What happened?
verifyPrAction in src/app/actions/mentor.ts (line 10) is the action that marks a PR as mentor verified and pays out review XP. It checks mentor.level < 2 globally (line 32), but it never checks whether the caller actually maintains the repo the target PR belongs to, the way every action in maintainer.ts scopes through listMaintainerRepos or assertMaintainerInstall. There is also no rateLimit() call anywhere in this file.
So any contributor who has reached level 2 can call verifyPrAction against a PR in a repo they have no relationship to at all, and repeat it across as many PRs as they want with no throttle, collecting HELP_REVIEW_BASE plus the mentor bonus XP each time.
Steps to Reproduce
- Reach level 2 as any user
- Call verifyPrAction with the id of a PR from a repo you don't maintain
- The PR gets marked mentor_verified and you receive XP, with no check that you had any business reviewing that PR
Expected Behavior
verifyPrAction should confirm the caller maintains the repo the PR belongs to before marking it verified, and should be rate limited like every other XP awarding action in the codebase.
Where does this occur?
API (mentor verification)
Additional Context
This is the same class of gap already fixed in maintainer.ts for the repo picker and queue actions, just never applied here. Probably the easiest fix is reusing listMaintainerRepos against pr.repo_full_name.
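As an added example (not the project's code), here is what the action looks like with both gaps closed: an ownership check against the caller's maintainer repos before the PR is marked verified, and a per-caller throttle in front of it. The helper names listMaintainerRepos and rateLimit, the record shapes, the XP constants and the in-memory state are all assumptions standing in for the real codebase; the data is constructed.

```typescript
// Added example, not the project's code. listMaintainerRepos, rateLimit, the
// record shapes and the XP values are assumptions; the state below is constructed.

type Pr = { id: string; repo_full_name: string; mentor_verified: boolean };
type Mentor = { id: string; level: number };
type Result = { ok: boolean; error?: string; xpAwarded?: number };

const HELP_REVIEW_BASE = 10; // assumed value
const MENTOR_BONUS = 5;      // assumed value

// Constructed in-memory state standing in for the database.
const prs = new Map<string, Pr>([
  ["pr-1", { id: "pr-1", repo_full_name: "octo/widgets", mentor_verified: false }],
  ["pr-2", { id: "pr-2", repo_full_name: "octo/widgets", mentor_verified: false }],
  ["pr-3", { id: "pr-3", repo_full_name: "acme/api", mentor_verified: false }],
]);
const mentors = new Map<string, Mentor>([
  ["alice", { id: "alice", level: 3 }], // maintains octo/widgets
  ["bob", { id: "bob", level: 2 }],     // level 2 but maintains nothing
  ["carol", { id: "carol", level: 1 }], // below the mentor threshold
]);
// Assumed shape: user -> repos they maintain.
const maintainerInstalls = new Map<string, string[]>([["alice", ["octo/widgets"]]]);
const xp = new Map<string, number>();

// Assumed helper mirroring the one in maintainer.ts: repos the caller maintains.
function listMaintainerRepos(userId: string): string[] {
  return maintainerInstalls.get(userId) ?? [];
}

// Fixed-window limiter keyed by caller. Every attempt counts, including rejected
// ones, so probing PR ids across repos is throttled too.
const WINDOW_MS = 60_000;
const MAX_CALLS_PER_WINDOW = 5;
const attempts = new Map<string, number[]>();
function rateLimit(userId: string, now: number): boolean {
  const recent = (attempts.get(userId) ?? []).filter((t) => now - t < WINDOW_MS);
  if (recent.length >= MAX_CALLS_PER_WINDOW) return false;
  recent.push(now);
  attempts.set(userId, recent);
  return true;
}

function verifyPrAction(callerId: string, prId: string, now: number = Date.now()): Result {
  if (!rateLimit(callerId, now)) return { ok: false, error: "rate_limited" };
  const mentor = mentors.get(callerId);
  if (!mentor || mentor.level < 2) return { ok: false, error: "insufficient_level" };
  const pr = prs.get(prId);
  if (!pr) return { ok: false, error: "not_found" };
  // The check the issue reports as missing: the caller must maintain the repo
  // the PR belongs to, not merely hold mentor level globally.
  if (!listMaintainerRepos(callerId).includes(pr.repo_full_name)) {
    return { ok: false, error: "forbidden" };
  }
  // Idempotency guard so an already verified PR cannot pay out twice.
  if (pr.mentor_verified) return { ok: false, error: "already_verified" };
  pr.mentor_verified = true;
  const award = HELP_REVIEW_BASE + MENTOR_BONUS;
  xp.set(callerId, (xp.get(callerId) ?? 0) + award);
  return { ok: true, xpAwarded: award };
}

function getXp(userId: string): number {
  return xp.get(userId) ?? 0;
}
```

The throttle runs before any lookup so that failed probes consume budget, and the ownership check runs before the verified flag is read so that a non-maintainer learns nothing about PRs in repos they cannot act on.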