Skip to content

Address review feedback: sanitize conversation history and simplify state management#151

Merged
DimaBir merged 10 commits into
dimabir/github_bot_respond_wikifrom
copilot/sub-pr-144
Feb 11, 2026
Merged

Address review feedback: sanitize conversation history and simplify state management#151
DimaBir merged 10 commits into
dimabir/github_bot_respond_wikifrom
copilot/sub-pr-144

Conversation

Copilot AI commented Feb 11, 2026

Copy link
Copy Markdown
Contributor

Addresses unresolved review comments from PR #144 regarding security vulnerabilities in conversation history handling and redundant validation logic.

Security Fixes

  • Sanitize all user input before AI processing: Added inline sanitization function that processes issue body, title, and all comments before adding to conversation history. Removes control characters, normalizes line endings, collapses excessive whitespace.
  • Filter conversation history by author: Only include comments from issue author and bot, excluding third-party users to prevent information leakage and conversation confusion.
// Sanitization applied to all user content
const sanitizeContent = (content, maxLength = 10000) => {
  if (content == null || content === '') return '';
  const str = String(content);
  return str
    .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '') // Control chars
    .replace(/\r\n/g, '\n').replace(/\r/g, '\n')      // Line endings
    .replace(/[^\S\r\n]+/g, ' ')                      // Whitespace
    .replace(/\n{3,}/g, '\n\n')                       // Collapse newlines
    .trim();
};

State Management Cleanup

  • Remove 'closed' from terminal states: Closed issues already filtered by workflow trigger (github.event.issue.state == 'open'), making this check redundant.
  • Simplify state determination logic: Removed complex conditional branches in favor of defensive initialization with clear precedence rules.
  • Handle empty SYSTEM_PROMPT: Added explicit check to prevent malformed prompts when SYSTEM_PROMPT is not configured.

Validation Consolidation

  • Remove redundant bot response count check from security.js: Already validated in conversation-state step, eliminating duplicate API calls and potential sync issues.
  • Remove unused sanitized_content output: Sanitization now happens inline during conversation history construction.

All changes passed CodeQL security scanning with 0 alerts.


💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 9 commits February 11, 2026 07:49
…on improvements

Co-authored-by: DimaBir <28827735+DimaBir@users.noreply.github.com>
Co-authored-by: DimaBir <28827735+DimaBir@users.noreply.github.com>
…state handling

Co-authored-by: DimaBir <28827735+DimaBir@users.noreply.github.com>
Co-authored-by: DimaBir <28827735+DimaBir@users.noreply.github.com>
Co-authored-by: DimaBir <28827735+DimaBir@users.noreply.github.com>
Co-authored-by: DimaBir <28827735+DimaBir@users.noreply.github.com>
…ding normalization

Co-authored-by: DimaBir <28827735+DimaBir@users.noreply.github.com>
Co-authored-by: DimaBir <28827735+DimaBir@users.noreply.github.com>
Co-authored-by: DimaBir <28827735+DimaBir@users.noreply.github.com>
Copilot AI changed the title [WIP] Update issue assistant workflow with rate limits and state management Address review feedback: sanitize conversation history and simplify state management Feb 11, 2026
Copilot AI requested a review from DimaBir February 11, 2026 07:59
@DimaBir DimaBir marked this pull request as ready for review February 11, 2026 07:59
@DimaBir DimaBir merged commit c9a7f1a into dimabir/github_bot_respond_wiki Feb 11, 2026
1 check passed
@DimaBir DimaBir deleted the copilot/sub-pr-144 branch February 11, 2026 08:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants