fix: harden gh issue escape hygiene
This commit is contained in:
@@ -284,6 +284,7 @@ export function runChecks(config: UniDeskConfig, options: CheckOptions = default
|
||||
fileItem("scripts/src/ci.ts"),
|
||||
fileItem("scripts/src/e2e.ts"),
|
||||
fileItem("scripts/code-queue-prompt-observation-test.ts"),
|
||||
fileItem("scripts/gh-cli-issue-guard-contract-test.ts"),
|
||||
fileItem("scripts/gh-cli-pr-contract-test.ts"),
|
||||
fileItem("scripts/code-queue-pr-preflight-example.ts"),
|
||||
fileItem("scripts/schedule-cli-contract-test.ts"),
|
||||
@@ -305,6 +306,7 @@ export function runChecks(config: UniDeskConfig, options: CheckOptions = default
|
||||
items.push(commandItem("code-queue:oa-publisher-degraded-visible", ["bun", "scripts/code-queue-liveness-diagnostics-test.ts", "--only", "code-queue:oa-publisher-degraded-visible"], 30_000));
|
||||
items.push(commandItem("baidu-netdisk:artifact-guard-contract", ["bun", "scripts/baidu-netdisk-artifact-guard-contract-test.ts"], 30_000));
|
||||
items.push(commandItem("schedule:cli-contract", ["bun", "scripts/schedule-cli-contract-test.ts"], 30_000));
|
||||
items.push(commandItem("gh:issue-guard-contract", ["bun", "scripts/gh-cli-issue-guard-contract-test.ts"], 30_000));
|
||||
items.push(commandItem("gh:pr-contract", ["bun", "scripts/gh-cli-pr-contract-test.ts"], 30_000));
|
||||
} else {
|
||||
items.push(skippedItem("typescript:scripts", "scripts TypeScript typecheck is opt-in", "--scripts-typecheck or --full"));
|
||||
@@ -314,6 +316,7 @@ export function runChecks(config: UniDeskConfig, options: CheckOptions = default
|
||||
items.push(skippedItem("code-queue:liveness-diagnostics-fixtures", "Code Queue liveness diagnostics fixtures are opt-in with script checks", "--scripts-typecheck or --full"));
|
||||
items.push(skippedItem("baidu-netdisk:artifact-guard-contract", "Baidu Netdisk artifact guard contract is opt-in with script checks", "--scripts-typecheck or --full"));
|
||||
items.push(skippedItem("schedule:cli-contract", "Schedule CLI contract is opt-in with script checks", "--scripts-typecheck or --full"));
|
||||
items.push(skippedItem("gh:issue-guard-contract", "GitHub issue CLI contract is opt-in with script checks", "--scripts-typecheck or --full"));
|
||||
items.push(skippedItem("gh:pr-contract", "GitHub PR CLI contract is opt-in with script checks", "--scripts-typecheck or --full"));
|
||||
}
|
||||
if (options.logs) {
|
||||
|
||||
+452
-33
@@ -18,6 +18,8 @@ const ISSUE_LIST_JSON_FIELDS = ["number", "title", "state", "url", "updatedAt",
|
||||
const PR_JSON_FIELDS = ["body", "title", "state", "number", "url", "author", "head", "base", "draft", "createdAt", "updatedAt"] as const;
|
||||
const ISSUE_LIST_STATES = ["open", "closed", "all"] as const;
|
||||
const BODY_UPDATE_MODES = ["replace", "append"] as const;
|
||||
const MIN_SAFE_BODY_SCAN_CHARS = MIN_SAFE_ISSUE_BODY_CHARS;
|
||||
const ISSUE_SCAN_MAX_FINDINGS = 60;
|
||||
const ISSUE_BODY_PROFILES = {
|
||||
"code-queue-board": {
|
||||
label: "Code Queue long board issue #20",
|
||||
@@ -38,6 +40,10 @@ type IssueListState = typeof ISSUE_LIST_STATES[number];
|
||||
type BodyUpdateMode = typeof BODY_UPDATE_MODES[number];
|
||||
type IssueBodyProfileName = keyof typeof ISSUE_BODY_PROFILES;
|
||||
type IssueBodyProfileOption = "auto" | IssueBodyProfileName;
|
||||
type EscapeFindingClassification = "suspected-pollution" | "explanatory-mention" | "risk";
|
||||
type EscapeFindingSeverity = "low" | "medium" | "high";
|
||||
type EscapeBodyKind = "issue-body" | "comment-body";
|
||||
type CleanupSuggestionAction = "rewrite-issue-body-with-body-file" | "review-comment-manually" | "review-body-length" | "no-cleanup-needed";
|
||||
|
||||
type GitHubDegradedReason =
|
||||
| "missing-binary"
|
||||
@@ -106,6 +112,69 @@ interface CommanderBriefSection {
|
||||
startLine: number;
|
||||
}
|
||||
|
||||
interface EscapePatternDefinition {
|
||||
kind: string;
|
||||
pattern: RegExp;
|
||||
description: string;
|
||||
}
|
||||
|
||||
interface EscapeMatchFinding {
|
||||
type: "issue" | "comment";
|
||||
bodyKind: EscapeBodyKind;
|
||||
bodyId: string;
|
||||
issueNumber: number;
|
||||
issueId: number;
|
||||
commentId?: number;
|
||||
url: string;
|
||||
kind: string;
|
||||
classification: EscapeFindingClassification;
|
||||
severity: EscapeFindingSeverity;
|
||||
reason: string;
|
||||
snippet: string;
|
||||
lineNumber: number;
|
||||
column: number;
|
||||
match: string;
|
||||
bodyChars: number | null;
|
||||
bodyTrimmedChars: number | null;
|
||||
cleanupPreview?: {
|
||||
before: string;
|
||||
after: string;
|
||||
};
|
||||
}
|
||||
|
||||
interface EscapeCleanupSuggestion {
|
||||
type: EscapeBodyKind;
|
||||
bodyId: string;
|
||||
issueNumber: number;
|
||||
issueId: number;
|
||||
commentId?: number;
|
||||
url: string;
|
||||
classification: EscapeFindingClassification;
|
||||
action: CleanupSuggestionAction;
|
||||
reason: string;
|
||||
findings: Array<Pick<EscapeMatchFinding, "kind" | "classification" | "severity" | "lineNumber" | "column" | "snippet" | "match">>;
|
||||
plannedCommand?: string;
|
||||
bodyFileHint?: string;
|
||||
preview?: {
|
||||
before: string;
|
||||
after: string;
|
||||
};
|
||||
}
|
||||
|
||||
interface EscapeScanErrorFinding {
|
||||
type: "comment-scan-error";
|
||||
bodyKind: EscapeBodyKind;
|
||||
bodyId: string;
|
||||
issueNumber: number;
|
||||
issueId: number;
|
||||
url: string;
|
||||
degradedReason: GitHubDegradedReason;
|
||||
runnerDisposition: RunnerDisposition;
|
||||
details: GitHubErrorPayload;
|
||||
}
|
||||
|
||||
type EscapeScanEntry = EscapeMatchFinding | EscapeScanErrorFinding;
|
||||
|
||||
interface GitHubCommandResult {
|
||||
ok: boolean;
|
||||
repo: string;
|
||||
@@ -788,6 +857,32 @@ function commanderBriefNotificationPlan(issueNumber: number, body: string, diff:
|
||||
};
|
||||
}
|
||||
|
||||
function writeBodyPlan(command: "issue create" | "issue comment create" | "pr create" | "pr comment", repo: string, body: string, bodySource: Record<string, unknown>, extra: Record<string, unknown> = {}): Record<string, unknown> {
|
||||
const isIssueWrite = command === "issue create" || command === "issue comment create";
|
||||
return {
|
||||
repo,
|
||||
bodySource,
|
||||
bodyPreview: preview(body),
|
||||
bodyPreviewLines: previewLines(body),
|
||||
...bodySafetySignals(body),
