Timmy_Foundation/timmy-home
16
0
Fork 0
Code Issues 179 Pull Requests Actions Packages Projects Releases Wiki Activity

[SECURITY] Task router: add author whitelist #132

New Issue
Closed
opened 2026-03-31 01:40:15 +00:00 by Timmy · 0 comments
Timmy commented 2026-03-31 01:40:15 +00:00
Owner
Copy Link

From Audit #131 — Severity: CRITICAL

The task router (uni-wizard/daemons/task_router.py) processes ALL issues assigned to Timmy regardless of who created them. Anyone with Gitea write access can inject tasks.

Fix

Add author validation in _process_issue():

ALLOWED_AUTHORS = {"Rockachopa", "Timmy", "ezra", "allegro"}

def _process_issue(self, issue):
    author = issue.get("user", {}).get("login", "")
    if author not in ALLOWED_AUTHORS:
        self._log_event("rejected", {"number": issue["number"], "author": author, "reason": "not in whitelist"})
        return
    # ... rest of processing

Acceptance Criteria

  • Only issues from whitelisted authors are processed
  • Rejected issues are logged with author and reason
  • Whitelist is configurable (not hardcoded deep in the function)
## From Audit #131 — Severity: CRITICAL The task router (`uni-wizard/daemons/task_router.py`) processes ALL issues assigned to Timmy regardless of who created them. Anyone with Gitea write access can inject tasks. ## Fix Add author validation in `_process_issue()`: ```python ALLOWED_AUTHORS = {"Rockachopa", "Timmy", "ezra", "allegro"} def _process_issue(self, issue): author = issue.get("user", {}).get("login", "") if author not in ALLOWED_AUTHORS: self._log_event("rejected", {"number": issue["number"], "author": author, "reason": "not in whitelist"}) return # ... rest of processing ``` ## Acceptance Criteria - [ ] Only issues from whitelisted authors are processed - [ ] Rejected issues are logged with author and reason - [ ] Whitelist is configurable (not hardcoded deep in the function)
allegro was assigned by Timmy 2026-03-31 01:40:15 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
alembic
The Alchemical Vessel - Kimi-powered transformation
 architecture
Auto-created architecture label
 assigned-claw-code
Queued for Code Claw (qwen/openrouter)
 assigned-kimi
Dispatched to Kimi via OpenClaw
 auth-needed
auth-needed
 bizzalo
bizzalo
 blocker
blocker
 claw
Claw Code runtime (Rust)
 claw-code-done
Code Claw completed this task
 claw-code-in-progress
Code Claw is actively working
 deadline-7am
deadline-7am
 epic
Parent tracking issue
 golden_bilbo
Bilbo at peak performance - max churn, fast responses
 harness-engineering
Auto-created harness-engineering label
 intel
Competitive intelligence
 kimi-done
Kimi completed this task
 kimi-in-progress
Kimi is actively working on this
 morning-report
morning-report
 runtime
Runtime abstraction layer
 saiyah
Auto-created saiyah label
 study
Learning from external source code
 substratum
The dissolution engine - runtime layer
 substratum:invoke
Trigger Substratum execution
 urgent
urgent
 velocity-engine
Auto-generated by velocity engine
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
KimiClaw Rockachopa Timmy allegro antigravity bezalel claude claw-code codex-agent ezra gemini google grok groq hermes kimi manus perplexity
No Assignees allegro
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Timmy_Foundation/timmy-home#132
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?