fix: Issue 33050 claude workflow security (#420)

sfreudenthaler · claude · web-flow · commit 19a08fded2a9 · 2025-09-26T22:29:21.000-04:00
fixes false negative for private members

---------

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/.github/actions/security/org-membership-check/README.md b/.github/actions/security/org-membership-check/README.md
@@ -37,7 +37,20 @@ This composite action checks if a GitHub user is a member of the dotCMS organiza
 
 ## Implementation Details
 
-The action uses the GitHub CLI (`gh`) with the repository's `GITHUB_TOKEN` to check organization membership. It first attempts to check public membership, and if that fails, it attempts to check private membership (which requires appropriate permissions in organization repositories).
+The action uses the GitHub CLI (`gh`) with the repository's `GITHUB_TOKEN` to check organization membership via the GitHub API endpoint `GET /orgs/dotCMS/members/{username}`.
+
+**Key Design Decision: Status Code vs Response Body**
+
+The action relies on HTTP status codes rather than parsing response content because:
+
+- **HTTP 200 (Success)**: User is a member of the organization
+  - Public members: API returns user object with populated fields
+  - Private members: API returns empty response body (but still 200 OK)
+
+- **HTTP 404 (Not Found)**: User is not a member of the organization
+  - Returns error object with "Not Found" message
+
+This approach correctly authorizes all organization members (including owners with private membership) without needing to handle different response formats or visibility settings.
 
 ## Security Considerations
 
diff --git a/.github/actions/security/org-membership-check/action.yml b/.github/actions/security/org-membership-check/action.yml
@@ -28,34 +28,39 @@ runs:
 
         set +e  # Don't exit on error, we want to handle it gracefully
 
-        # Check public membership first
-        gh api orgs/dotCMS/members/${{ inputs.username }} \
-          --jq '.login' 2>/dev/null
+        # Check organization membership using GitHub API
+        #
+        # IMPORTANT: We check the HTTP status code (via exit code) rather than parsing
+        # the response body because GitHub's membership API has specific behavior:
+        #
+        # HTTP 200 (exit code 0) = User IS a member (regardless of response content)
+        #   - Public member: Returns user object with populated fields
+        #   - Private member: Returns empty response body (but still 200 OK)
+        #
+        # HTTP 404 (exit code 1) = User is NOT a member
+        #   - Returns {"message":"Not Found",...} error response
+        #
+        # This approach correctly handles both public and private organization members
+        # without needing to distinguish between their visibility settings.
 
-        exit_code=$?
+        response=$(gh api orgs/dotCMS/members/${{ inputs.username }} 2>/dev/null)
+        api_exit_code=$?
 
-        if [ $exit_code -eq 0 ]; then
-          echo "✅ User ${{ inputs.username }} is a member of dotCMS"
+        if [ $api_exit_code -eq 0 ]; then
+          # HTTP 200: User is a member (public or private)
+          # We check response content only for logging clarity, not authorization logic
+          if [ -n "$response" ]; then
+            echo "✅ User ${{ inputs.username }} is a member of dotCMS (public membership)"
+          else
+            echo "✅ User ${{ inputs.username }} is a member of dotCMS (private membership)"
+          fi
           echo "is_member=true" >> $GITHUB_OUTPUT
           echo "membership_status=member" >> $GITHUB_OUTPUT
         else
-          # If public membership check fails, try to check private membership
-          # This requires higher permissions but will work in organization repos
-          gh api orgs/dotCMS/members/${{ inputs.username }} \
-            --method GET \
-            --header "Accept: application/vnd.github.v3+json" 2>/dev/null
-
-          private_exit_code=$?
-
-          if [ $private_exit_code -eq 0 ]; then
-            echo "✅ User ${{ inputs.username }} is a member of dotCMS"
-            echo "is_member=true" >> $GITHUB_OUTPUT
-            echo "membership_status=member" >> $GITHUB_OUTPUT
-          else
-            echo "❌ User ${{ inputs.username }} is not a member of dotCMS"
-            echo "is_member=false" >> $GITHUB_OUTPUT
-            echo "membership_status=non-member" >> $GITHUB_OUTPUT
-          fi
+          # HTTP 404 or other error: User is not a member
+          echo "❌ User ${{ inputs.username }} is not a member of dotCMS (API exit code: $api_exit_code)"
+          echo "is_member=false" >> $GITHUB_OUTPUT
+          echo "membership_status=non-member" >> $GITHUB_OUTPUT
         fi
 
         # Log the result for debugging (without leaking membership details)
