Skip to content

fix(integrations): don't persist unverified GitHub installation_id (CS-710)#3370

Merged
tofikwest merged 1 commit into
mainfrom
tofik/cs-710-drop-installation-id
Jul 7, 2026
Merged

fix(integrations): don't persist unverified GitHub installation_id (CS-710)#3370
tofikwest merged 1 commit into
mainfrom
tofik/cs-710-drop-installation-id

Conversation

@tofikwest

@tofikwest tofikwest commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

What & why

The GitHub App install callback returns an installation_id. GitHub's own docs state this value should not be trusted — it can be spoofed on the callback URL. The initial github-app integration stored it on the connection's metadata, but nothing in the codebase reads it (verified: written in one place, read in zero). It was unused data that a future installation-token flow could later trust unsafely.

This removes the storage so there's no untrusted value sitting around waiting to be trusted.

Follow-up to CS-710 (cubic flagged it on the production deploy PR #3364).

Changes

  • Remove the installation_id persistence block from the OAuth callback.
  • Remove the now-unused installation_id / setup_action fields from the callback query type.
  • Remove the obsolete test.
  • Leave a NOTE at the call site explaining the decision, so it isn't naively re-added.

No behavior change

The integration authenticates with the OAuth user token (obtained from the code exchange), which is untouched. Connect, token storage, and all checks work identically. The removed field was never used, so this is a no-op functionally.

If installation-token auth is added later

Resolve the installation via GET /user/installations with the user token — which also proves the user owns it — rather than trusting the callback value. (This is GitHub's recommended approach.)

Verification

  • oauth.controller.spec: 21 pass
  • No typecheck errors in changed files; prettier clean
  • Grep confirms zero remaining reads/writes of githubInstallationId

🤖 Generated with Claude Code


Summary by cubic

Stop storing the GitHub App installation_id from the OAuth callback to avoid persisting spoofable data; no behavior change to auth or connect flows. Aligns with CS-710 by tightening the GitHub App migration to least-privilege, trusted data only.

  • Bug Fixes
    • Removed persistence of installation_id/setup_action on connections, deleted unused query fields and obsolete test.
    • Added a code note: do not trust callback installation_id; if installation-token auth is added later, resolve via GET /user/installations with the user token.

Written for commit b72ae40. Summary will update on new commits.

Review in cubic

The GitHub App install callback returns an `installation_id`, which GitHub's
own docs document as not trustworthy (it can be spoofed on the callback URL).
The previous code stored it on the connection metadata, but nothing reads it
anywhere, so it was unused data that a future installation-token flow could
later trust unsafely.

Remove the storage (and its now-unused query fields + test). If GitHub App
installation-token auth is added later, resolve the installation via
`GET /user/installations` with the user token — which also proves the user
owns it — instead of trusting the callback value. No behavior change: the
integration authenticates with the OAuth user token, which is unaffected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XyttkYNbkdYRp7DBKNuFVH
@linear

linear Bot commented Jul 7, 2026

Copy link
Copy Markdown

CS-710

@vercel

vercel Bot commented Jul 7, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
comp-framework-editor Ready Ready Preview, Comment Jul 7, 2026 9:13pm
2 Skipped Deployments
Project Deployment Actions Updated (UTC)
app Skipped Skipped Jul 7, 2026 9:13pm
portal Skipped Skipped Jul 7, 2026 9:13pm

Request Review

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Re-trigger cubic

@tofikwest tofikwest merged commit 9c6f6fa into main Jul 7, 2026
11 checks passed
@tofikwest tofikwest deleted the tofik/cs-710-drop-installation-id branch July 7, 2026 21:15
claudfuen pushed a commit that referenced this pull request Jul 7, 2026
# [3.99.0](v3.98.1...v3.99.0) (2026-07-07)

### Bug Fixes

* **integrations:** don't persist unverified GitHub installation_id ([#3370](#3370)) ([9c6f6fa](9c6f6fa))
* **isms:** lock before writing control links so edits serialize with approve ([#3369](#3369)) ([a21f866](a21f866))
* **isms:** production-deploy review follow-ups (CS-701) ([#3365](#3365)) ([d756d4a](d756d4a)), closes [#3364](#3364)
* **isms:** serialize approve against ALL register/content edits (central lock) ([#3367](#3367)) ([5c88a3d](5c88a3d))
* **isms:** serialize approve/decline to prevent concurrent double-publish (CS-701) ([#3366](#3366)) ([b158bc9](b158bc9)), closes [#3364](#3364)

### Features

* **integrations:** add read-only GitHub App integration (CS-710) ([#3363](#3363)) ([a5a9243](a5a9243))
* **isms:** document versioning and history (CS-701) ([#3361](#3361)) ([d95dc2e](d95dc2e))
@claudfuen

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 3.99.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants