Add allowed domains from network config to sanitization environment variable #2138
Closed
- Create computeAllowedDomainsForSanitization helper function
- Combine default GitHub domains with network permissions
- Set GH_AW_ALLOWED_DOMAINS environment variable in compiled workflows
- Add comprehensive unit and integration tests
- Recompile all workflow lock files with new allowed domains

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add environment variable for allowed domains in URL validation" to "Add allowed domains from network config to sanitization environment variable" on Oct 22, 2025
pelikhan
reviewed
Oct 22, 2025
pkg/workflow/compiler.go
Outdated
| // by combining default GitHub domains with domains from network permissions | ||
| func computeAllowedDomainsForSanitization(data *WorkflowData) []string { | ||
| // Start with default GitHub-related domains that match the JavaScript defaults | ||
| defaultDomains := []string{ |
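Review bot: the comment above defaultDomains says this list has to match the JavaScript defaults, which leaves two hand-maintained copies of the same allowlist that can drift apart without any build failure. Take the list from one shared source, or add a test that fails when the Go and JavaScript defaults differ, so that a domain removed on one side cannot stay allowed on the other.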
Contributor
@copilot use existing default domains from network.go
Contributor
Author
Done. Moved the default GitHub domains to constants.DefaultSanitizationDomains in pkg/constants/constants.go and updated the compiler and tests to use this constant instead of hardcoding the domains. This centralizes the domain list for easier maintenance. (f7801f5)
- Move DefaultSanitizationDomains to pkg/constants/constants.go
- Update computeAllowedDomainsForSanitization to use constants.DefaultSanitizationDomains
- Update tests to use the constant instead of hardcoded arrays
- Simplifies maintenance and ensures consistency across codebase

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
pelikhan
reviewed
Oct 22, 2025
pkg/constants/constants.go
Outdated
|
|
||
| // DefaultSanitizationDomains defines the default GitHub-related domains | ||
| // that are always allowed in output sanitization | ||
| var DefaultSanitizationDomains = []string{ |
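Review bot: DefaultSanitizationDomains is declared as an exported package-level var holding a slice, so any package that imports constants can append to it or overwrite entries and silently widen the sanitization allowlist at run time. Keep the slice unexported and expose it through a function that returns a copy, and have the doc comment say that the list feeds output sanitization so it is not confused with other domain lists in the package.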
Contributor
- remove, use default domains in domains.go instead
- make sure these domains are in the default set
Contributor
Author
Done. Created github-sanitization ecosystem in ecosystem_domains.json and updated ComputeAllowedDomainsForSanitization to always include these domains. (10a09a3)
pkg/constants/constants.go
Outdated
| @@ -60,6 +60,17 @@ const DefaultMCPStartupTimeoutSeconds = 120 | |||
| // that are always allowed for Playwright browser automation | |||
| var DefaultAllowedDomains = []string{"localhost", "localhost:*", "127.0.0.1", "127.0.0.1:*"} | |||
pkg/workflow/compiler.go
Outdated
| // needsGitCommands checks if safe outputs configuration requires Git commands | ||
| // computeAllowedDomainsForSanitization computes the list of allowed domains for output sanitization | ||
| // by combining default GitHub domains with domains from network permissions | ||
| func computeAllowedDomainsForSanitization(data *WorkflowData) []string { |
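Review bot: the doc comment line for needsGitCommands now sits directly above the computeAllowedDomainsForSanitization comment, so it reads as the first line of the new function's documentation and needsGitCommands is left without its own. Place the new function after needsGitCommands, or before its comment, so each comment stays attached to the function it describes.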
- Add github-sanitization ecosystem to ecosystem_domains.json
- Add playwright-localhost ecosystem to ecosystem_domains.json
- Move ComputeAllowedDomainsForSanitization from compiler.go to domains.go
- Remove DefaultSanitizationDomains and DefaultAllowedDomains from constants.go
- Update all references to use ecosystem domains instead
- Sanitization always includes github-sanitization domains plus network permissions

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ariable Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Problem
The sanitize_output.cjs JavaScript file has hardcoded default allowed domains, but it should receive the combined set of:
- network frontmatter configuration

Solution
This PR provides allowed domains to the JavaScript sanitization code via the GH_AW_ALLOWED_DOMAINS environment variable by combining default GitHub domains with network permission domains.

Implementation
Domain Management in Ecosystem System:
- github-sanitization ecosystem in ecosystem_domains.json containing default GitHub domains (github.com, github.io, githubusercontent.com, githubassets.com, github.dev, codespaces.new)
- playwright-localhost ecosystem in ecosystem_domains.json for localhost domains
- ComputeAllowedDomainsForSanitization function to domains.go to centralize domain management
- constants.go - all domain lists now managed through the ecosystem system

Workflow Compilation:
- GH_AW_ALLOWED_DOMAINS environment variable in generated workflows

How It Works:
- ComputeAllowedDomainsForSanitization() retrieves domains from network permissions using GetAllowedDomains()
- github-sanitization ecosystem
- GH_AW_ALLOWED_DOMAINS

Example
For a workflow with:
The compiled workflow includes:
This provides:

Testing

Benefits
- ecosystem_domains.json
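The merge described under "How It Works", as an added Go example that is not code from this pull request or the project: it combines the six default domains listed above with a workflow's network domains and goes one step further to show a host check on the consuming side. The function names, the comma-separated format of GH_AW_ALLOWED_DOMAINS and the subdomain matching rule are assumptions, and the input domains are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Defaults the PR description lists for the github-sanitization ecosystem.
var githubSanitizationDomains = []string{
	"github.com", "github.io", "githubusercontent.com",
	"githubassets.com", "github.dev", "codespaces.new",
}

// mergeAllowedDomains (hypothetical name) normalizes, de-duplicates and sorts defaults plus network domains.
func mergeAllowedDomains(networkDomains []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, d := range append(append([]string{}, githubSanitizationDomains...), networkDomains...) {
		d = strings.ToLower(strings.TrimSpace(d))
		if d == "" || seen[d] {
			continue
		}
		seen[d] = true
		out = append(out, d)
	}
	sort.Strings(out) // stable order keeps recompiled lock files free of spurious diffs
	return out
}

// envValue renders the list for GH_AW_ALLOWED_DOMAINS.
// The comma separator is an assumption; the page does not show the format.
func envValue(domains []string) string { return strings.Join(domains, ",") }

// hostAllowed (assumed rule) accepts an exact match or a subdomain, compared on a label boundary.
func hostAllowed(host string, allowed []string) bool {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	for _, d := range allowed {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

func main() {
	allowed := mergeAllowedDomains([]string{"Example.com", " api.example.org "}) // constructed input
	fmt.Println("GH_AW_ALLOWED_DOMAINS="+envValue(allowed), hostAllowed("evilgithub.com", allowed))
}
```

Comparing on the "." boundary is what keeps a look-alike such as evilgithub.com, or a host that merely starts with an allowed name, from passing the check.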