|
||||
request: {
|
||||
method: "POST",
|
||||
path: isIssueWrite
|
||||
? (command === "issue create" ? "/repos/{owner}/{repo}/issues" : "/repos/{owner}/{repo}/issues/{issue_number}/comments")
|
||||
: (command === "pr create" ? "/repos/{owner}/{repo}/pulls" : "/repos/{owner}/{repo}/issues/{issue_number}/comments"),
|
||||
body: {
|
||||
bodyChars: body.length,
|
||||
bodySource,
|
||||
},
|
||||
},
|
||||
validation: {
|
||||
source: String(bodySource.kind ?? "unknown"),
|
||||
rawText: "read from file bytes without shell interpolation",
|
||||
},
|
||||
...extra,
|
||||
};
|
||||
}
|
||||
|
||||
function runnerDisposition(reason: GitHubDegradedReason): RunnerDisposition {
|
||||
if (reason === "unsupported-command" || reason === "validation-failed" || reason === "issue-not-found" || reason === "pr-not-found") return "business-failed";
|
||||
return "infra-blocked";
|
||||
@@ -1523,11 +1618,22 @@ async function issueList(repo: string, token: string, state: IssueListState, lim
|
||||
async function issueCreate(repo: string, token: string, options: GitHubOptions): Promise<GitHubCommandResult> {
|
||||
if (options.title === undefined) throw new Error("issue create requires --title <title>");
|
||||
const body = readBodyFile(options.bodyFile, "issue create");
|
||||
if (options.dryRun) return { ok: true, command: "issue create", repo, dryRun: true, ...dryRunBody(repo, options.title, body) };
|
||||
const bodySource = { kind: "body-file", path: options.bodyFile ?? null };
|
||||
if (options.dryRun) {
|
||||
return {
|
||||
ok: true,
|
||||
command: "issue create",
|
||||
repo,
|
||||
dryRun: true,
|
||||
planned: true,
|
||||
title: options.title,
|
||||
...writeBodyPlan("issue create", repo, body, bodySource, { title: options.title }),
|
||||
};
|
||||
}
|
||||
const { owner, name } = repoParts(repo);
|
||||
const issue = await githubRequest<GitHubIssue>(token, "POST", `/repos/${owner}/${name}/issues`, { title: options.title, body });
|
||||
if (isGitHubError(issue)) return commandError("issue create", repo, issue);
|
||||
return { ok: true, command: "issue create", repo, issue: issueSummary(issue), rest: true };
|
||||
return { ok: true, command: "issue create", repo, issue: issueSummary(issue), bodySource, rest: true };
|
||||
}
|
||||
|
||||
async function issueEdit(repo: string, token: string, issueNumber: number, options: GitHubOptions, commandName = "issue edit"): Promise<GitHubCommandResult> {
|
||||
@@ -1679,11 +1785,22 @@ async function issueEdit(repo: string, token: string, issueNumber: number, optio
|
||||
|
||||
async function issueComment(repo: string, token: string, issueNumber: number, options: GitHubOptions): Promise<GitHubCommandResult> {
|
||||
const body = readBodyFile(options.bodyFile, "issue comment");
|
||||
if (options.dryRun) return { ok: true, command: "issue comment create", repo, dryRun: true, issueNumber, ...dryRunBody(repo, undefined, body) };
|
||||
const bodySource = { kind: "body-file", path: options.bodyFile ?? null };
|
||||
if (options.dryRun) {
|
||||
return {
|
||||
ok: true,
|
||||
command: "issue comment create",
|
||||
repo,
|
||||
dryRun: true,
|
||||
planned: true,
|
||||
issueNumber,
|
||||
...writeBodyPlan("issue comment create", repo, body, bodySource, { issueNumber }),
|
||||
};
|
||||
}
|
||||
const { owner, name } = repoParts(repo);
|
||||
const comment = await githubRequest<GitHubComment>(token, "POST", `/repos/${owner}/${name}/issues/${issueNumber}/comments`, { body });
|
||||
if (isGitHubError(comment)) return commandError("issue comment", repo, comment, { issueNumber });
|
||||
return { ok: true, command: "issue comment create", repo, comment: commentSummary(comment), rest: true };
|
||||
return { ok: true, command: "issue comment create", repo, issueNumber, comment: commentSummary(comment), bodySource, rest: true };
|
||||
}
|
||||
|
||||
async function commentDelete(repo: string, token: string, ownerKind: "issue" | "pr", commentId: number, dryRun: boolean): Promise<GitHubCommandResult> {
|
||||
@@ -1721,48 +1838,316 @@ async function issueState(repo: string, token: string, issueNumber: number, stat
|
||||
return { ok: true, command: state === "closed" ? "issue close" : "issue reopen", repo, issue: issueSummary(issue), rest: true };
|
||||
}
|
||||
|
||||
function escapeSnippet(text: string, index: number): string {
|
||||
const start = Math.max(0, index - 80);
|
||||
const end = Math.min(text.length, index + 120);
|
||||
function escapeSnippet(text: string, index: number, radius = 80): string {
|
||||
const start = Math.max(0, index - radius);
|
||||
const end = Math.min(text.length, index + radius + 40);
|
||||
return text.slice(start, end).replace(/\n/g, "\\n");
|
||||
}
|
||||
|
||||
function scanText(text: string, patterns: Array<{ kind: string; pattern: RegExp }>): Array<{ kind: string; snippet: string }> {
|
||||
const findings: Array<{ kind: string; snippet: string }> = [];
|
||||
function lineColumnAt(text: string, index: number): { lineNumber: number; column: number } {
|
||||
let lineNumber = 1;
|
||||
let column = 1;
|
||||
for (let cursor = 0; cursor < index && cursor < text.length; cursor += 1) {
|
||||
if (text[cursor] === "\n") {
|
||||
lineNumber += 1;
|
||||
column = 1;
|
||||
} else {
|
||||
column += 1;
|
||||
}
|
||||
}
|
||||
return { lineNumber, column };
|
||||
}
|
||||
|
||||
function lineTextAt(text: string, lineNumber: number): string {
|
||||
const lines = text.split(/\r?\n/);
|
||||
return lines[lineNumber - 1] ?? "";
|
||||
}
|
||||
|
||||
function isInsideFencedCodeBlock(text: string, index: number): boolean {
|
||||
const lines = text.slice(0, index).split(/\r?\n/);
|
||||
let openFence = false;
|
||||
for (const line of lines) {
|
||||
const trimmed = line.trimStart();
|
||||
if (trimmed.startsWith("```") || trimmed.startsWith("~~~")) openFence = !openFence;
|
||||
}
|
||||
return openFence;
|
||||
}
|
||||
|
||||
function isInsideInlineCode(text: string, index: number): boolean {
|
||||
const { lineNumber, column } = lineColumnAt(text, index);
|
||||
const line = lineTextAt(text, lineNumber);
|
||||
const before = line.slice(0, Math.max(0, column - 1));
|
||||
const after = line.slice(Math.max(0, column - 1));
|
||||
return (before.match(/`/g)?.length ?? 0) % 2 === 1 && (after.match(/`/g)?.length ?? 0) > 0;
|
||||
}
|
||||
|
||||
