Strip OIDC token request env vars from Claude session environment#1029
Open
MaxwellCalkin wants to merge 1 commit intoanthropics:mainfrom
Open
Strip OIDC token request env vars from Claude session environment#1029MaxwellCalkin wants to merge 1 commit intoanthropics:mainfrom
MaxwellCalkin wants to merge 1 commit intoanthropics:mainfrom
Conversation
The Claude session inherits the full process.env, which includes ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN, and ACTIONS_RUNTIME_TOKEN when the workflow has `id-token: write` permission. This allows the Claude session to call GitHub's OIDC token endpoint and mint arbitrary tokens, escalating privileges beyond what was intended. These variables are only needed by the action itself (in token.ts for initial authentication) and should never be passed to the Claude SDK session. Fixes anthropics#1010
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #1010
The Claude session environment is built by spreading
process.envinparseSdkOptions()(base-action/src/parse-sdk-options.ts). When the workflow hasid-token: writepermission, this includes:ACTIONS_ID_TOKEN_REQUEST_URL— the GitHub OIDC token endpointACTIONS_ID_TOKEN_REQUEST_TOKEN— the bearer token to call that endpointACTIONS_RUNTIME_TOKEN— the Actions runtime authentication tokenThese variables allow the Claude session to mint arbitrary OIDC tokens, which can be exchanged for credentials to cloud providers (AWS, GCP, Azure) configured to trust the repository's OIDC identity. This is a privilege escalation — the
id-token: writepermission is intended for the action's own authentication (insrc/github/token.ts), not for the Claude session.Changes
base-action/src/parse-sdk-options.ts: DeleteACTIONS_ID_TOKEN_REQUEST_URL,ACTIONS_ID_TOKEN_REQUEST_TOKEN, andACTIONS_RUNTIME_TOKENfrom the env object after spreadingprocess.env, before passing it to the SDK.base-action/test/parse-sdk-options.test.ts: Add test verifying these variables are stripped fromsdkOptions.env.Test plan
sdkOptions.enveven when set inprocess.envtoken.tsreads fromprocess.envdirectly, beforeparseSdkOptions()is called