Patchly: ## Vulnerability

[github-actions]

Vulnerability

• File: src/patchly/agent.py (function _load_web_context, approximate lines 91–120)
• Type: Server‑Side Request Forgery (SSRF)
• Severity: high
• Description: The agent extracts URLs from issue/comment bodies (which are user‑controlled) and fetches them using fetch_safe(). Without proper validation, an attacker can make the tool send requests to arbitrary internal or external hosts, potentially accessing cloud metadata endpoints, internal services, or exfiltrating data.
• Fix: Validate fetched URLs against an allowlist (e.g., only github.com or raw.githubusercontent.com). Block private IP ranges (RFC 1918). Disable automatic fetching of URLs by default, or require explicit user approval.

---

Vulnerability

• File: src/patchly/actions/auto_fix.py (lines 15–36, especially get_file_content(file_path) and httpx.put(…/contents/{file_path}))
• Type: Insecure Direct Object Reference (IDOR) / Privilege Escalation
• Severity: high
• Description: The file_path parameter is directly used in GitHub API calls without validating whether the file should be modifiable by the current context. An attacker who can influence the analysis (e.g., by crafting an issue description or review comment) can cause the tool to read, modify, or commit arbitrary files in the repository, including sensitive configuration or workflow files.
• Fix: Restrict file operations to files that were part of the triggering event (e.g., files in the PR diff). Validate that the resolved path does not contain .. or start with /, and belongs to the repository root. For modifications, require a scope check against the event payload.

---

Vulnerability

• File: src/patchly/actions/auto_fix.py (lines 19–24), src/patchly/actions/pr_review.py (lines 14–20)
• Type: Prompt Injection / Missing Input Validation
• Severity: high
• Description: User‑supplied content (issue descriptions, file diffs, file paths) is directly interpolated into LLM prompts without sanitization. An attacker can craft input that overrides the system prompt, causing the LLM to generate malicious code, leak secrets, or perform unintended actions (e.g., commit arbitrary file content). This is especially dangerous because the LLM output is used to create PRs and comments.
• Fix: Separate user input from instructions (e.g., use delimiters or structured formats). Validate and sanitize user input before including it in prompts. Use a strict system prompt and constrain the output format. Consider restricting the allowed modifications to the LLM’s role (e.g., only generate a fix for a specific issue, never allow writing arbitrary content).

---

Vulnerability

• File: src/patchly/config.py (lines 13–14)
• Type: Path Traversal
• Severity: medium
• Description: PATCHLY_DIR and WORKSPACE are derived from environment variables without sanitization. If an attacker can set these (e.g., via GitHub Actions environment injection), the tool could write reports or temporary files outside the intended workspace, potentially overwriting system files or leaking data.
• Fix: Resolve paths with os.path.realpath() and verify that they start with an expected base directory. Prevent the use of .. or absolute paths. Lock PATCHLY_DIR to a relative path under WORKSPACE.

---

Vulnerability

• File: src/patchly/actions/comment.py (line 6), src/patchly/actions/issue_report.py (lines 15–16)
• Type: Stored Cross‑Site Scripting (XSS)
• Severity: medium
• Description: The LLM‑generated content (reviews, issue titles/bodies) is posted directly to GitHub issues/comments without sanitization. If the content includes HTML or JavaScript, it could execute in the browser of anyone viewing the issue/comment. Although GitHub has its own sanitization, the risk remains for older clients or if the API is called with raw HTML.
• Fix: Apply HTML‑escaping and markdown‑only formatting to all user‑facing content. Remove script tags and event handlers before posting. Consider using only plaintext when possible.

---

Vulnerability

• File: src/patchly/actions/auto_fix.py (lines 19–24), src/patchly/actions/pr_review.py (lines 14–20)
• Type: Information Disclosure (Secret Leakage via LLM)
• Severity: medium
• Description: Full file contents (up to 8000 characters) and diffs (up to 30 000 characters) are sent to an external LLM provider. If these contain secrets (e.g., API keys, passwords, tokens), they will be transmitted to and potentially stored by the third‑party LLM service.
• Fix: Scan file contents/diffs for patterns that match common secret formats (e.g., API_KEY=…, password=…) and redact them before sending. Use a local LLM (e.g., Ollama) to avoid data leaving the environment. Warn users about this risk in documentation.

---

Vulnerability

• File: src/patchly/config.py (line 27, api_key: str = "public")
• Type: Hardcoded Default Credential
• Severity: low
• Description: The default API key is set to the string "public". If left unchanged in production, an attacker could use this key to access the LLM service, potentially incurring costs or abusing the API.
• Fix: Remove the default key and enforce that a real (non‑placeholder) key must be provided via environment variable or configuration file. Validate that the key is not the default before sending requests.

---

Vulnerability

• File: src/patchly/actions/auto_fix.py (multiple httpx calls, e.g., lines 24, 38, 46)
• Type: Missing SSL/TLS Certificate Verification (potential)
• Severity: low
• Description: The code does not explicitly set verify=True on httpx requests. If the environment is configured to use a custom base URL (e.g., via config.api_base), the connection might be downgraded to HTTP or allow self‑signed certificates, enabling man‑in‑the‑middle attacks.
• Fix: Always pass verify=True (default) and do not allow insecure transport. For API requests, enforce HTTPS and pin certificates if possible. Set explicit timeouts for all requests.

