From b9cbc5baee827c05e4fe02d2ed98a5397366095c Mon Sep 17 00:00:00 2001 From: Kazuki Yamada Date: Sat, 7 Mar 2026 01:09:21 +0900 Subject: [PATCH] fix(ci): Restrict allowedTools to current issue number in Claude workflows An external user (AlexNova-ops) attempted prompt injection attacks against Claude triage bots via issue #1202. While the GitHub token permissions already limited the blast radius to issue operations only, the allowedTools configuration allowed gh commands to target any issue number, meaning a successful prompt injection could modify other issues. This change restricts gh issue view, gh issue edit, and gh issue comment commands to only operate on the current issue number (${{ github.event.issue.number }}), preventing cross-issue manipulation even if prompt injection succeeds. --- .github/workflows/claude-issue-similar.yml | 2 +- .github/workflows/claude-issue-triage.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/claude-issue-similar.yml b/.github/workflows/claude-issue-similar.yml index 1c3a9319a..c6784bde6 100644 --- a/.github/workflows/claude-issue-similar.yml +++ b/.github/workflows/claude-issue-similar.yml @@ -28,7 +28,7 @@ jobs: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} github_token: ${{ secrets.GITHUB_TOKEN }} allowed_non_write_users: "*" - claude_args: '--model opus --allowedTools "Bash(gh issue view:*),Bash(gh issue comment:*),Bash(gh search:*)"' + claude_args: '--model opus --allowedTools "Bash(gh issue view ${{ github.event.issue.number }}:*),Bash(gh issue comment ${{ github.event.issue.number }}:*),Bash(gh search:*)"' prompt: | You're an assistant that finds similar issues in the repository. diff --git a/.github/workflows/claude-issue-triage.yml b/.github/workflows/claude-issue-triage.yml index 4619ef51d..87ceb234c 100644 --- a/.github/workflows/claude-issue-triage.yml +++ b/.github/workflows/claude-issue-triage.yml 
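Review bot: The new `Bash(gh issue comment ${{ github.event.issue.number }}:*)` pattern pins the positional issue argument but, being a prefix rule, cannot constrain anything that follows it, so flags such as `--repo`/`-R` (retargeting another repository) or `--edit-last` (rewriting the bot's previous comment on this issue) are still within the allow-list; cross-repo writes are presumably stopped only by the repo-scoped `GITHUB_TOKEN`, not by this rule. If the matcher is a plain textual prefix, `gh issue comment 120:*` would also admit `gh issue comment 1202 …`, which is worth confirming against the action's documentation before relying on it. Since `allowed_non_write_users: "*"` keeps the trigger open to anyone, I would record the residual exposure next to the line, e.g. `# Prefix rules fix the target issue only; trailing flags (--repo, --edit-last) are not restricted — the repo-scoped GITHUB_TOKEN is the boundary for other repos.` so the next maintainer does not read this as a complete sandbox.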
@@ -28,7 +28,7 @@ jobs: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} github_token: ${{ secrets.GITHUB_TOKEN }} allowed_non_write_users: "*" - claude_args: '--model opus --allowedTools "Bash(gh label list:*),Bash(gh issue view:*),Bash(gh issue edit:*),Bash(gh search:*)"' + claude_args: '--model opus --allowedTools "Bash(gh label list:*),Bash(gh issue view ${{ github.event.issue.number }}:*),Bash(gh issue edit ${{ github.event.issue.number }}:*),Bash(gh search:*)"' prompt: | You're an issue triage assistant for the Repomix repository. Your task is to analyze the issue and select appropriate labels from the repository's label list.
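Review bot: The triage job only needs to add labels, yet `Bash(gh issue edit ${{ github.event.issue.number }}:*)` still admits `--title`, `--body`, `--add-assignee`, `--milestone` and `--remove-label`, so a successful injection can still rewrite the very issue it arrived in (for example inserting links into the body or stripping existing labels). Narrowing the prefix to the one operation the prompt asks for, `Bash(gh issue edit ${{ github.event.issue.number }} --add-label:*)`, removes those verbs from the allow-list at no cost to the task. Because the rule is a prefix match, flags appended after `--add-label` would still pass, so this tightens intent rather than forming a hard boundary; a short comment above the line stating that, e.g. `# Allow only label additions on the triggering issue; prefix rules do not block trailing flags.`, would keep that limit visible. Interpolating `github.event.issue.number` here is fine since it is numeric, unlike title or body fields.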