Commit d6573c0
authored
fix(guard): pre-emptive write classification for set_variable, upload_release_asset, sync_fork (#2613)
Three CLI-reachable write operations lacked pre-emptive entries in
`WRITE_OPERATIONS`, meaning future MCP tools with these names would
bypass DIFC enforcement entirely.
## Changes
- **`guards/github-guard/rust-guard/src/tools.rs`**: Added three
pre-emptive entries to `WRITE_OPERATIONS`:
```rust
// Pre-emptive entries for anticipated future MCP tools (no equivalent tool today)
"set_variable", // gh variable set
"upload_release_asset", // gh release upload
"sync_fork", // gh repo sync
```
| Entry | CLI Command | REST Endpoint | Risk |
|---|---|---|---|
| `set_variable` | `gh variable set` | `PUT/PATCH .../actions/variables/{name}` | High — Actions variables can leak CI/CD secrets |
| `upload_release_asset` | `gh release upload` | `POST .../releases/{id}/assets` | Medium — distributes binaries through trusted release channel |
| `sync_fork` | `gh repo sync` | `POST .../merge-upstream` | Medium — merges upstream commits into fork, can introduce malicious code |
`set_variable` has no covering prefix pattern (only `set_secret` was
explicit); `upload_*` and `sync_*` prefixes are also unmatched. Follows
the same pre-emptive coverage pattern already used for
`archive_repository`, `transfer_issue`, `set_secret`, etc.
1 file changed
Lines changed: 3 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
43 | 43 | | |
44 | 44 | | |
45 | 45 | | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
46 | 49 | | |
47 | 50 | | |
48 | 51 | | |
| |||
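Review bot: The three additions at new lines 46-48 arrive with no accompanying test (1 file changed, 3 additions and 0 deletions), so a later edit to `WRITE_OPERATIONS` could drop them without anything failing. Add a unit test asserting that `set_variable`, `upload_release_asset` and `sync_fork` are each classified as writes. The entries also match by exact name only, and the description says no prefix pattern covers them, so a future tool that reaches the same endpoints under a different name would still go unclassified; say so in the comment above the entries, or cover the `upload_*` and `sync_*` families by prefix.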
0 commit comments
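The classification gap described in the commit message, as an added Rust sketch that is not the project's code. The prefix list, the read list, the fail-open default and the tool name `remove_variable` are assumptions made for illustration; only the six quoted operation names come from the page.

```rust
// Names taken from the commit message.
const WRITE_OPERATIONS: &[&str] = &["archive_repository", "transfer_issue", "set_secret"];
const PREEMPTIVE: &[&str] = &["set_variable", "upload_release_asset", "sync_fork"];
// Assumed for illustration: the real prefix patterns and read tools are not shown on the page.
const WRITE_PREFIXES: &[&str] = &["create_", "update_", "delete_"];
const READ_OPERATIONS: &[&str] = &["get_file_contents", "list_issues"];

#[derive(Debug, PartialEq)]
enum Class {
    Read,
    Write,
}

// `patched` toggles whether the three pre-emptive entries are present.
fn listed_as_write(tool: &str, patched: bool) -> bool {
    WRITE_OPERATIONS.contains(&tool)
        || (patched && PREEMPTIVE.contains(&tool))
        || WRITE_PREFIXES.iter().any(|p| tool.starts_with(p))
}

// Fail-open (assumed current behaviour): a name nobody listed is treated as a read,
// so write enforcement never runs for it.
fn classify_fail_open(tool: &str, patched: bool) -> Class {
    if listed_as_write(tool, patched) { Class::Write } else { Class::Read }
}

// Fail-closed alternative: only explicitly known reads skip write enforcement.
fn classify_fail_closed(tool: &str, patched: bool) -> Class {
    if !listed_as_write(tool, patched) && READ_OPERATIONS.contains(&tool) {
        Class::Read
    } else {
        Class::Write
    }
}

fn main() {
    // "remove_variable" is a hypothetical future tool name, not one from the page.
    for tool in PREEMPTIVE.iter().chain(["remove_variable", "list_issues"].iter()) {
        println!(
            "{:<22} before={:?} after={:?} fail_closed={:?}",
            tool,
            classify_fail_open(tool, false),
            classify_fail_open(tool, true),
            classify_fail_closed(tool, true)
        );
    }
}
```

Under the fail-open default each new write tool needs its own list entry, which is why the commit adds names ahead of the tools existing; the fail-closed variant inverts that so an unlisted name costs a false positive instead of a bypass.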