mirror of
https://github.com/github/awesome-copilot.git
synced 2026-07-14 18:11:01 +00:00
79cda6bb19
* Add canvas schema and extension submission checks Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * fix: use namespace import for js-yaml Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * Fix contributors page build markup Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * Address PR feedback on canvas schema validation - Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes - Fix screenshot path regex to prevent .. traversal segments - Validate canvas.schema.json is parseable JSON even on schema-only PRs Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Harden canvas extension workflow against injection attacks Switch from newline to null-terminated git diff output (git diff -z) so filenames containing newlines are read atomically, matching the existing skill-check.yml pattern. Add an allowlist regex guard on the extracted extension directory name immediately after it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g. names containing dollar signs, parentheses, spaces, or other shell metacharacters) is silently skipped before being used anywhere in the script. Add a matching allowlist guard on each screenshot path extracted from canvas.json before the file-existence check, so a crafted manifest cannot supply a path with shell metacharacters or traversal segments even after the schema check passes. Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236 and #1240. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Replace ajv-cli with in-repo schema validator - Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies - Add eng/validate-json-schema.mjs using ajv + ajv-formats - Update validate-canvas-extensions workflow to use local script - Use npm ci --ignore-scripts in PR validation job Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
75 lines
1.7 KiB
JavaScript
75 lines
1.7 KiB
JavaScript
#!/usr/bin/env node
|
|
|
|
import fs from "fs";
|
|
import path from "path";
|
|
import Ajv from "ajv";
|
|
import addFormats from "ajv-formats";
|
|
|
|
function parseArgs(argv) {
|
|
const args = { schema: null, data: null };
|
|
for (let i = 2; i < argv.length; i += 1) {
|
|
const arg = argv[i];
|
|
if (arg === "--schema") {
|
|
args.schema = argv[i + 1] || null;
|
|
i += 1;
|
|
} else if (arg === "--data") {
|
|
args.data = argv[i + 1] || null;
|
|
i += 1;
|
|
}
|
|
}
|
|
return args;
|
|
}
|
|
|
|
function readJson(filePath) {
|
|
const content = fs.readFileSync(filePath, "utf8");
|
|
return JSON.parse(content);
|
|
}
|
|
|
|
const args = parseArgs(process.argv);
|
|
if (!args.schema) {
|
|
console.error("Missing required argument: --schema <path>");
|
|
process.exit(1);
|
|
}
|
|
|
|
const schemaPath = path.resolve(process.cwd(), args.schema);
|
|
let schema;
|
|
try {
|
|
schema = readJson(schemaPath);
|
|
} catch (error) {
|
|
console.error(`Invalid schema JSON at ${args.schema}: ${error.message}`);
|
|
process.exit(1);
|
|
}
|
|
|
|
const ajv = new Ajv({ strict: false, allErrors: true });
|
|
addFormats(ajv);
|
|
|
|
let validate;
|
|
try {
|
|
validate = ajv.compile(schema);
|
|
} catch (error) {
|
|
console.error(`Invalid schema at ${args.schema}: ${error.message}`);
|
|
process.exit(1);
|
|
}
|
|
|
|
if (!args.data) {
|
|
console.log(`Schema is valid: ${args.schema}`);
|
|
process.exit(0);
|
|
}
|
|
|
|
const dataPath = path.resolve(process.cwd(), args.data);
|
|
let data;
|
|
try {
|
|
data = readJson(dataPath);
|
|
} catch (error) {
|
|
console.error(`Invalid data JSON at ${args.data}: ${error.message}`);
|
|
process.exit(1);
|
|
}
|
|
|
|
const valid = validate(data);
|
|
if (!valid) {
|
|
const message = ajv.errorsText(validate.errors, { separator: "; " });
|
|
console.error(`Schema validation failed for ${args.data}: ${message}`);
|
|
process.exit(1);
|
|
}
|
|
|
|
console.log(`Schema validation passed: ${args.data}`); |