Don't allow someone with commits in a PR to approve

We have our repo set up so all PRs must be approved by another engineer before they can be merged to main/master. You can not approve a PR that you have created. We rely on this to stop a single engineer getting code into production without someone else checking it.

But there is a (possible) security hole. A bad actor (eg disgruntled employee) could find a PR that is already open, revert the original changes, commit malicious code, then approve it and merge it.

Is there any way to stop someone from approving a PR if they have any commits in that PR?

Thanks

The issue is, the malicious person can commit code as someone else. You can try this yourself by changing your user.name and user.email config settings and making a commit. If they did this, any special mechanism you had setup to check for authors/committers would be foiled.

In theory if you had everyone GPG sign their commits and somehow checked for this too, it wouldn’t be an issue, but most people don’t GPG sign commits.


What I’d suggest is requiring approval from 2 seperate people with write+ access to the repository if you have enough people to enforce this.

2 Likes

Thanks for your reply! That’s interesting. I hadn’t considered that github has no way to verify whether the listed committer was actually the committer without people signing commits.

I wonder if you could say a user who has pushed to the PR can’t approve it. Surely Github knows who has pushed to a branch (you need to auth for that)