUB_TOKEN permissions, then commits the result back to the base repo.

Expected Behavior

Only maintainers/collaborators should be able to trigger a workflow that runs code from a PR branch with write access to the repo.

Actual Behavior

Any GitHub account, including the PR author on their own fork PR, can trigger this job. The if: condition only checks contains(github.event.comment.body, '/format'), with no check on github.event.comment.user.login or author_association.

Root Cause

if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/format')
permissions:
  contents: write
  pull-requests: write
  issues: write
steps:
  - uses: actions/checkout@v4
    with:
      repository: ${{ fromJSON(steps.pr.outputs.result).head.repo.full_name }}
      ref: ${{ fromJSON(steps.pr.outputs.result).head.ref }}
      token: ${{ secrets.GITHUB_TOKEN }}
  - run: npx prettier --write .
  - uses: stefanzweifel/git-auto-commit-action@v5

This is the classic "pwn request" anti-pattern: untrusted fork content is checked out and executed inside a job that holds write-scoped secrets.

Suggested Fix

Gate the job on commenter authorization:

if: |
  github.event.issue.pull_request != '' &&
  contains(github.event.comment.body, '/format') &&
  (github.event.comment.author_association == 'OWNER' ||
   github.event.comment.author_association == 'MEMBER' ||
   github.event.comment.author_association == 'COLLABORATOR')

Alternatively, replace this with a maintained slash-command dispatcher (e.g. peter-evans/slash-command-dispatch) that handles authorization correctly.

Affected Files

• .github/workflows/format-command.yml

[github-actions]

Thank you for opening an issue.

Please review our CONTRIBUTING.md guidelines before getting started.

A maintainer will review this issue shortly. If you would like to work on the issue yourself, please leave a comment requesting assignment.

Issue Assignment Policy

• The issue creator is given the first priority to work on their issue.
• If the creator declines or does not request assignment, the issue will be assigned to others in the order of requests received.
• Please do not submit PRs or begin work until you are officially assigned.

Note: This project is currently maintained by a solo maintainer, so reviews, assignments, and responses may sometimes take a little time. Thanks for your patience.

[Tamcodes4]

Hi, I would like to work on this issue. Kindly assign it to me under Gssoc26!

[jagdish-15]

@Tamcodes4

I think it would be better to move ahead with peter-evans/slash-command-dispatch rather than adding authorisation checks to the current workflow, since our CONTRIBUTING.md and related documentation already reference that approach.

I'll assign this to you. Feel free to raise a PR when possible