Skip to content

fix(review): canonicalize calibration login lookup#5206

Merged
JSONbored merged 1 commit into
mainfrom
codex/fix-login-casing-vulnerability
Jul 12, 2026
Merged

fix(review): canonicalize calibration login lookup#5206
JSONbored merged 1 commit into
mainfrom
codex/fix-login-casing-vulnerability

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • Prevent leakage and bypass of a private contributor calibration signal caused by case-sensitive ledger lookups that could be inferred by calling with login casing variants.

Description

  • Canonicalize the requested GitHub login in computeContributorCalibration by trimming and lower-casing the input and querying with WHERE lower(login) = ? so all case variants map to the same ledger history (src/review/predicted-gate-calibration-ledger.ts).
  • Add a regression test that seeds mixed-case ledger rows and verifies mixed-case caller inputs resolve to the same aggregate calibration signal (test/unit/predicted-gate-calibration-ledger.test.ts).
  • Regenerate Cloudflare worker runtime types after the local cf-typegen drift check reported stale output (worker-configuration.d.ts).

Testing

  • Ran npx vitest run test/unit/predicted-gate-calibration-ledger.test.ts, which passed (24 tests).
  • Ran npm run cf-typegen:check and regenerated worker-configuration.d.ts, and the cf-typegen check passed after regeneration.
  • Ran npm run typecheck, which failed due to unrelated existing type errors elsewhere in the tree (not introduced by this change), preventing a full npm run test:ci green run in this environment.
  • Note: npm audit --audit-level=moderate returned a registry error (403) in this environment and did not complete.

Codex Task

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.34%. Comparing base (b81e00c) to head (7063d30).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5206   +/-   ##
=======================================
  Coverage   94.34%   94.34%           
=======================================
  Files         473      473           
  Lines       39973    39974    +1     
  Branches    14573    14573           
=======================================
+ Hits        37712    37713    +1     
  Misses       1585     1585           
  Partials      676      676           
Flag Coverage Δ
shard-1 46.34% <100.00%> (-0.13%) ⬇️
shard-2 34.41% <0.00%> (-0.14%) ⬇️
shard-3 30.80% <100.00%> (-0.15%) ⬇️
shard-4 33.29% <100.00%> (-0.02%) ⬇️
shard-5 33.52% <0.00%> (-0.17%) ⬇️
shard-6 45.17% <100.00%> (+0.30%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
src/review/predicted-gate-calibration-ledger.ts 100.00% <100.00%> (ø)
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 12, 2026
@loopover-orb

loopover-orb Bot commented Jul 12, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-12 09:52:15 UTC

2 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI green · unstable

⏸️ Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

Review summary
The core fix is correct and narrowly scoped: computeContributorCalibration now trims and lower-cases the caller-supplied login and matches ledger rows with `lower(login) = ?`, so `OctoCat`/`octocat`/`OCTOCAT` all resolve to the same aggregate calibration signal instead of being split (or selectively queried) by casing. The new test seeds three case variants plus a distinct login and asserts the aggregate lands on the expected {sampleSize: 3, agreementRate: 1/3}, which is a real regression test for the fixed behavior, not a fabricated scenario. worker-configuration.d.ts is a routine `wrangler types` regeneration and is not hand-authored logic.

Blockers

  • The PR description does not link or reference an open issue for this fix; per this repo's contribution policy, external PRs must close or clearly link an eligible open issue before being treated as merge-ready.
  • PR metadata: you need to close or clearly link the eligible open issue that authorized this calibration lookup fix; add a `Closes #NNNN` / `Fixes #NNNN` line or explain the maintainer-authorized issue before this can be treated as merge-ready.
Nits — 5 non-blocking
  • predicted-gate-calibration-ledger.ts: `WHERE lower(login) = ?` prevents any index on `login` from being used for this query; if the ledger grows large, consider a generated/functional index on `lower(login)` or storing a pre-normalized `login_lower` column.
  • The write path in `recordPredictedGateCalibration` still stores/dedupes on the trimmed-but-not-lowercased `login` (e.g. in the `calibration:${login}:...` id and the `predicted_gate_calls` lookup), so case-variant callers can still create separate ledger rows on write even though reads now unify them — worth a follow-up for full consistency, though out of scope for this specific read-side fix.
  • worker-configuration.d.ts changes are unreviewable generated output; fine to trust given the stated `cf-typegen:check` regeneration step, but worth double-checking the diff wasn't hand-edited anywhere.
  • Link this PR to the tracking issue for the case-sensitivity leak so the fix has a documented origin.
  • Consider normalizing `login` to lowercase at write time too (or adding a computed column) so ledger rows themselves are canonical, not just the read query.

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 45 registered-repo PR(s), 37 merged, 409 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 45 PR(s), 409 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ✅ Minor risk: clean · value: minor — Code changes are accompanied by test evidence.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 45 PR(s), 409 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@loopover-orb loopover-orb Bot added the manual-review Gittensor contributor context label Jul 12, 2026
@JSONbored
JSONbored force-pushed the codex/fix-login-casing-vulnerability branch from 7e1f312 to 7063d30 Compare July 12, 2026 09:46
@JSONbored
JSONbored merged commit 0dcbf81 into main Jul 12, 2026
18 checks passed
@JSONbored
JSONbored deleted the codex/fix-login-casing-vulnerability branch July 12, 2026 09:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant