From c00363d4dd6eecdba059f344320215bbd750a418 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 11 Feb 2026 11:46:05 +0000
Subject: [PATCH 1/5] Initial plan
From c7f7e2a0d8f77ed588fc71664aa72f4e2dbc5446 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 11 Feb 2026 11:50:20 +0000
Subject: [PATCH 2/5] Fix PathHelpers security vulnerability and add build/lint scripts
Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
---
build.bat | 16 ++++++++++++++++
build.sh | 11 +++++++++++
lint.bat | 16 ++++++++++++++++
lint.sh | 11 +++++++++++
src/DemaConsulting.BuildMark/PathHelpers.cs | 15 ++++++++++++++-
5 files changed, 68 insertions(+), 1 deletion(-)
create mode 100644 build.bat
create mode 100755 build.sh
create mode 100644 lint.bat
create mode 100755 lint.sh
diff --git a/build.bat b/build.bat
new file mode 100644
index 0000000..8aa448d
--- /dev/null
+++ b/build.bat
@@ -0,0 +1,16 @@
+@echo off
+setlocal
+
+REM Restore dependencies
+dotnet restore
+if errorlevel 1 exit /b 1
+
+REM Build the project
+dotnet build --configuration Release
+if errorlevel 1 exit /b 1
+
+REM Run tests
+dotnet test --configuration Release
+if errorlevel 1 exit /b 1
+
+echo Build completed successfully!
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..5383df6
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+# Restore dependencies
+dotnet restore
+
+# Build the project
+dotnet build --configuration Release
+
+# Run tests
+dotnet test --configuration Release
diff --git a/lint.bat b/lint.bat
new file mode 100644
index 0000000..d85f8c7
--- /dev/null
+++ b/lint.bat
@@ -0,0 +1,16 @@
+@echo off
+setlocal
+
+REM Run markdown linter
+call npx markdownlint-cli2 "**/*.md"
+if errorlevel 1 exit /b 1
+
+REM Run spell checker
+call npx cspell "**/*.{md,cs}"
+if errorlevel 1 exit /b 1
+
+REM Run YAML linter
+call yamllint .
+if errorlevel 1 exit /b 1
+
+echo Linting completed successfully!
diff --git a/lint.sh b/lint.sh
new file mode 100755
index 0000000..a562889
--- /dev/null
+++ b/lint.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+# Run markdown linter
+npx markdownlint-cli2 "**/*.md"
+
+# Run spell checker
+npx cspell "**/*.{md,cs}"
+
+# Run YAML linter
+yamllint .
diff --git a/src/DemaConsulting.BuildMark/PathHelpers.cs b/src/DemaConsulting.BuildMark/PathHelpers.cs
index d2f8be7..d764a68 100644
--- a/src/DemaConsulting.BuildMark/PathHelpers.cs
+++ b/src/DemaConsulting.BuildMark/PathHelpers.cs
@@ -44,6 +44,19 @@ internal static string SafePathCombine(string basePath, string relativePath)
 // 1. relativePath doesn't contain ".." (path traversal)
 // 2. relativePath is not an absolute path (IsPathRooted check)
 // This ensures the combined path will always be under basePath
- return Path.Combine(basePath, relativePath);
+ var combinedPath = Path.Combine(basePath, relativePath);
+
+ // Additional security validation: ensure the combined path is still under the base path.
+ // This defense-in-depth approach protects against edge cases that might bypass the
+ // initial validation, ensuring the final path stays within the intended directory.
+ var fullBasePath = Path.GetFullPath(basePath);
+ var fullCombinedPath = Path.GetFullPath(combinedPath);
+
+ if (!fullCombinedPath.StartsWith(fullBasePath, StringComparison.OrdinalIgnoreCase))
+ {
+ throw new ArgumentException($"Invalid path component: {relativePath}", nameof(relativePath));
+ }
+
+ return combinedPath;
 }
 }
From ca3033f0c6b713aaaa3e1260b4a09df8434245fc Mon Sep 17 00:00:00 2001
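Review bot: `call npx markdownlint-cli2 "**/*.md"` and the two other `npx` calls in this hunk execute whatever package version the npm registry serves at the moment the script runs, so neither the lint verdict nor the code that runs on the developer's machine is pinned; the `npx` lines in the lint.sh hunk have the same gap. Pinning each tool to the version the CI workflow uses (`npx markdownlint-cli2@<VERSION> "**/*.md"`, with the version taken from the repository's workflow file) or declaring the tools as devDependencies and running them from a lockfile keeps local and CI results reproducible and limits what an upstream package change can pull in. `call yamllint .` also assumes a yamllint already on PATH, which the script does not state; a one-line `REM requires yamllint on PATH` above it would turn a cryptic "not recognized" failure into an obvious one.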
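Review bot: The new `fullCombinedPath.StartsWith(fullBasePath, StringComparison.OrdinalIgnoreCase)` check is a plain string-prefix test, so a sibling directory whose name merely extends the base name (base `<BASE>`, combined `<BASE>-other/...`) passes as if it were inside the base; the guard needs `fullBasePath` to end in `Path.DirectorySeparatorChar` before comparing, or a `Path.GetRelativePath` test, which PATCH 4/5 later in this series switches to. `OrdinalIgnoreCase` also bakes in a case-insensitive file system, which is wrong on Linux where two paths differing only in case are distinct entries. The added comment block claims the check "ensures the final path stays within the intended directory"; it should be toned down to what the code does, e.g. `// Reject a combined path whose normalized form does not lie under the normalized base path.` The start of SafePathCombine and its earlier validation are outside the hunk.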
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 11 Feb 2026 11:50:55 +0000
Subject: [PATCH 3/5] Add missing sections to README (Building from Source, Project Structure, CI/CD Pipeline)
Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
---
README.md | 125 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 125 insertions(+)
diff --git a/README.md b/README.md
index e26163c..a83742b 100644
--- a/README.md
+++ b/README.md
@@ -203,6 +203,131 @@ Example report structure: [View Full Changelog](https://github.com/owner/repo/compare/v1.2.0...v1.2.3) ``` +## Building from Source + +### Prerequisites + +- [.NET SDK](https://dotnet.microsoft.com/download) 8.0, 9.0, or 10.0 +- [Git](https://git-scm.com/) + +### Clone and Build + +```bash +# Clone the repository +git clone https://github.com/demaconsulting/BuildMark.git +cd BuildMark + +# Build the project +dotnet build --configuration Release + +# Run tests +dotnet test --configuration Release + +# Or use the convenience scripts +./build.sh # Linux/macOS +build.bat # Windows +``` + +### Run Locally + +```bash +# Run the tool directly from source +dotnet run --project src/DemaConsulting.BuildMark --configuration Release -- --help +``` + +### Package as Tool + +```bash +# Create NuGet package +dotnet pack --configuration Release + +# Install locally for testing +dotnet tool install --global --add-source ./src/DemaConsulting.BuildMark/bin/Release DemaConsulting.BuildMark +``` + +### Linting + +The project uses several linters to ensure code quality: + +```bash +# Run all linters +./lint.sh # Linux/macOS +lint.bat # Windows + +# Or run individually +npx markdownlint-cli2 "**/*.md" # Markdown linting +npx cspell "**/*.{md,cs}" # Spell checking +yamllint . 
# YAML linting +dotnet format # Code formatting +``` + +## Project Structure + +```text +BuildMark/ +├── .github/ # GitHub configuration +│ ├── agents/ # GitHub Copilot agent definitions +│ ├── workflows/ # CI/CD workflow definitions +│ └── ISSUE_TEMPLATE/ # Issue templates +├── docs/ # Documentation +│ ├── guide/ # User guide +│ ├── requirements/ # Requirements documentation +│ ├── tracematrix/ # Traceability matrix +│ ├── justifications/ # Requirements justifications +│ ├── quality/ # Code quality reports +│ └── buildnotes/ # Generated build notes +├── src/ # Source code +│ └── DemaConsulting.BuildMark/ +│ ├── Context.cs # Command-line context +│ ├── Program.cs # Main entry point +│ ├── Validation.cs # Self-validation tests +│ ├── PathHelpers.cs # Safe path operations +│ └── RepositoryConnectors/ # Repository integration +├── test/ # Test projects +│ └── DemaConsulting.BuildMark.Tests/ +├── requirements.yaml # Requirements specification +├── build.sh / build.bat # Build scripts +├── lint.sh / lint.bat # Linting scripts +└── README.md # This file +``` + +## CI/CD Pipeline + +BuildMark uses GitHub Actions for continuous integration and deployment: + +### Build Workflow + +- **Trigger**: On push to main branch and pull requests +- **Platforms**: Windows and Linux +- **Frameworks**: .NET 8.0, 9.0, and 10.0 +- **Steps**: + 1. Code quality checks (markdown lint, spell check, YAML lint) + 2. Build project for all target frameworks + 3. Run self-validation tests + 4. CodeQL security analysis + 5. SonarCloud quality analysis + 6. Generate documentation (requirements, trace matrix, build notes) + 7. Upload artifacts + +### Release Workflow + +- **Trigger**: On creating a new release tag +- **Steps**: + 1. Build and test on Windows and Linux + 2. Package as NuGet tool package + 3. Publish to NuGet.org + 4. 
Generate release documentation + +### Quality Gates + +The CI pipeline enforces several quality gates: + +- All tests must pass +- No markdown or spell check errors +- CodeQL security scan must pass +- SonarCloud quality gate must pass +- Requirements traceability must be maintained + ## Contributing Contributions are welcome! We appreciate your interest in improving BuildMark. From 30b5c500f540dab78567ac22f959543f786110a6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 11 Feb 2026 11:56:43 +0000 Subject: [PATCH 4/5] Fix path traversal vulnerability and duplicate README heading Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- README.md | 2 +- src/DemaConsulting.BuildMark/PathHelpers.cs | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a83742b..e199680 100644 --- a/README.md +++ b/README.md @@ -205,7 +205,7 @@ Example report structure: ## Building from Source -### Prerequisites +### Development Prerequisites - [.NET SDK](https://dotnet.microsoft.com/download) 8.0, 9.0, or 10.0 - [Git](https://git-scm.com/) diff --git a/src/DemaConsulting.BuildMark/PathHelpers.cs b/src/DemaConsulting.BuildMark/PathHelpers.cs index d764a68..11252e7 100644 --- a/src/DemaConsulting.BuildMark/PathHelpers.cs +++ b/src/DemaConsulting.BuildMark/PathHelpers.cs @@ -52,7 +52,9 @@ internal static string SafePathCombine(string basePath, string relativePath) var fullBasePath = Path.GetFullPath(basePath); var fullCombinedPath = Path.GetFullPath(combinedPath); - if (!fullCombinedPath.StartsWith(fullBasePath, StringComparison.OrdinalIgnoreCase)) + // Use GetRelativePath to verify the relationship between paths + var relativeCheck = Path.GetRelativePath(fullBasePath, fullCombinedPath); + if (relativeCheck.StartsWith("..") || Path.IsPathRooted(relativeCheck)) { throw new ArgumentException($"Invalid path component: {relativePath}", nameof(relativePath)); } 
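Review bot: `relativeCheck.StartsWith("..")` on the new condition line uses the culture-sensitive `string.StartsWith(string)` overload; for a path string this should be the ordinal overload, `relativeCheck.StartsWith("..", StringComparison.Ordinal)`, which is also what analyzer rule CA1310 asks for. The two-dot prefix is wider than the traversal it guards: a legitimate entry whose name merely begins with two dots (`..cache`) is rejected, while the actual escape condition is the relative path being exactly `..` or starting with `..` followed by a separator, e.g. `relativeCheck == ".." || relativeCheck.StartsWith(".." + Path.DirectorySeparatorChar, StringComparison.Ordinal) || Path.IsPathRooted(relativeCheck)`; the earlier input validation described in PATCH 2/5's context comment already excludes `..` from relativePath, so today this only narrows the defense-in-depth check rather than changing accepted input. The new comment `// Use GetRelativePath to verify the relationship between paths` says what the next line does but not why; `// A relative result that climbs out of, or is rooted outside, fullBasePath means the combined path escaped the base directory.` would carry the intent. Note that `Path.GetFullPath` normalizes lexically and does not resolve symbolic links, so a link under basePath can still point elsewhere — worth a one-line comment if callers rely on this as the only boundary. SafePathCombine starts before and ends after the hunk.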
From 434dbc753fbeeb47ebe15ecab579a2efe46c00b8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 11 Feb 2026 12:07:29 +0000
Subject: [PATCH 5/5] Remove Building from Source, Project Structure, and CI/CD Pipeline sections from README
Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
---
README.md | 125 ------------------------------------------------------
1 file changed, 125 deletions(-)
diff --git a/README.md b/README.md
index e199680..e26163c 100644
--- a/README.md
+++ b/README.md
@@ -203,131 +203,6 @@ Example report structure: [View Full Changelog](https://github.com/owner/repo/compare/v1.2.0...v1.2.3) ``` -## Building from Source - -### Development Prerequisites - -- [.NET SDK](https://dotnet.microsoft.com/download) 8.0, 9.0, or 10.0 -- [Git](https://git-scm.com/) - -### Clone and Build - -```bash -# Clone the repository -git clone https://github.com/demaconsulting/BuildMark.git -cd BuildMark - -# Build the project -dotnet build --configuration Release - -# Run tests -dotnet test --configuration Release - -# Or use the convenience scripts -./build.sh # Linux/macOS -build.bat # Windows -``` - -### Run Locally - -```bash -# Run the tool directly from source -dotnet run --project src/DemaConsulting.BuildMark --configuration Release -- --help -``` - -### Package as Tool - -```bash -# Create NuGet package -dotnet pack --configuration Release - -# Install locally for testing -dotnet tool install --global --add-source ./src/DemaConsulting.BuildMark/bin/Release DemaConsulting.BuildMark -``` - -### Linting - -The project uses several linters to ensure code quality: - -```bash -# Run all linters -./lint.sh # Linux/macOS -lint.bat # Windows - -# Or run individually -npx markdownlint-cli2 "**/*.md" # Markdown linting -npx cspell "**/*.{md,cs}" # Spell checking -yamllint . 
# YAML linting -dotnet format # Code formatting -``` - -## Project Structure - -```text -BuildMark/ -├── .github/ # GitHub configuration -│ ├── agents/ # GitHub Copilot agent definitions -│ ├── workflows/ # CI/CD workflow definitions -│ └── ISSUE_TEMPLATE/ # Issue templates -├── docs/ # Documentation -│ ├── guide/ # User guide -│ ├── requirements/ # Requirements documentation -│ ├── tracematrix/ # Traceability matrix -│ ├── justifications/ # Requirements justifications -│ ├── quality/ # Code quality reports -│ └── buildnotes/ # Generated build notes -├── src/ # Source code -│ └── DemaConsulting.BuildMark/ -│ ├── Context.cs # Command-line context -│ ├── Program.cs # Main entry point -│ ├── Validation.cs # Self-validation tests -│ ├── PathHelpers.cs # Safe path operations -│ └── RepositoryConnectors/ # Repository integration -├── test/ # Test projects -│ └── DemaConsulting.BuildMark.Tests/ -├── requirements.yaml # Requirements specification -├── build.sh / build.bat # Build scripts -├── lint.sh / lint.bat # Linting scripts -└── README.md # This file -``` - -## CI/CD Pipeline - -BuildMark uses GitHub Actions for continuous integration and deployment: - -### Build Workflow - -- **Trigger**: On push to main branch and pull requests -- **Platforms**: Windows and Linux -- **Frameworks**: .NET 8.0, 9.0, and 10.0 -- **Steps**: - 1. Code quality checks (markdown lint, spell check, YAML lint) - 2. Build project for all target frameworks - 3. Run self-validation tests - 4. CodeQL security analysis - 5. SonarCloud quality analysis - 6. Generate documentation (requirements, trace matrix, build notes) - 7. Upload artifacts - -### Release Workflow - -- **Trigger**: On creating a new release tag -- **Steps**: - 1. Build and test on Windows and Linux - 2. Package as NuGet tool package - 3. Publish to NuGet.org - 4. 
Generate release documentation - -### Quality Gates - -The CI pipeline enforces several quality gates: - -- All tests must pass -- No markdown or spell check errors -- CodeQL security scan must pass -- SonarCloud quality gate must pass -- Requirements traceability must be maintained - ## Contributing Contributions are welcome! We appreciate your interest in improving BuildMark.