Skip to content

fix(enrichment): sanitize brief code spans#1535

Merged
JSONbored merged 3 commits into
mainfrom
codex/fix-unescaped-pr-paths-vulnerability
Jun 27, 2026
Merged

fix(enrichment): sanitize brief code spans#1535
JSONbored merged 3 commits into
mainfrom
codex/fix-unescaped-pr-paths-vulnerability

Conversation

@JSONbored

@JSONbored JSONbored commented Jun 26, 2026

Copy link
Copy Markdown
Owner

Motivation

  • Close a Markdown/prompt-injection vector where unescaped PR file paths could break out of code spans in the EXTERNAL REVIEW BRIEF and inject arbitrary trusted content.

Description

  • Add a safeCodeSpan helper that replaces backticks and control characters before embedding values inside Markdown code spans and a small replacement map; implemented in review-enrichment/src/render.ts.
  • Use safeCodeSpan when rendering secret findings and unpinned-action findings so attacker-controlled file / action@ref strings cannot terminate code spans or introduce newlines/headers.
  • Add a regression test that constructs a malicious-looking file path (containing a backtick and newlines) and asserts the brief does not contain the forged heading while still citing the sanitized path.

Testing

  • Ran the enrichment package unit suite with cd review-enrichment && npm test; all tests passed (24 tests, 0 failures).
  • Ran git diff --check to ensure no whitespace/conflict markers (no issues reported).
  • Attempted npm audit --audit-level=moderate, but the registry returned 403 Forbidden so the audit step could not complete in this environment.

Codex Task

@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jun 26, 2026
@superagent-security

superagent-security Bot commented Jun 26, 2026

Copy link
Copy Markdown

Superagent didn't find any vulnerabilities or security issues in this PR.

@JSONbored JSONbored self-assigned this Jun 26, 2026
@JSONbored JSONbored added the gittensor:bug Gittensor-scored bug fix - worth 0.5x multiplier. label Jun 26, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 26, 2026
edited
Loading

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 gittensory-ui 12d00c5 Commit Preview URL

Branch Preview URL		 Jun 26 2026, 09:12 PM

@gittensory-orb

gittensory-orb Bot commented Jun 27, 2026
edited
Loading

Copy link
Copy Markdown

Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review — safe to merge

2 files · 1 AI reviewers · no blockers · readiness 48/100 · CI green · blocked

✅ Approved — safe to merge

Signal Result Evidence
Code review ✅ No blockers 1 reviewers, synthesized
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ⚠️ 3 scoped overlaps Top overlaps are listed below; lower-confidence bulk is hidden.
Review load ❌ 8/20 Readiness component derived from cached public PR metadata and labels; size label size:S.
Validation evidence ❌ 5/25 Cached preflight status is hold.
Open PR queue ❌ 3/10 48 open PR(s), 9 likely reviewable, 39 unlinked.
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 81 PR(s), 261 issue(s).
Gate result ✅ Passing No configured blocker found.
Nits — 2 non-blocking
  • Repository config was not parsed
  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 81 PR(s), 261 issue(s).
  • Related work: Titles/paths share 6 meaningful terms. (PR #1537)
  • Related work: Titles/paths share 6 meaningful terms. (PR #1542)
  • Related work: Titles/paths share 6 meaningful terms. (PR #1545)
  • Additional title-only matches omitted; title-only overlap does not block.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Review top overlaps.
  • Add scope summary.
  • Fix blocker.
  • Expect slower review.
  • Refresh registry data or choose a registered active repo.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
  • Open PR queue = repo-wide review pressure; it is not a PR quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed

💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added the gittensor Gittensor contributor context label Jun 27, 2026
This was referenced Jun 27, 2026
Open
Open
Open
Open
Open
Merged
@JSONbored JSONbored merged commit 6ffc2d0 into main Jun 27, 2026
15 checks passed
@JSONbored JSONbored deleted the codex/fix-unescaped-pr-paths-vulnerability branch June 27, 2026 00:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@JSONbored JSONbored

Labels

aardvark codex gittensor:bug Gittensor-scored bug fix - worth 0.5x multiplier. gittensor Gittensor contributor context size:S This PR changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JSONbored