Dev #1578
Annotations from the provided diff:
Linter: no-fix-mes
Linter: grumpy-dev (sarcastic, grumpy breakdown of the changes)
Linter: diagrams. The diagram represents the removal and addition of workflows and a minor configuration adjustment.
graph TD
A[.github/workflows/genai-blog-post.yml] -->|Removed| X[No Build Logic]
Linter: diagrams. Here is a corrected mermaid diagram for the changes:
graph TD
A[.github/workflows/genai-blog-post.yml] -->|Removed| X[No Build Logic]
B[.github/workflows/custom-action.yml] -->|Added| C[Custom Workflow Logic]
D[docs/astro.config.mjs] -->|Updated| E[Astro Configuration]
F[docs/package.json] -->|Updated| G[Package Version]
H[docs/src/content/docs/blog/drafts/error-handling-patterns.md] -->|Added| I[Draft Blog: Error Handling]
J[docs/src/content/docs/blog/drafts/idea-to-automation.md] -->|Added| K[Draft Blog: Idea to Automation]
- Added INPUT_GITHUB_TOKEN fallback for GITHUB_TOKEN detection.
- Enhanced event issue/pull_request resolution logic in GitHub client.
* ✨ feat: enhance input file handling from environment variables in run script
* parse models from input_
* docs
* refactor: comment out unused test for gist in run tests
// Regular expression for matching GitHub Flavored Markdown style warnings. | ||
// Example: > [!WARNING] | ||
// > This is a warning message. | ||
const GITHUB_MARKDOWN_WARNINGS_RX = | ||
/^\s*>\s*\[!(?<severity>NOTE|TIP|IMPORTANT|WARNING|CAUTION)\]\s*\n>\s*(?<message>.+)(?:\s*\n>\s*.*?)*?$/gim | ||
/^\s*>\s*\[!(?<severity>NOTE|TIP|IMPORTANT|WARNING|CAUTION)\]\s*\n>\s*(?<message>.+)(?:\s*\n>\s*.*?)*?$/gim; |
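Review bot: under the `m` flag, `$` in `(?:\s*\n>\s*.*?)*?$` already succeeds at the end of the `message` line, and the lazy `*?` group is only expanded when `$` fails, so the continuation group never consumes anything: a multi-line alert matches just its header and first line, and the remaining `> ...` lines are left in place by the replace. If continuation lines are meant to belong to the message, the group has to be greedy (or the alert parsed line by line); as shown, the two regex lines differ only in the trailing `;`.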
Check failure
Code scanning / CodeQL
Inefficient regular expression High
Copilot Autofix
AI 9 days ago
To fix the issue, we need to rewrite the regular expression to eliminate the ambiguity caused by `.*?`. Specifically, we can replace `.*?` with a more precise pattern that matches the intended input without introducing ambiguity. For example, instead of using `.*?` to match any sequence of characters lazily, we can use a pattern that excludes newline characters or other specific delimiters. This ensures that the regular expression performs efficiently even for edge cases.
The changes will be made to the `GITHUB_MARKDOWN_WARNINGS_RX` regular expression on line 36. The updated pattern will explicitly match the intended structure of GitHub Flavored Markdown warnings while avoiding ambiguous constructs.
@@ -35,3 +35,3 @@ | ||
const GITHUB_MARKDOWN_WARNINGS_RX = | ||
/^\s*>\s*\[!(?<severity>NOTE|TIP|IMPORTANT|WARNING|CAUTION)\]\s*\n>\s*(?<message>.+)(?:\s*\n>\s*.*?)*?$/gim; | ||
/^\s*>\s*\[!(?<severity>NOTE|TIP|IMPORTANT|WARNING|CAUTION)\]\s*\n>\s*(?<message>[^\n]+)(?:\s*\n>\s*[^\n]*)*$/gim; | ||
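Review bot: this rewrite changes behaviour as well as cost: the outer group is now greedy (`*` instead of `*?`), so continuation lines are consumed where the original, under the `m` flag, stopped at the first `$`; and `[^\n]*` at the end of each repetition still overlaps with the `\s*` that opens the next one (both match spaces and tabs), so a line with a long run of trailing whitespace still backtracks quadratically. Dropping the leading `\s*` from the group, e.g. `(?:\n>[ \t]*[^\n]*)*$`, removes the overlap because `[^\n]*` already absorbs any whitespace up to the newline.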
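The behaviour discussed in this alert, as an added example that is not part of the PR: the page's `GITHUB_MARKDOWN_WARNINGS_RX` copied verbatim and run over a constructed two-line alert, beside a line-based parser that needs no nested quantifiers at all. The sample text and the names `regexMatchedLines` and `parseAlerts` are mine.

```javascript
// Added example, not code from the PR: the page's GITHUB_MARKDOWN_WARNINGS_RX
// copied verbatim, run over a constructed two-line alert, next to a line-based
// parser that needs no nested quantifiers at all.

const GITHUB_MARKDOWN_WARNINGS_RX =
  /^\s*>\s*\[!(?<severity>NOTE|TIP|IMPORTANT|WARNING|CAUTION)\]\s*\n>\s*(?<message>.+)(?:\s*\n>\s*.*?)*?$/gim;

const SEVERITIES = new Set(["NOTE", "TIP", "IMPORTANT", "WARNING", "CAUTION"]);

// Constructed sample input: a two-line WARNING alert followed by ordinary text.
const SAMPLE = [
  "> [!WARNING]",
  "> first line of the message",
  "> second line, which the lazy regex never consumes",
  "",
  "plain paragraph",
].join("\n");

// Number of lines the page's regex actually matches. With the `m` flag, `$`
// succeeds right after `message` (before the newline), and the lazy `*?`
// group is only expanded if `$` fails, so the match ends after line 2.
function regexMatchedLines(text) {
  GITHUB_MARKDOWN_WARNINGS_RX.lastIndex = 0; // `g` flag: reset before reuse
  const m = GITHUB_MARKDOWN_WARNINGS_RX.exec(text);
  return m ? m[0].split("\n").length : 0;
}

// One bounded pattern per line, nothing nested: the header line, and the
// blockquote marker that every continuation line must start with.
const ALERT_HEADER_RX = /^\s*>\s*\[!([A-Za-z]+)\]\s*$/;
const QUOTE_MARK_RX = /^\s*>\s?/;

// Line-based alternative: one pass over the input, cost linear in its size.
// Returns [{ severity, message, lines }] for every alert found.
function parseAlerts(text) {
  const lines = text.split(/\r?\n/);
  const alerts = [];
  for (let i = 0; i < lines.length; i++) {
    const h = ALERT_HEADER_RX.exec(lines[i]);
    if (!h) continue;
    const severity = h[1].toUpperCase();
    if (!SEVERITIES.has(severity)) continue; // not a GFM alert type
    const body = [];
    let j = i + 1;
    for (; j < lines.length && QUOTE_MARK_RX.test(lines[j]); j++) {
      body.push(lines[j].replace(QUOTE_MARK_RX, ""));
    }
    alerts.push({ severity, message: body.join("\n"), lines: j - i });
    i = j - 1; // continue scanning after the blockquote
  }
  return alerts;
}
```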
} | ||
// Enclose in quotes if the value contains newlines or quotes, and escape quotes | ||
if (value.includes("\n") || value.includes('"')) { | ||
value = value.replace(/"/g, '\\"'); // Escape existing quotes |
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding High
Copilot Autofix
AI 13 days ago
To fix the issue, the `value.replace` operation should be updated to escape both double quotes and backslashes. This can be achieved by chaining two `replace` calls or using a single regular expression that matches both characters. The best approach is to use a single regular expression with a global flag to ensure all occurrences are replaced. This ensures that the output is properly escaped and consistent with expected dotenv formatting.
Changes will be made to the `dotEnvStringify` function in the file `packages/core/src/dotenv.ts`. Specifically, the line `value.replace(/"/g, '\\"')` will be replaced with `value.replace(/["\\]/g, '\\$&')`, which escapes both double quotes and backslashes.
@@ -51,3 +51,3 @@ | ||
if (value.includes("\n") || value.includes('"')) { | ||
value = value.replace(/"/g, '\\"'); // Escape existing quotes | ||
value = value.replace(/["\\]/g, '\\$&'); // Escape double quotes and backslashes | ||
return `${key}="${value}"`; |
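Review bot: the guard on the line above is unchanged, so the escaping is still incomplete: a value that contains a backslash but neither a newline nor a double quote never reaches this branch and is written out unquoted and unescaped, whereas the same backslash is doubled as soon as a quote is also present, so a reader cannot tell which encoding was applied. Add `value.includes("\\")` to the condition (or quote whenever any character outside a known-safe set occurs), and check that the parser on the reading side undoes `\\` and `\"` the same way, otherwise the round trip is lossy.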
return text | ||
if (/file=\w+\.\w+/.test(label)) { | ||
const m = /^\s*\`{3,}\w*\r?\n((.|\s)*)\r?\n\`{3,}\s*$/.exec(text); |
Check failure
Code scanning / CodeQL
Inefficient regular expression High
Copilot Autofix
AI 13 days ago
To fix the issue, we need to rewrite the regular expression to remove the ambiguity caused by `(.|\s)*`. Instead of using `(.|\s)*`, we can use a more specific pattern that matches any character except backticks (```) directly. This avoids the ambiguity and ensures efficient matching.
The updated regular expression will replace `(.|\s)*` with `` [^\`]* ``, which matches zero or more characters that are not backticks. This change preserves the original functionality while eliminating the risk of exponential backtracking.
The fix will be applied to line 165 in the `normalize` function within the file `packages/core/src/fence.ts`.
@@ -164,3 +164,3 @@ | ||
if (/file=\w+\.\w+/.test(label)) { | ||
const m = /^\s*\`{3,}\w*\r?\n((.|\s)*)\r?\n\`{3,}\s*$/.exec(text); | ||
const m = /^\s*\`{3,}\w*\r?\n([^\`]*)\r?\n\`{3,}\s*$/.exec(text); | ||
if (m) return m[1]; |
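Review bot: `[^\`]*` is not behaviour-preserving, contrary to the description: `(.|\s)*` accepted any body, so a fenced block whose content contains a backtick (inline code, a nested fence) was unwrapped before, while after this change such text no longer matches and `normalize` hands it back with the fence still attached. `[\s\S]*?` (or `[^]*?`) in front of `\r?\n\`{3,}\s*$` keeps the old acceptance and still removes the `.`/`\s` alternation, whose overlap on whitespace characters is what makes the original exponential.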
? `defAudio("${c.input_audio}")` | ||
: `unknown message` | ||
const renderJinja = (content: string) => | ||
`$\`${content.replace(/`/g, "\\`")}\`${/\{(%|\{)/.test(content) ? `.jinja(env.vars)` : ""}`; |
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding High
Copilot Autofix
AI 9 days ago
To fix the issue, the `content.replace` function should be updated to escape both backticks (`` ` ``) and backslashes (`\`). This can be achieved by using a regular expression with the global flag (`g`) to match both characters and replace them appropriately. Specifically, backslashes should be escaped first to avoid double escaping issues when processing backticks.
The updated code will ensure that all occurrences of backslashes and backticks are escaped, making the string safe for further processing. The fix will be applied to the `renderJinja` function on line 145.
@@ -144,3 +144,3 @@ | ||
const renderJinja = (content: string) => | ||
`$\`${content.replace(/`/g, "\\`")}\`${/\{(%|\{)/.test(content) ? `.jinja(env.vars)` : ""}`; | ||
`$\`${content.replace(/\\/g, "\\\\").replace(/`/g, "\\`")}\`${/\{(%|\{)/.test(content) ? `.jinja(env.vars)` : ""}`; | ||
const renderPart = (c: ChatCompletionContentPart) => |
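Review bot: doubling backslashes before escaping backticks is the right order, but the result is spliced into a generated template literal and `${` is not escaped, so any `${` inside `content` becomes an interpolation in the emitted script instead of literal text. Add a third step after the backslash doubling, e.g. `.replace(/\$\{/g, "\\${")`, so the added backslash is not itself doubled and the sequence renders as the literal characters `${`.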
.filter((s) => s !== undefined && s !== null) | ||
.map((l) => (l === "*" ? ".*?" : l.replace(/[^a-z0-9_]/gi, ""))) | ||
.join("|"); | ||
const startRx = new RegExp(`^[\r\n\s]*(\`{3,})(${lg})\s*\r?\n`, "i"); |
Check failure
Code scanning / CodeQL
Useless regular-expression character escape High
Copilot Autofix
AI 13 days ago
To fix the issue, the escape sequence `\s` in the string literal should be properly escaped as `\\s`. This ensures that the backslash is preserved when the string is converted into a regular expression, and the intended meaning of `\s` as a whitespace character is retained.
The fix involves updating the regular expression string on line 21 to use `\\s` instead of `\s`. Similarly, the regular expression on line 25 also contains `\s` and should be updated to `\\s` for consistency and correctness.
@@ -20,3 +20,3 @@ | ||
.join("|"); | ||
const startRx = new RegExp(`^[\r\n\s]*(\`{3,})(${lg})\s*\r?\n`, "i"); | ||
const startRx = new RegExp(`^[\\r\\n\\s]*(\`{3,})(${lg})\\s*\\r?\\n`, "i"); | ||
const mstart = startRx.exec(text); | ||
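Review bot: the escape fix is correct (in a template literal `\s` is just `s`, so `[\r\n\s]` was a class of CR, LF and the letter `s`, and `\s*` matched a literal `s*`), but two smaller points remain: `\\r` and `\\n` inside `[\\r\\n\\s]` are redundant since `\s` already covers both, and in `(${lg})\\s*\\r?\\n` the `\s*` can itself consume the line break, so an opener followed by a blank line matches across two lines; `[ \t]*\\r?\\n` pins the match to the fence line. Note this also changes what the regex accepts (whitespace after the language tag now matches), which is presumably the intent but deserves a test.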
@@ -24,3 +24,3 @@ | ||
const n = mstart[1].length; | ||
const endRx = new RegExp(`\r?\n\`{${n},${n}}[\r\n\s]*$`, "i"); | ||
const endRx = new RegExp(`\\r?\\n\`{${n},${n}}[\\r\\n\\s]*$`, "i"); | ||
const mend = endRx.exec(text); |
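Review bot: same redundancy here: `[\\r\\n\\s]*$` is just `\\s*$`, and `{${n},${n}}` reads better as `{${n}}`. More substantively, `\`{${n},${n}}` followed by `[\\r\\n\\s]*$` rejects a closing fence longer than the opener (the extra backtick is neither whitespace nor end of input), while CommonMark allows a closing fence of at least the opener's length; `{${n},}` would accept it.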
.filter((s) => s !== undefined && s !== null) | ||
.map((l) => (l === "*" ? ".*?" : l.replace(/[^a-z0-9_]/gi, ""))) | ||
.join("|"); | ||
const startRx = new RegExp(`^[\r\n\s]*(\`{3,})(${lg})\s*\r?\n`, "i"); |
Check failure
Code scanning / CodeQL
Useless regular-expression character escape High
Copilot Autofix
AI 13 days ago
To fix the issue, the `\s` escape sequence in the string literal should be replaced with `\\s`. This ensures that the backslash is correctly interpreted as part of the regular expression when the string is passed to the `RegExp` constructor. Similarly, any other escape sequences in the regular expression should be reviewed and corrected if necessary.
The specific changes are:
- Update the `startRx` regular expression on line 21 to use `\\s` instead of `\s`.
- Update the `endRx` regular expression on line 25 to use `\\s` instead of `\s`.
@@ -20,3 +20,3 @@ | ||
.join("|"); | ||
const startRx = new RegExp(`^[\r\n\s]*(\`{3,})(${lg})\s*\r?\n`, "i"); | ||
const startRx = new RegExp(`^[\\r\\n\\s]*(\`{3,})(${lg})\\s*\\r?\\n`, "i"); | ||
const mstart = startRx.exec(text); | ||
@@ -24,3 +24,3 @@ | ||
const n = mstart[1].length; | ||
const endRx = new RegExp(`\r?\n\`{${n},${n}}[\r\n\s]*$`, "i"); | ||
const endRx = new RegExp(`\\r?\\n\`{${n},${n}}[\\r\\n\\s]*$`, "i"); | ||
const mend = endRx.exec(text); |
const mstart = startRx.exec(text); | ||
if (mstart) { | ||
const n = mstart[1].length; | ||
const endRx = new RegExp(`\r?\n\`{${n},${n}}[\r\n\s]*$`, "i"); |
Check failure
Code scanning / CodeQL
Useless regular-expression character escape High
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* agent yarn -> pnpm
* [core] Migrate to pnpm
* upgrade to v4
* fix order
* fix web build
* build vscode
* chore: update dependencies and refactor imports in core package
* chore: add execa and types for memorystream; update file handling in NodeHost
* chore: update package.json and pnpm-lock.yaml with new dependencies
* add build step
* chore: simplify build step in workflow configuration
* [core] Migrate to pnpm
* fix: correct file path in CLI commands in package.json
* [core] Migrate to pnpm
* fix: update type for writeJSON parameter and enhance model reference in prompt context
* bump to v2
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* [core] Migrate to pnpm
* ignore .tgz
* [core] Migrate to pnpm
* half broken paths
* [core] Migrate to pnpm
* refactor: replace fs-extra ensureDir import with @genaiscript/core
* chore: update dependencies and replace rmdir with rm for directory removal
* feat: add support for C++ language in grep functionality
* chore: update packageManager to pnpm@10.12.1 and restore pyodide tests
* fix: update test scripts and add ini as a devDependency for modulesample
* migrate to new cli location
* ✨ chore: Update and streamline project configuration. Aligned configs, fixed formatting, and modernized dependencies.
* ✅: Update test script to enforce direct execution. The `test` script now uses `vitest --run` for immediate test runs.
* fix: reduce maxTokens limit in GIT_DIFF to optimize performance
* fix: update CLI constant and refactor test scripts to use Vitest
* refactor: remove unused Playwright dependency installation and streamline browser launch process
* fix: update import paths from "genaiscript/runtime" to "@genaiscript/runtime" across multiple files
* feat: add runtime dependency to sample and modulesample packages; remove unused files and update llms script for documentation generation
* feat: add documentation generation script and update package dependencies
* fix: update import paths from "genaiscript/runtime" and "genaiscript/api" to "@genaiscript/runtime" and "@genaiscript/api" across multiple documentation files
* fix: import getModulePaths from "@genaiscript/core" for module path resolution
* fix: update import path from "genaiscript/api" to "@genaiscript/api" in GenAIScriptApiProvider
* fix: update import statement for GenAIScriptApiProvider and add workspace dependency for @genaiscript/api
* fix: update test command examples to remove npx and clarify dependency requirement for @genaiscript/api
* fix: add error handling for empty response from GenAIScript API
* fix: refactor port handling in net module for improved type safety and async support
* Add 'docs' directory to pnpm workspace packages
* fix: update Playwright installation commands and dependencies in workflows and package files
* fix: update import paths in documentation for consistency and accuracy
* fix: update dependencies and remove unused samples from documentation
* fix: remove unused imports and code references in lint documentation
* fix: update PDF parsing logic to use moduleResolve for worker source path
* adding broken worker test
* moving testhost to core, adding runtime tests
* test: add cache clearing test with vitest
* fix: update test command to run vitest and remove obsolete test file
* chore: remove obsolete install commands from package.json
* towards a working worker
* chore: update package.json files and adjust buildProject function parameters
* feat: enhance API functionality and add initial script support
* fix: correct logging to use __dirname instead of __filename
* feat: add sidebyside worker path resolution and update error log
* some readmes
* refactor: clean up moduleResolve function and improve comments
* feat: add pyodide test script and improve logging in Pyodide runtime
* notes about release it
* feat: update dependencies in pnpm-lock.yaml and remove unused node-sarif-builder
* feat: update inflection dependency to use catalog and replace fs-extra with core functions
* feat: add node-sarif-builder dependency to core package
* cli needs typescript
* feat: remove TypeScript types documentation and associated image
* feat: update workflow scripts to use 'pnpm build:cli' instead of 'pnpm compile:action'
* feat: update build workflow to use 'pnpm run build:ci' and add core tests
* feat: update scripts to use 'pnpm dlx' for package execution
* feat: enhance XML parsing with error logging and update test timeouts
* feat: update build:cli script to exclude specific packages from build process
* feat: update workflows to replace 'yarn' with 'pnpm' for consistency in package management
* feat: add pnpm action setup to GitHub workflows for improved package management
* feat: add playwright installation step to GitHub workflow
* feat: rename ffmpeg installation script for consistency
* feat: add check before removing directory to prevent errors
* refactor: migrate from yarn to pnpm in various scripts and documentation
  - Updated package.json scripts to use pnpm instead of yarn for genai commands.
  - Modified README updater documentation to reflect the change from yarn to pnpm.
  - Changed comments in show_n_tell.genai.mjs to use pnpm commands.
  - Updated vscode package.json to use pnpm for prepublish script.
  - Removed force install script from slides package.json.
* feat: update GitHub workflows to use 'test:ci' for consistency and remove obsolete package.json in API
---------
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>
} | ||
// Match against TypeScript, GitHub, and Azure DevOps regex patterns. | ||
for (const rx of ANNOTATIONS_RX) { | ||
for (const m of text.matchAll(rx)) addAnnotation(m); |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
return text?.replace(GITHUB_MARKDOWN_WARNINGS_RX, (s, ...args) => { | ||
const groups = args.at(-1); | ||
const { severity, message, suggestion } = groups; | ||
const sev = SEV_MAP[severity?.toLowerCase()] ?? "info"; | ||
const d = deleteUndefinedValues({ | ||
severity: sev, | ||
filename: "", | ||
range: [ | ||
[0, 0], // Start of range, 0-based index | ||
[0, Number.MAX_VALUE], // End of range, max value for columns | ||
], | ||
code: "", | ||
message, | ||
suggestion, | ||
}) satisfies Diagnostic; | ||
return convertAnnotationToItem(d); | ||
}); |
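Review bot: `suggestion` is destructured from `groups`, but `GITHUB_MARKDOWN_WARNINGS_RX` as shown earlier in this diff defines only the `severity` and `message` named groups, so `suggestion` is always `undefined` and is silently dropped by `deleteUndefinedValues`; either add a `(?<suggestion>...)` group to the regex or drop the field here. Likewise `filename: ""` together with a `range` pinned to line 0 turns every alert into a diagnostic on the first line of a nameless file, which is hard to act on downstream.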
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
return text | ||
?.replace( | ||
GITHUB_ANNOTATIONS_RX, | ||
( | ||
_, | ||
severity, | ||
file, | ||
line, | ||
endLine, | ||
__, | ||
code, | ||
message, | ||
suggestion, | ||
) => `> [!${severities[severity] || severity}] | ||
> ${message} (${file}#L${line} ${code || ""}) | ||
${suggestion ? `\`\`\`suggestion\n${suggestion}\n\`\`\`\n` : ""} | ||
` | ||
) | ||
?.replace( | ||
AZURE_DEVOPS_ANNOTATIONS_RX, | ||
(_, severity, file, line, __, code, message) => { | ||
return `> [!${severities[severity] || severity}] ${message} | ||
`, | ||
) |
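Review bot: `message` is interpolated into the blockquote unescaped, so a message containing a newline ends the `> ` quote after its first line and the rest is emitted as ordinary markdown; prefix every line of the message with `> ` (e.g. `message.split(/\r?\n/).join("\n> ")`) before interpolating. Also `severities[severity] || severity` writes the raw value into `[!...]` when it is not in the map, and GitHub renders only NOTE, TIP, IMPORTANT, WARNING and CAUTION, so unmapped values should fall back to one of those. The Azure DevOps branch drops `file` and `line` entirely, unlike the GitHub branch above it.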
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
return text | ||
?.replace(/\[([^\]]+)\]\([^)]+\)/g, (m, n) => n) | ||
?.replace(/<\/?([^>]+)>/g, "") | ||
return text?.replace(/\[([^\]]+)\]\([^)]+\)/g, (m, n) => n)?.replace(/<\/?([^>]+)>/g, ""); |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
packages/core/test/changelog.test.ts
const source = `ChangeLog:1@email_validator.py | ||
Description: Implement a function to validate both email addresses and URLs. | ||
OriginalCode@1-3: | ||
[1] # Placeholder for email validation logic | ||
[2] | ||
[3] # Placeholder for URL validation logic | ||
ChangedCode@1-10: | ||
[1] import re | ||
[2] | ||
[3] def validate_email(email): | ||
[4] # Simple regex pattern for validating an email address | ||
[5] pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$' | ||
[6] return re.match(pattern, email) is not None | ||
[7] | ||
[8] def validate_url(url): | ||
[9] # Simple regex pattern for validating a URL | ||
[10] pattern = r'^https?:\/\/[\w.-]+\.[a-zA-Z]{2,}.*$' | ||
[11] return re.match(pattern, url) is not None | ||
[12] | ||
[13] def validate_email_and_url(email, url): | ||
[14] return validate_email(email) and validate_url(url) | ||
` | ||
const res = parseChangeLogs(source) | ||
assert.equal(res.length, 1) | ||
assert.equal(res[0].filename, "email_validator.py") | ||
}) | ||
`; |
Check failure
Code scanning / CodeQL
Useless regular-expression character escape High test
The escape sequence '\w' is equivalent to just 'w', so the sequence is not a character class when it is used in a regular expression
Copilot Autofix
AI 13 days ago
To fix the issue, ensure that the escape sequence `\.` is used correctly in the context of the regular expression or string literal. If the goal is to match a literal dot, ensure that the backslash is properly escaped when using a string literal (e.g., `'\\.'`). If the escape sequence is unnecessary, remove the backslash to avoid confusion and potential errors.
In this case, we will review the relevant code and adjust the escape sequence as needed to ensure the regular expression behaves as intended.
@@ -56,3 +56,3 @@ | ||
[4] # Simple regex pattern for validating an email address | ||
[5] pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$' | ||
[5] pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$' | ||
[6] return re.match(pattern, email) is not None | ||
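Review bot: inside a JavaScript template literal `\.` is an identity escape that yields a plain `.`, so the fixture previously embedded `[a-zA-Z0-9.-]+.[a-zA-Z]{2,}` (any character before the TLD) while its own comment claims a literal dot; doubling the backslash makes the embedded Python pattern say what the comment says. The test only asserts `res.length` and `filename`, so it passes either way; wrapping the whole fixture in `String.raw` would avoid this class of slip without per-escape doubling.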
@@ -61,3 +61,3 @@ | ||
[9] # Simple regex pattern for validating a URL | ||
[10] pattern = r'^https?:\/\/[\w.-]+\.[a-zA-Z]{2,}.*$' | ||
[10] pattern = r'^https?:\\/\\/[\\w.-]+\\.[a-zA-Z]{2,}.*$' | ||
[11] return re.match(pattern, url) is not None |
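Review bot: the `\\w` change is the same fix (the literal previously produced `[w.-]`, a class of three literal characters), but `\\/\\/` is unnecessary in both forms: `/` needs no escape in Python's `re`, and `\/` is accepted as a literal slash, so `https?://` is the clearer form.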
"https://github.com/user-attachments/assets/a6e1935a-868e-4cca-9531-ad0ccdb9eace", | ||
); | ||
assert(resolved); | ||
assert(resolved.includes("githubusercontent.com")); |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High test
Copilot Autofix
AI 11 days ago
To fix the issue, the test should parse the resolved URL using the `URL` constructor and explicitly check the `host` property to ensure it matches the expected domain (`githubusercontent.com`). This approach ensures that the validation is performed on the actual host of the URL, rather than relying on substring matching, which can be bypassed.
The changes will involve:
- Parsing the `resolved` URL using the `URL` constructor.
- Replacing the `resolved.includes("githubusercontent.com")` check with a strict comparison of the `host` property.
@@ -122,3 +122,4 @@ | ||
assert(resolved); | ||
assert(resolved.includes("githubusercontent.com")); | ||
const parsedUrl = new URL(resolved); | ||
assert(parsedUrl.host === "githubusercontent.com"); | ||
}); | ||
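Review bot: `parsedUrl.host === "githubusercontent.com"` fails for any resolved URL whose host is a subdomain, and `host` also carries a port when one is present, so the assertion is stricter than the `includes` check it replaces (which did pass for such hosts). If the resolver returns subdomain hosts, compare `parsedUrl.hostname` with the exact host expected, or check `hostname === "githubusercontent.com" || hostname.endsWith(".githubusercontent.com")`; the CodeQL alert is satisfied as long as the comparison is made on the parsed host rather than the whole string.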
@@ -129,3 +130,4 @@ | ||
console.log(resolved); | ||
assert(resolved.includes("githubusercontent.com")); | ||
const parsedUrl = new URL(resolved); | ||
assert(parsedUrl.host === "githubusercontent.com"); | ||
}); |
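Review bot: same exact-host caveat as in the first hunk. In addition, the `console.log(resolved)` kept as context here is leftover debugging output in a test; an `assert.strictEqual(parsedUrl.hostname, expected)` reports the actual value on failure, which makes the log line unnecessary.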
"https://github.com/user-attachments/assets/f7881bef-931d-4f76-8f63-b4d12b1f021e", | ||
); | ||
console.log(resolved); | ||
assert(resolved.includes("githubusercontent.com")); |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High test
Copilot Autofix
AI 11 days ago
To fix the issue, replace the substring check `resolved.includes("githubusercontent.com")` with a proper validation of the host component of the URL. This involves parsing the URL using the `URL` constructor and checking if the `host` matches the expected value (`githubusercontent.com`). This ensures that the test correctly validates the resolved URL's host and prevents false positives caused by substring matches in other parts of the URL.
Changes are required in the test cases where `resolved.includes("githubusercontent.com")` is used. Specifically, lines 123 and 130 need to be updated to use the `URL` constructor for host validation.
@@ -122,3 +122,4 @@ | ||
assert(resolved); | ||
assert(resolved.includes("githubusercontent.com")); | ||
const parsedUrl = new URL(resolved); | ||
assert(parsedUrl.host === "githubusercontent.com"); | ||
}); | ||
@@ -129,3 +130,4 @@ | ||
console.log(resolved); | ||
assert(resolved.includes("githubusercontent.com")); | ||
const parsedUrl = new URL(resolved); | ||
assert(parsedUrl.host === "githubusercontent.com"); | ||
}); |
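The three ways of checking the resolved URL that both "incomplete URL substring sanitization" alerts above discuss, as an added example that is not the PR's test code: the substring assertion from the original tests, the exact-host comparison from the autofix, and a suffix check on `hostname` that also accepts subdomains. All URLs and the function names are constructed for the example.

```javascript
// Added example, not the PR's test code: the substring assertion from the
// original test, the exact-host comparison from the autofix, and a suffix
// check on `hostname` that also accepts subdomains. All URLs are constructed.

const EXPECTED_DOMAIN = "githubusercontent.com";

// Original test: true whenever the string appears anywhere in the URL,
// including the path or a look-alike host.
function passesSubstringCheck(resolved) {
  return resolved.includes(EXPECTED_DOMAIN);
}

// Autofix: `host` is the full host (subdomains and any port), so this only
// accepts the bare apex domain. Throws on input that is not a URL.
function passesExactHostCheck(resolved) {
  return new URL(resolved).host === EXPECTED_DOMAIN;
}

// Host-aware check a test (or a fetcher) usually wants: parse first,
// require https, then accept the domain itself or any subdomain of it.
function isOnGithubUserContent(resolved) {
  let u;
  try {
    u = new URL(resolved);
  } catch {
    return false; // not a URL at all
  }
  if (u.protocol !== "https:") return false;
  const h = u.hostname.toLowerCase(); // hostname: no port, no userinfo
  return h === EXPECTED_DOMAIN || h.endsWith("." + EXPECTED_DOMAIN);
}

// Constructed inputs (not real asset URLs).
const SUBDOMAIN_URL = "https://raw.githubusercontent.com/org/repo/main/img.png";
const PATH_ONLY_URL = "https://example.com/githubusercontent.com/img.png";
const LOOKALIKE_URL = "https://githubusercontent.com.example.com/img.png";
const APEX_URL = "https://githubusercontent.com/img.png";

// Runs all three checks on one URL; a throwing check counts as false.
function evaluate(resolved) {
  let exact = false;
  try {
    exact = passesExactHostCheck(resolved);
  } catch {
    exact = false;
  }
  return {
    substring: passesSubstringCheck(resolved),
    exactHost: exact,
    hostSuffix: isOnGithubUserContent(resolved),
  };
}
```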
value = { model: value, source }; | ||
} | ||
const aliases = this._modelAliases[source]; | ||
const c = aliases[id] || (aliases[id] = { source }); |
Check warning
Code scanning / CodeQL
Prototype-polluting assignment Medium
Copilot Autofix
AI about 18 hours ago
To fix the issue, we need to ensure that the object `aliases` is resilient to prototype pollution. This can be achieved by using a prototype-less object created with `Object.create(null)` instead of a regular object. This approach ensures that even if a malicious key like `__proto__` is injected, it won't affect `Object.prototype`.
Steps to fix:
- Modify the initialization of `aliases` to use `Object.create(null)` instead of `{}`.
- Ensure that all assignments to `aliases` are compatible with the prototype-less object.
@@ -187,3 +187,3 @@ | ||
dbg(`clearing modelAlias for source: ${source}`); | ||
this._modelAliases[source] = {}; | ||
this._modelAliases[source] = Object.create(null); | ||
} | ||
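Review bot: making the per-source map prototype-less is right, but the outer `_modelAliases` is indexed by `source` on the same line, and if it is a plain object then `source === "__proto__"` makes `this._modelAliases[source]` resolve to `Object.prototype` on read, so a later `aliases[id] = ...` still lands on the shared prototype. Create `_modelAliases` with `Object.create(null)` as well (or use a `Map` for both levels), or validate `source` against a fixed list.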
@@ -205,3 +205,3 @@ | ||
const aliases = this._modelAliases[source]; | ||
const c = aliases[id] || (aliases[id] = { source }); | ||
const c = aliases[id] || (aliases[id] = Object.assign(Object.create(null), { source })); | ||
if (value === undefined || value.model === id) { |
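Review bot: the two hunks are consistent with each other, but null-prototype objects have none of the `Object.prototype` methods, so any code that calls `hasOwnProperty(...)`, `toString()` or `toJSON` on these entries, or serialises them with a library that expects plain objects, changes behaviour; grep the callers of `_modelAliases` before merging. Also consider an explicit guard that rejects `__proto__`, `prototype` and `constructor` as `id`, so that a misconfigured alias fails loudly instead of silently creating an own property with that name.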
const c = aliases[id] || (aliases[id] = { source }); | ||
if (value === undefined || value.model === id) { | ||
dbg(`alias ${id}: deleting (source: ${source})`); | ||
delete aliases[id]; |
Check warning
Code scanning / CodeQL
Prototype-polluting assignment Medium
Copilot Autofix
AI about 18 hours ago
To fix the issue, we need to ensure that the `aliases` object is resilient to prototype pollution. The best approach is to replace the `aliases` object with a prototype-less object created using `Object.create(null)`. This ensures that even if a malicious key like `__proto__` is used, it will not affect `Object.prototype`. Additionally, the existing check for dangerous keys should be retained as an extra layer of protection.
Changes to implement:
- Modify the initialization of `aliases` to use `Object.create(null)` instead of a regular object.
- Ensure that all assignments to `aliases` are compatible with the prototype-less object.
- Retain the check for dangerous keys (`__proto__`, `prototype`, `constructor`) to prevent misuse.
@@ -187,3 +187,3 @@ | ||
dbg(`clearing modelAlias for source: ${source}`); | ||
this._modelAliases[source] = {}; | ||
this._modelAliases[source] = Object.create(null); | ||
} | ||
@@ -204,3 +204,3 @@ | ||
} | ||
const aliases = this._modelAliases[source]; | ||
const aliases = this._modelAliases[source] || (this._modelAliases[source] = Object.create(null)); | ||
const c = aliases[id] || (aliases[id] = { source }); |
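Review bot: this hunk and the one in the previous autofix touch adjacent lines differently (here the container lookup is made lazy but `aliases[id] = { source }` keeps its `Object.prototype`; there the inner literal is replaced), so applying both suggestions needs a manual merge. The description also says to retain the `__proto__`/`prototype`/`constructor` key check, yet no such check appears in the shown lines; and with `_modelAliases` still a plain object, `source === "__proto__"` makes `this._modelAliases[source]` evaluate to `Object.prototype` (truthy), which skips the lazy initialisation and writes `{ source }` onto it.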
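The prototype-pollution path both "Prototype-polluting assignment" alerts above describe, as an added example that is not genaiscript's code: a stand-alone model of the `aliases[id] = { source }` pattern, once with plain objects (pre-fix) and once with null-prototype containers plus an explicit key check. `source` and `id` are assumed to come from user-controlled configuration, `value` is simplified to a string, and the `setAlias*`/`demo*` names are mine.

```javascript
// Added example, not genaiscript's code: a stand-alone model of the
// `aliases[id] = { source }` pattern from this diff, once with plain objects
// (pre-fix) and once with null-prototype containers plus an explicit key
// check. `source` and `id` are assumed to originate from user-controlled
// configuration; `value` is simplified to a plain string.

const DANGEROUS_KEYS = new Set(["__proto__", "prototype", "constructor"]);

// Pre-fix shape: plain objects at both levels.
function setAliasPlain(store, source, id, value) {
  const aliases = store[source] || (store[source] = {});
  // On a plain object, aliases["__proto__"] is Object.prototype, which is
  // truthy, so `c` becomes the shared prototype and the write below leaks.
  const c = aliases[id] || (aliases[id] = { source });
  c.model = value;
  return c;
}

// Hardened shape: reject reserved keys, and keep both levels prototype-less
// so an unexpected key can only ever create an own property.
function setAliasSafe(store, source, id, value) {
  if (DANGEROUS_KEYS.has(source) || DANGEROUS_KEYS.has(id)) {
    throw new Error(`reserved key rejected: ${source}/${id}`);
  }
  const aliases = store[source] || (store[source] = Object.create(null));
  const c =
    aliases[id] || (aliases[id] = Object.assign(Object.create(null), { source }));
  c.model = value;
  return c;
}

// Shows the pollution: after the call, every plain object has a `model`.
// The property is deleted again so the rest of the process is unaffected.
function demoPlain() {
  const store = {};
  setAliasPlain(store, "env", "__proto__", "polluted");
  const leaked = {}.model;
  delete Object.prototype.model;
  return leaked; // "polluted"
}

// Shows the hardened path: reserved keys throw, normal keys work, nothing leaks.
function demoSafe() {
  const store = Object.create(null);
  let rejected = false;
  try {
    setAliasSafe(store, "env", "__proto__", "x");
  } catch {
    rejected = true;
  }
  setAliasSafe(store, "env", "gpt", "large");
  return { rejected, model: store.env.gpt.model, leaked: {}.model };
}

// Null-prototype containers alone (the autofix's approach, no key check):
// "__proto__" becomes an ordinary own key and Object.prototype is untouched.
function demoNullProtoOnly() {
  const aliases = Object.create(null);
  const c =
    aliases["__proto__"] ||
    (aliases["__proto__"] = Object.assign(Object.create(null), { source: "env" }));
  c.model = "harmless";
  return { ownKey: Object.keys(aliases).includes("__proto__"), leaked: {}.model };
}
```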
* fix: remove references to PROMPTY_REGEX in multiple files and update related logic
* fix: add pnpm/action-setup step in genai pull request review workflow
…ow details and quality evaluation strategies
* indexing
* feat: implement initial document search script with query handling
* feat: enhance logging for vector search and indexing operations
* feat: enhance response generation with structured system prompt
* feat: enhance documentation search functionality with query rewriting and improved logging
* fix: update test:fix script to correct output file extension for TypeScript definitions
* feat: add documentation files for GenAIScript code generation instructions and type definitions
* fix: update llmstxt_index and llmstxt_search scripts for improved error handling and structure; feat: modify llmstxt.json to include additional TypeScript definition file for genaiscript
- Bump @eslint/js from ^9.29.0 to ^9.30.1
- Bump @inquirer/prompts from ^7.5.3 to ^7.6.0
- Update @types/mdast to 4.0.4
- Bump eslint from ^9.29.0 to ^9.30.1
- Bump es-toolkit from ^1.39.3 to ^1.39.6
- Bump typescript-eslint from ^8.34.1 to ^8.35.1
- Add zod at ^3.25.71
…ckage.json and pnpm-lock.yaml
…n to include secret handling
…DME and action.yml; update actionConfigure function to use backticks for consistency
… GitHub Actions workflow
…and improve test coverage
… and clean up code
…tests for autolinks, footnotes, task lists, definition lists, and math expressions
Dev branch.