Add path validation and logging to template rendering JavaScript #16137
Conversation
- Created path_helpers.cjs with secure path validation functions
- Updated render_template.cjs with path validation and detailed logging
- Updated interpolate_prompt.cjs with path validation and logging
- Updated substitute_placeholders.cjs with path validation and logging
- Updated file_helpers.cjs to use safeJoin and add logging
- Enhanced runtime_import.cjs with comprehensive logging
- Added comprehensive tests for path_helpers module
- Fixed test mocks to support new logging calls

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
🧪 Smoke Temporary ID is now testing temporary ID functionality...

🧪 Smoke Project is now testing project operations...

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

❌ Smoke Copilot SDK failed. Please review the logs for details.

❌ Smoke Temporary ID encountered failures. Check the logs for details.

❌ Smoke Project encountered failures. Check the logs for details.

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...
@copilot fix compilation issue. Make sure the code is meant to run in actions/github-script See https://github.com/github/gh-aw/actions/runs/22069956599/job/63771664130#step:34:1

- Add typeof core !== "undefined" checks before using core methods
- Prevents ReferenceError when core is not available globally
- Follows pattern used in other modules like sanitize_content.cjs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Fixed in commit 29e4202. Added
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

🧪 Smoke Project is now testing project operations...

🧪 Smoke Temporary ID is now testing temporary ID functionality...

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

❌ Smoke Copilot SDK failed. Please review the logs for details.

❌ Smoke Temporary ID encountered failures. Check the logs for details.

❌ Smoke Project encountered failures. Check the logs for details.

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...
@copilot the global object are not setup in substitute step https://github.com/github/gh-aw/actions/runs/22069956599/job/63771664130#step:34:1

- Fixed substitute_placeholders.cjs to check for core availability
- Fixed render_template.cjs to check for core availability
- Fixed interpolate_prompt.cjs to check for core availability
- Fixed file_helpers.cjs to check for core availability
- Fixed runtime_import.cjs to check for core availability
- All logging calls now wrapped with typeof core !== "undefined"
- Ensures compatibility when core global is not yet initialized

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Fixed in commit 9280171. Added
All logging calls are now wrapped to ensure compatibility when
|
@copilot revert previous commit and setup globals in the generate step code like all the other GitHub script steps |
Security Review: Template Rendering JavaScript Code

Analysis Complete ✅

Reviewed template rendering code in actions/setup/js/ for security issues related to file path handling.

Security Issues Identified ✅
- GH_AW_PROMPT env var before fs operations
- GH_AW_PROMPT env var before fs operations
- file parameter before fs operations
- path.join() without normalizing paths, potential directory traversal

Fixes Implemented ✅
- path_helpers.cjs with comprehensive path validation helpers:
  - validateAndNormalizePath() - Validates and normalizes file paths
  - validatePathWithinBase() - Ensures paths stay within base directory
  - validateDirectory() - Validates directory existence and type
  - safeJoin() - Safely joins and normalizes path segments
- typeof core !== "undefined" checks to ALL modified files

Security Features

Path Validation:
- path.normalize() and path.resolve()

Logging:
- (when core is available)
- [moduleName] prefixes
- typeof core !== "undefined" checks

Testing