fix(ci): url-encode file paths in react-doctor comment links#2526
Open
pauldambra wants to merge 1 commit into
Conversation
Follow-up to the markdown hardening in #2525. The link display text was sanitized but the URL target still interpolated the raw file path, so a path containing an unbalanced `)` (e.g. a React file with parens in its name) could close the GFM link early and leak the remainder as visible text -- defeating the spoofing protection. Percent-encode each path segment (including parens and spaces) in the link target.

Generated-By: PostHog Code
Task-Id: ac09988a-6c71-4856-87d6-32b9e44b7684
React Doctor found no issues in the changed files. 🎉 Reviewed by React Doctor for commit

Reviews (1): Last reviewed commit: "fix(ci): url-encode file paths in react-..."
Problem
Follow-up to the markdown hardening in #2525 (merged before this could be folded in). Two PR review bots (chatgpt-codex, greptile) correctly flagged a gap: the comment renderer's `fileLink` sanitizes the link display text via `inline(file)`, but the link URL target still interpolated the raw `file` path. A path containing an unbalanced `)` (reasonably common in React codebases, e.g. `Button(deprecated).tsx`, or worse `weird)name.tsx`) closes the GFM link early and leaks the remainder as visible text, which defeats the spoofing protection the hardening added.

Changes

`react-doctor-comment.mjs`: percent-encode each path segment in the markdown link target (`encodedPath`), including parens and spaces (`encodeURIComponent` leaves `(`/`)` literal, so they're encoded explicitly to `%28`/`%29`). Slashes are preserved as path separators. Display text is unchanged (still the readable, backtick/angle-bracket-stripped path).

How did you test this?

I'm an agent. Ran the renderer against a synthetic report with a path containing an unbalanced `)` and a space (`src/weird)name (x).tsx`) and confirmed the URL renders as `.../src/weird%29name%20%28x%29.tsx#L7` (link intact, nothing leaks), and ran Biome (`biome ci`) on the file.

Publish to changelog?
no
Created with PostHog Code
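The encoding the PR describes, as an added example in JavaScript; this is not the project's `react-doctor-comment.mjs`, and the names `inline`, `encodeSegment`, `encodePath`, `fileLinkUnsafe`, `fileLinkSafe`, `parseLink`, `linkIsIntact` and the `BLOB_BASE` URL are assumptions made for the illustration. `parseLink` is a deliberately simplified model of how a GFM renderer closes an inline link at the first `)` or whitespace in the destination (it does not model balanced parentheses), which is enough to show both the leak from raw interpolation and why per-segment percent-encoding closes it.

```javascript
// Added example (not the project's code). Shows why a sanitized display text
// is not enough when the link *target* still interpolates a raw file path,
// and how percent-encoding each path segment fixes it.

// Strip characters that let a path masquerade as markup in the visible link
// text. Mirrors the idea of the PR's inline(file); the exact rule is assumed.
function inline(text) {
  return String(text).replace(/[`<>]/g, "");
}

// Percent-encode one path segment. encodeURIComponent leaves ( ) ' ! * literal,
// and "(" / ")" are exactly what terminates a GFM link destination, so they
// are encoded explicitly (to %28 / %29 etc.).
function encodeSegment(segment) {
  return encodeURIComponent(segment).replace(/[()!'*]/g, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"),
  );
}

// Encode a repo-relative path segment by segment so "/" survives as a separator.
function encodePath(path) {
  return path.split("/").map(encodeSegment).join("/");
}

// Hypothetical blob URL prefix for the commit under review (assumption).
const BLOB_BASE = "https://github.com/example/repo/blob/abc123";

// Pre-fix shape described in the PR: display text sanitized, target raw.
function fileLinkUnsafe(file, line) {
  return `[${inline(file)}](${BLOB_BASE}/${file}#L${line})`;
}

// Hardened shape: target uses the encoded path, display text unchanged.
function fileLinkSafe(file, line) {
  return `[${inline(file)}](${BLOB_BASE}/${encodePath(file)}#L${line})`;
}

// Simplified GFM inline-link parse: text in [...], destination up to the first
// ")" or whitespace, and whatever is left over renders as plain visible text.
function parseLink(markdown) {
  const m = /^\[([^\]]*)\]\(([^)\s]*)\)(.*)$/s.exec(markdown);
  if (!m) return null;
  return { text: m[1], url: m[2], leftover: m[3] };
}

// True when the whole rendered string is one link with nothing leaking after it.
function linkIsIntact(markdown) {
  const parsed = parseLink(markdown);
  return parsed !== null && parsed.leftover === "";
}

// Constructed sample paths: an unbalanced ")" plus a space, and a balanced
// "(deprecated)" suffix of the kind React codebases actually contain.
const SAMPLE_PATHS = ["src/weird)name (x).tsx", "src/Button(deprecated).tsx"];

for (const p of SAMPLE_PATHS) {
  console.log("unsafe:", fileLinkUnsafe(p, 7), "intact:", linkIsIntact(fileLinkUnsafe(p, 7)));
  console.log("safe:  ", fileLinkSafe(p, 7), "intact:", linkIsIntact(fileLinkSafe(p, 7)));
}
```

The check worth keeping in a CI script is `decodeURIComponent(encodePath(p)) === p` for every path the renderer emits: it proves the encoding is lossless (the browser lands on the real file) while the rendered string stays a single link even for names containing `)`, spaces, or other destination terminators.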