fix(miner): sanitize discover summary titles#4485
Conversation
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
gittensory-ui | 6628ae8 | Commit Preview URL Branch Preview URL |
Jul 10 2026, 07:01 AM |
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4485 +/- ##
=======================================
Coverage 94.12% 94.12%
=======================================
Files 430 430
Lines 38181 38181
Branches 13922 13922
=======================================
Hits 35939 35939
Misses 1585 1585
Partials 657 657 🚀 New features to boost your workflow:
|
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-10 07:17:35 UTC
⏸️ Suggested Action - Manual Review
Review summary Nits — 4 non-blocking
Concerns raised — review before merging
Review context
Contributor next steps
Signal definitions
🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
Motivation
discoversummary interpolated raw GitHub issue titles into terminal output, allowing attacker-controlled ANSI/OSC/control/bidi sequences and newlines to manipulate terminal display; the renderer must sanitize titles before printing.Description
sanitizeDiscoverDisplayTexttopackages/gittensory-miner/lib/discover-cli.jsto strip OSC/ANSI escape sequences, C0/C1 control characters, and bidi controls, collapse whitespace, trim, and bound displayed titles to 240 characters.renderDiscoverSummarywhen rendering top-candidates so the default human-readable output is safe while leaving JSON output unchanged.packages/gittensory-miner/lib/discover-cli.d.tsfor typed consumers.test/unit/miner-discover-cli.test.tsthat verify stripping of terminal control sequences, bounding of display length, and nullish handling.Testing
npm run build:minerandnpx vitest run test/unit/miner-discover-cli.test.ts, and the unit test suite for the updated file passed (all tests green).npm run typecheckandnpm run command-reference:check, both completed successfully with no type or command-reference errors.npm run test:ciandnpm audit --audit-level=moderate, but the fulltest:cirun was blocked/impeded by environment/network-dependent setup (actionlint fallback and a pre-existingcf-typegendrift) and the registry audit endpoint returned403, so those checks could not be completed in this environment.Codex Task