fix(enrichment): harden install-script package rendering

[JSONbored]

Motivation

• The install-script analyzer accepted arbitrary package keys and built a registry URL without fully validating or encoding the name, and then rendered the original key verbatim into the external review brief, which allowed prompt-injection via characters like # or backticks.

Description

• Add npm package-name and semver validation using NPM_PACKAGE_RE and SEMVER_RE and skip changes that do not validate to avoid fetching/recording attacker-controlled keys (file: review-enrichment/src/analyzers/install-scripts.ts).
• Encode the full package name with encodeURIComponent when fetching the registry packument so fragments and query delimiters cannot alias a different package (file: review-enrichment/src/analyzers/install-scripts.ts).
• Add a promptText helper that escapes control and Markdown characters and apply it to rendered brief fields so findings are safe to include in the EXTERNAL REVIEW BRIEF (file: review-enrichment/src/render.ts).
• Add regression unit tests that cover malicious package keys, scoped package URL encoding, invalid/unsupported versions, and escaping of install-script brief output (file: review-enrichment/test/enrichment.test.ts).

Testing

• Ran the TypeScript build with npm --prefix review-enrichment run build and it completed successfully.
• Ran the package's unit tests with npm --prefix review-enrichment test and all tests passed (31 passed, 0 failed).
• Attempted the full local CI via npm run test:ci, but the run could not complete due to external/setup issues: actionlint network setup retried and a repository migration-number conflict (duplicate 0074) stopped the CI job (automated failure unrelated to these code changes).
• Ran npm audit --audit-level=moderate, which failed due to the npm audit endpoint returning 403 Forbidden, blocking the dependency-audit step (automated failure external to the patch).

---

Codex Task

[superagent-security]

Superagent didn't find any vulnerabilities or security issues in this PR.

[gittensory-orb]

Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review — safe to merge

3 files · 1 AI reviewers · no blockers · readiness 48/100 · CI green · unknown

✅ Approved — safe to merge

Review summary
This PR closes a prompt-injection path in the install-script enrichment path by (1) gating every registry fetch behind an allowlist regex for npm package names and a strict semver regex, so attacker-controlled keys never reach the network; (2) replacing the narrow single-slash percent-encoding with encodeURIComponent so fragment and query delimiters in any surviving name cannot alias a different registry endpoint; and (3) adding promptText in render.ts to strip control characters and escape Markdown metacharacters before the install-script block is spliced into the EXTERNAL REVIEW BRIEF. The validation, encoding, and escaping are each individually correct, and the tests exercise the injection payloads, the URL-encoding expectation for scoped packages, and the escape round-trip directly.

Nits (5)

• Other renderBrief sections in render.ts — dependency, secret, license, actionPin, eol — render potentially user-controlled strings (package names from PR diffs, file paths, CVE summaries from OSV.dev) verbatim without promptText; if those analyzers do not validate upstream they share the same injection surface this PR fixes.
• dep.publishedAt.slice(0, 10) is interpolated into the same output line without promptText (render.ts ~line 78); low-risk in practice because npm registry dates are ISO strings, but inconsistent with the surrounding defense-in-depth applied to package, version, and hooks in the same loop.
• The updated test regex /`evil@​1\\.0\\.0`.../ uses . (any-char wildcard) immediately after each escaped backslash rather than \\. (literal dot), so it would also accept '1\X0\Y0'; harmless here but slightly imprecise for a test whose purpose is to confirm that dots get escaped.
• Apply promptText to cve.summary (and dep.package / dep.to) in the dependency block of render.ts — CVE summaries are external OSV.dev data and could contain Markdown that alters how the LLM interprets the brief.
• Extract NPM_PACKAGE_RE to a shared validation utility so future npm-touching analyzers don't duplicate the pattern and accidentally diverge on the allowed character set.

Signal	Result	Evidence
Code review	✅ No blockers	1 reviewers, synthesized
Linked issue	⚠️ Missing	No linked issue or no-issue rationale found.
Related work	⚠️ 3 scoped overlaps	Top overlaps are listed below; lower-confidence bulk is hidden.
Review load	❌ 8/20	Readiness component derived from cached public PR metadata and labels; size label size:S.
Validation evidence	❌ 5/25	Cached preflight status is hold.
Open PR queue	❌ 3/10	26 open PR(s), 9 likely reviewable, 17 unlinked.
Contributor context	✅ Confirmed Gittensor contributor	JSONbored; Gittensor profile; 81 PR(s), 297 issue(s).
Gate result	✅ Passing	No configured blocker found.

Nits — 2 non-blocking

• Repository config was not parsed
• No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.

Review context

• Author: JSONbored
• Role context: owner (maintainer lane)
• Public audience mode: oss maintainer
• Lane context: Repository registration is not available in the local Gittensory cache.
• Public profile languages: not available
• Official Gittensor activity: 81 PR(s), 297 issue(s).
• Related work: Titles/paths share 6 meaningful terms. (PR #1537)
• Related work: Titles/paths share 6 meaningful terms. (PR #1546)
• Related work: Titles/paths share 6 meaningful terms. (PR #1554)
• Additional title-only matches omitted; title-only overlap does not block.

Contributor next steps

• Treat this as maintainer-lane context rather than normal contributor-lane activity.
• Explain no-issue PR.
• Review top overlaps.
• Add scope summary.
• Fix blocker.
• Expect slower review.
• Refresh registry data or choose a registered active repo.
• Link the issue being solved, or explicitly explain why this is a no-issue PR.
• Check active issues and PRs before submitting.

Signal definitions

• Related work = same linked issue, overlapping active PRs, or title/path similarity.
• Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
• Open PR queue = repo-wide review pressure; it is not a PR quality failure.
• Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

Review details

Generated from public PR metadata and the diff. Advisory only; deterministic signals remain authoritative.

This PR closes a prompt-injection path in the install-script enrichment path by (1) gating every registry fetch behind an allowlist regex for npm package names and a strict semver regex, so attacker-controlled keys never reach the network; (2) replacing the narrow single-slash percent-encoding with encodeURIComponent so fragment and query delimiters in any surviving name cannot alias a different registry endpoint; and (3) adding promptText in render.ts to strip control characters and escape Markdown metacharacters before the install-script block is spliced into the EXTERNAL REVIEW BRIEF. The validation, encoding, and escaping are each individually correct, and the tests exercise the injection payloads, the URL-encoding expectation for scoped packages, and the escape round-trip directly.

Nits (5)

• Other renderBrief sections in render.ts — dependency, secret, license, actionPin, eol — render potentially user-controlled strings (package names from PR diffs, file paths, CVE summaries from OSV.dev) verbatim without promptText; if those analyzers do not validate upstream they share the same injection surface this PR fixes.
• dep.publishedAt.slice(0, 10) is interpolated into the same output line without promptText (render.ts ~line 78); low-risk in practice because npm registry dates are ISO strings, but inconsistent with the surrounding defense-in-depth applied to package, version, and hooks in the same loop.
• The updated test regex /`evil@​1\\.0\\.0`.../ uses . (any-char wildcard) immediately after each escaped backslash rather than \\. (literal dot), so it would also accept '1\X0\Y0'; harmless here but slightly imprecise for a test whose purpose is to confirm that dots get escaped.
• Apply promptText to cve.summary (and dep.package / dep.to) in the dependency block of render.ts — CVE summaries are external OSV.dev data and could contain Markdown that alters how the LLM interprets the brief.
• Extract NPM_PACKAGE_RE to a shared validation utility so future npm-touching analyzers don't duplicate the pattern and accidentally diverge on the allowed character set.

_{🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed}

---

💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

• Re-run Gittensory review