---

Vulnerability

• File: src/patchly/__main__.py (line 11)
• Type: Insufficient Input Validation
• Severity: low
• Description: The --mode= argument is parsed without validation. While currently only used in an if-elif chain, if a future mode executes external commands (e.g., command mode), this could become an injection vector.
• Fix: Validate the mode against a list of allowed values (e.g., if mode not in {"review","scan","fix",…}: raise ValueError()). Reject unknown modes early.

---

Note: Several files (agent.py, config.py, context.py) are truncated in the provided source. The analysis above covers the visible code. Additional vulnerabilities may exist in the missing portions (e.g., command execution in _run_command, file writing in _write_report). A full review of the complete codebase is recommended.

Risk: high

## Vulnerability
- **File**: `src/patchly/agent.py` (function `_load_web_context`, approximate lines 91–120)
- **Type**: Server‑Side Request Forgery (SSRF)
- **Severity**: **high**
- **Description**: The agent extracts URLs from issue/comment bodies (which are user‑controlled) and fetches them using `fetch_safe()`. Without proper validation, an attacker can make the tool send requests to arbitrary internal or external hosts, potentially accessing cloud metadata endpoints, internal services, or exfiltrating data.
- **Fix**: Validate fetched URLs against an allowlist (e.g., only `github.com` or `raw.githubusercontent.com`). Block private IP ranges (RFC 1918). Disable automatic fetching of URLs by default, or require explicit user approval.

---

## Vulnerability
- **File**: `src/patchly/actions/auto_fix.py` (lines 15–36, especially `get_file_content(file_path)` and `httpx.put(…/contents/{file_path})`)
- **Type**: Insecure Direct Object Reference (IDOR) / Privilege Escalation
- **Severity**: **high**
- **Description**: The `file_path` parameter is directly used in GitHub API calls without validating whether the file should be modifiable by the current context. An attacker who can influence the analysis (e.g., by crafting an issue description or review comment) can cause the tool to read, modify, or commit arbitrary files in the repository, including sensitive configuration or workflow files.
- **Fix**: Restrict file operations to files that were part of the triggering event (e.g., files in the PR diff). Validate that the resolved path does not contain `..` or start with `/`, and belongs to the repository root. For modifications, require a scope check against the event payload.

---

## Vulnerability
- **File**: `src/patchly/actions/auto_fix.py` (lines 19–24), `src/patchly/actions/pr_review.py` (lines 14–20)
- **Type**: Prompt Injection / Missing Input Validation
- **Severity**: **high**
- **Description**: User‑supplied content (issue descriptions, file diffs, file paths) is directly interpolated into LLM prompts without sanitization. An attacker can craft input that overrides the system prompt, causing the LLM to generate malicious code, leak secrets, or perform unintended actions (e.g., commit arbitrary file content). This is especially dangerous because the LLM output is used to create PRs and comments.
- **Fix**: Separate user input from instructions (e.g., use delimiters or structured formats). Validate and sanitize user input before including it in prompts. Use a strict system prompt and constrain the output format. Consider restricting the allowed modifications to the LLM’s role (e.g., only generate a fix for a specific issue, never allow writing arbitrary content).

---

## Vulnerability
- **File**: `src/patchly/config.py` (lines 13–14)
- **Type**: Path Traversal
- **Severity**: **medium**
- **Description**: `PATCHLY_DIR` and `WORKSPACE` are derived from environment variables without sanitization. If an attacker can set these (e.g., via GitHub Actions environment injection), the tool could write reports or temporary files outside the intended workspace, potentially overwriting system files or leaking data.
- **Fix**: Resolve paths with `os.path.realpath()` and verify that they start with an expected base directory. Prevent the use of `..` or absolute paths. Lock `PATCHLY_DIR` to a relative path under `WORKSPACE`.

---

## Vulnerability
- **File**: `src/patchly/actions/comment.py` (line 6), `src/patchly/actions/issue_report.py` (lines 15–16)
- **Type**: Stored Cross‑Site Scripting (XSS)
- **Severity**: **medium**
- **Description**: The LLM‑generated content (reviews, issue titles/bodies) is posted directly to GitHub issues/comments without sanitization. If the content includes HTML or JavaScript, it could execute in the browser of anyone viewing the issue/comment. Although GitHub has its own sanitization, the risk remains for older clients or if the API is called with raw HTML.
- **Fix**: Apply HTML‑escaping and markdown‑only formatting to all user‑facing content. Remove script tags and event handlers before posting. Consider using only plaintext when possible.

---

## Vulnerability
- **File**: `src/patchly/actions/auto_fix.py` (lines 19–24), `src/patchly/actions/pr_review.py` (lines 14–20)
- **Type**: Information Disclosure (Secret Leakage via LLM)
- **Severity**: **medium**
- **Description**: Full file contents (up to 8000 characters) and diffs (up to 30 000 characters) are sent to an external LLM provider. If these contain secrets (e.g., API keys, passwords, tokens), they will be transmitted to and potentially stored by the third‑party LLM service.
- **Fix**: Scan file contents/diffs for patterns that match common secret formats (e.g., `API_KEY=…`, `password=…`) and redact them before sending. Use a local LLM (e.g., Ollama) to avoid data leaving the environment. Warn users about this risk in documentation.

---

## Vulnerability
- **File**: `src/patchly/config.py` (line 27, `api_key: str = "public"`)

[github-actions]

Batch fix PR: #56

This fix was included in a batch PR along with other changes.