Skip to content

fix(config_file): refuse breaklines in config dict#169

Merged
mdevolde merged 1 commit into
jxmorris12:masterfrom
mdevolde:fix/config_breakline
May 14, 2026
Merged

fix(config_file): refuse breaklines in config dict#169
mdevolde merged 1 commit into
jxmorris12:masterfrom
mdevolde:fix/config_breakline

Conversation

@mdevolde
Copy link
Copy Markdown
Collaborator

@mdevolde mdevolde commented May 14, 2026

fix(config_file): refuse breaklines in config dict

Why the pull request was made

To avoid that, if a part of the config come from an untrusted source, a config value could break a line and insert other config params.

Summary of changes

  • Check line breaks in config values and refuse them.

Screenshots (if appropriate):

Not applicable.

How has this been tested?

Applied local tests (inlcuding new ones about our issue).

Resources

Not applicable.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update (changes to documentation only)
  • Refactor / code style update (non-breaking change that improves code structure or readability)
  • Tests / CI improvement (adding or updating tests or CI configuration only)
  • Other (please describe):

Checklist

  • Followed the project's contributing guidelines.
  • Updated any relevant tests.
  • Updated any relevant documentation.
  • Added comments to your code where necessary.
  • Formatted your code, run the linters, checked types and tests.

@mdevolde mdevolde self-assigned this May 14, 2026
@mdevolde mdevolde requested a review from Copilot May 14, 2026 21:55
Copilot AI reviewed May 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens LanguageTool local server config serialization by rejecting CR/LF characters that could escape the generated one-option-per-line config file format.

Changes:

  • Adds a helper to reject \n and \r in config keys and encoded values.
  • Applies the validation across language-specific options, path options, and schema-backed options.
  • Adds parametrized tests for newline injection attempts in keys, scalar values, and list values.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
language_tool_python/config_file.py Adds CR/LF validation during config encoding before temporary config file creation.
tests/test_config.py Adds regression coverage for line-break injection in config serialization.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread language_tool_python/config_file.py
@mdevolde mdevolde force-pushed the fix/config_breakline branch from 51bdf34 to b70d708 Compare May 14, 2026 22:02
@mdevolde mdevolde merged commit eff9bbb into jxmorris12:master May 14, 2026
8 checks passed
@mdevolde mdevolde deleted the fix/config_breakline branch May 14, 2026 22:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@mdevolde mdevolde

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mdevolde