custom engine support in includes#475
Merged
pelikhan merged 7 commits intogithub:mainfrom Sep 6, 2025
githubnext:custom-engine-testing
Merged
custom engine support in includes#475pelikhan merged 7 commits intogithub:mainfrom githubnext:custom-engine-testing
pelikhan merged 7 commits intogithub:mainfrom
githubnext:custom-engine-testing
Conversation
…-inference (#85) * Initial plan * Create AI Inference with GitHub Models agentic workflow - Add ai-inference-github-models.md workflow using actions/ai-inference - Implement multi-model support with gpt-4o-mini as default - Add context-aware prompts for issues and pull requests - Include safe outputs for automated comment posting - Create usage examples and documentation - Successfully compile and test the workflow Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Address PR review feedback: move docs, fix permissions, use prompt-file, remove PR support Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Remove documentation file and add comprehensive comments to workflow file Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Address PR feedback: simplify workflow with single issue input and fixed model Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Address PR feedback: rename input to issue_number, add GitHub expression, remove documentation Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Handle both issue events and workflow_dispatch inputs in AI inference prompt - Added dynamic prompt creation step that determines issue number based on event type - Uses github.event.issue.number for automatic issue events - Uses github.event.inputs.issue_number for manual workflow_dispatch events - Addresses comment requesting OR condition for both input sources Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Revert previous commit as requested Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>
…output formatting
…87) * Initial plan * Sort with section keys for stable output in engine step conversion Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
github-actions bot
added a commit
that referenced
this pull request
Jan 7, 2026
**Alert Numbers**: #476, #475 **Severity**: Medium **Rule**: G304 - Potential file inclusion via variable ## Vulnerability Description Two instances of potential path traversal vulnerabilities were identified in `pkg/cli/logs_metrics.go` at lines 250 and 373. The `os.ReadFile()` function was called with a variable path (`resolvedAgentOutputFile`) that could potentially be manipulated to read files outside the intended directory, without proper path sanitization. ## Fix Applied Added path sanitization using `filepath.Clean()` before reading files in both the `extractMissingToolsFromRun()` and `extractNoopsFromRun()` functions: 1. Line 250 (Alert #476): Added `cleanPath := filepath.Clean(resolvedAgentOutputFile)` before the `os.ReadFile()` call in `extractMissingToolsFromRun()` 2. Line 373 (Alert #475): Added `cleanPath := filepath.Clean(resolvedAgentOutputFile)` before the `os.ReadFile()` call in `extractNoopsFromRun()` The sanitized path is now used consistently in all subsequent operations including file reads and error messages. ## Security Best Practices - **Path Normalization**: `filepath.Clean()` normalizes the path by removing redundant separators, resolving `.` and `..` elements, preventing path traversal attacks - **Defense in Depth**: While the paths are constructed from trusted sources, this adds an additional layer of security - **Consistent Usage**: Updated all references to use the sanitized path variable ## Testing Considerations - Verify that log metrics extraction continues to work correctly for workflow runs - Test with various directory structures and path formats - Ensure error messages display the correct sanitized paths
This was referenced Jan 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Allow engine configuration in includes files.