mirror of
https://github.com/github/awesome-copilot.git
synced 2026-07-14 01:51:02 +00:00
Add canvas schema validation to extension submission workflow (#2161)
* Add canvas schema and extension submission checks Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * fix: use namespace import for js-yaml Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * Fix contributors page build markup Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * Address PR feedback on canvas schema validation - Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes - Fix screenshot path regex to prevent .. traversal segments - Validate canvas.schema.json is parseable JSON even on schema-only PRs Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Harden canvas extension workflow against injection attacks Switch from newline to null-terminated git diff output (git diff -z) so filenames containing newlines are read atomically, matching the existing skill-check.yml pattern. Add an allowlist regex guard on the extracted extension directory name immediately after it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g. names containing dollar signs, parentheses, spaces, or other shell metacharacters) is silently skipped before being used anywhere in the script. Add a matching allowlist guard on each screenshot path extracted from canvas.json before the file-existence check, so a crafted manifest cannot supply a path with shell metacharacters or traversal segments even after the schema check passes. Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236 and #1240. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Replace ajv-cli with in-repo schema validator - Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies - Add eng/validate-json-schema.mjs using ajv + ajv-formats - Update validate-canvas-extensions workflow to use local script - Use npm ci --ignore-scripts in PR validation job Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This commit is contained in:
@@ -0,0 +1,75 @@
|
||||
#!/usr/bin/env node
|
||||
|
||||
import fs from "fs";
|
||||
import path from "path";
|
||||
import Ajv from "ajv";
|
||||
import addFormats from "ajv-formats";
|
||||
|
||||
function parseArgs(argv) {
|
||||
const args = { schema: null, data: null };
|
||||
for (let i = 2; i < argv.length; i += 1) {
|
||||
const arg = argv[i];
|
||||
if (arg === "--schema") {
|
||||
args.schema = argv[i + 1] || null;
|
||||
i += 1;
|
||||
} else if (arg === "--data") {
|
||||
args.data = argv[i + 1] || null;
|
||||
i += 1;
|
||||
}
|
||||
}
|
||||
return args;
|
||||
}
|
||||
|
||||
function readJson(filePath) {
|
||||
const content = fs.readFileSync(filePath, "utf8");
|
||||
return JSON.parse(content);
|
||||
}
|
||||
|
||||
const args = parseArgs(process.argv);
|
||||
if (!args.schema) {
|
||||
console.error("Missing required argument: --schema <path>");
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
const schemaPath = path.resolve(process.cwd(), args.schema);
|
||||
let schema;
|
||||
try {
|
||||
schema = readJson(schemaPath);
|
||||
} catch (error) {
|
||||
console.error(`Invalid schema JSON at ${args.schema}: ${error.message}`);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
const ajv = new Ajv({ strict: false, allErrors: true });
|
||||
addFormats(ajv);
|
||||
|
||||
let validate;
|
||||
try {
|
||||
validate = ajv.compile(schema);
|
||||
} catch (error) {
|
||||
console.error(`Invalid schema at ${args.schema}: ${error.message}`);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (!args.data) {
|
||||
console.log(`Schema is valid: ${args.schema}`);
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
const dataPath = path.resolve(process.cwd(), args.data);
|
||||
let data;
|
||||
try {
|
||||
data = readJson(dataPath);
|
||||
} catch (error) {
|
||||
console.error(`Invalid data JSON at ${args.data}: ${error.message}`);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
const valid = validate(data);
|
||||
if (!valid) {
|
||||
const message = ajv.errorsText(validate.errors, { separator: "; " });
|
||||
console.error(`Schema validation failed for ${args.data}: ${message}`);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
console.log(`Schema validation passed: ${args.data}`);
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
// YAML parser for frontmatter parsing using vfile-matter
|
||||
import fs from "fs";
|
||||
import yaml from "js-yaml";
|
||||
import * as yaml from "js-yaml";
|
||||
import path from "path";
|
||||
import { VFile } from "vfile";
|
||||
import { matter } from "vfile-matter";
|
||||
|
||||
Reference in New Issue
Block a user