fix(miner): write acceptance criteria safely#5322
Conversation
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
gittensory-ui | 4c976dd | Commit Preview URL Branch Preview URL |
Jul 12 2026, 01:58 PM |
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #5322 +/- ##
=======================================
Coverage 94.36% 94.36%
=======================================
Files 474 474
Lines 40096 40096
Branches 14620 14620
=======================================
Hits 37836 37836
Misses 1585 1585
Partials 675 675
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-12 21:15:27 UTC
⏸️ Suggested Action - Manual Review Concerns raised — review before merging
📋 Copy for AI agents — paste into your coding agent
Review context
Contributor next steps
Signal definitions
[BETA] Chat with GittensoryAsk Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
Motivation
writeFileSyncon a fixed path inside the prepared worktree and would follow symlinks, allowing a malicious repository to cause arbitrary writable files to be clobbered outside the worktree.Description
writeFileSync(join(workingDirectory, ACCEPTANCE_CRITERIA_FILENAME), ...)with a safe sequence that resolves the worktree root viarealpathSync, composes the output path, verifies containment, and creates the file withopenSync(... O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0o600)before writing via the file descriptor and closing it (addedcloseSync,openSync,realpathSync, andfsConstantsimports) inpackages/gittensory-miner/lib/coding-task-spec.js.assertContainedPathcheck to ensure the computed output path remains inside the resolved worktree and throw if not.test/unit/miner-coding-task-spec.test.tsthat verify a pre-existingacceptance-criteria.jsonsymlink is not followed (outside file not clobbered) and that an existing file at the path is not overwritten, and update test imports accordingly.Testing
git diff --checkand it passed.npm run build:minerand the build succeeded.npx vitest run test/unit/miner-coding-task-spec.test.tsand all tests in that file passed.npm audit --audit-level=moderatecould not be completed in this environment (registry returned 403) and is noted as a non-blocking environment limitation.Codex Task