function isExplanatoryLiteralBackslashN(text: string, index: number): boolean {
|
||||
if (isInsideFencedCodeBlock(text, index) || isInsideInlineCode(text, index)) return true;
|
||||
const window = text.slice(Math.max(0, index - 90), Math.min(text.length, index + 90)).toLowerCase();
|
||||
return [
|
||||
"字面量",
|
||||
"说明",
|
||||
"示例",
|
||||
"举例",
|
||||
"提到",
|
||||
"引用",
|
||||
"文本",
|
||||
"字符串",
|
||||
"escape",
|
||||
"literal",
|
||||
"example",
|
||||
"mention",
|
||||
"quoted",
|
||||
"反斜杠",
|
||||
].some((keyword) => window.includes(keyword));
|
||||
}
|
||||
|
||||
function cleanupEscapedText(text: string): string {
|
||||
return text
|
||||
.replace(/\\r\\n/g, "\n")
|
||||
.replace(/\\n/g, "\n")
|
||||
.replace(/\\t/g, "\t")
|
||||
.replace(/\\x0a/gi, "\n")
|
||||
.replace(/\\x1b/gi, "")
|
||||
.replace(/\\u001b/gi, "")
|
||||
.replace(/\\033/g, "")
|
||||
.replace(/\\`/g, "`");
|
||||
}
|
||||
|
||||
function escapeBodyId(bodyKind: EscapeBodyKind, issueNumber: number, issueId: number, commentId?: number): string {
|
||||
return bodyKind === "issue-body"
|
||||
? `issue:${issueNumber}:body:${issueId}`
|
||||
: `issue:${issueNumber}:comment:${commentId ?? "unknown"}`;
|
||||
}
|
||||
|
||||
function textFindingPatterns(): EscapePatternDefinition[] {
|
||||
return [
|
||||
{
|
||||
kind: "literal-backslash-n",
|
||||
pattern: /\\n/g,
|
||||
description: "literal backslash-n",
|
||||
},
|
||||
{
|
||||
kind: "literal-backslash-t",
|
||||
pattern: /\\t/g,
|
||||
description: "literal backslash-t",
|
||||
},
|
||||
{
|
||||
kind: "escaped-backtick",
|
||||
pattern: /\\`/g,
|
||||
description: "escaped backtick",
|
||||
},
|
||||
{
|
||||
kind: "shell-escaped-newline",
|
||||
pattern: /\\r\\n|\\012|\\x0a/gi,
|
||||
description: "shell escaped newline",
|
||||
},
|
||||
{
|
||||
kind: "ansi-escape-literal",
|
||||
pattern: /\\x1b|\\u001b|\\033/gi,
|
||||
description: "ANSI escape literal",
|
||||
},
|
||||
];
|
||||
}
|
||||
|
||||
function bodyRiskFindings(kind: EscapeBodyKind, issueNumber: number, issueId: number, body: string | null, url: string, commentId?: number): EscapeMatchFinding[] {
|
||||
const bodyChars = body === null ? null : body.length;
|
||||
const bodyTrimmedChars = body === null ? null : body.trim().length;
|
||||
const location = {
|
||||
type: kind === "issue-body" ? "issue" as const : "comment" as const,
|
||||
bodyKind: kind,
|
||||
bodyId: escapeBodyId(kind, issueNumber, issueId, commentId),
|
||||
issueNumber,
|
||||
issueId,
|
||||
...(commentId === undefined ? {} : { commentId }),
|
||||
url,
|
||||
bodyChars,
|
||||
bodyTrimmedChars,
|
||||
};
|
||||
if (body === null) {
|
||||
return [{
|
||||
...location,
|
||||
kind: "null-body",
|
||||
classification: "risk",
|
||||
severity: "high",
|
||||
reason: "GitHub returned a null body",
|
||||
snippet: "",
|
||||
lineNumber: 0,
|
||||
column: 0,
|
||||
match: "",
|
||||
}];
|
||||
}
|
||||
const trimmed = body.trim();
|
||||
if (trimmed.toLowerCase() === "null") {
|
||||
return [{
|
||||
...location,
|
||||
kind: "literal-null-body",
|
||||
classification: "risk",
|
||||
severity: "high",
|
||||
reason: "body text is the literal string null",
|
||||
snippet: escapeSnippet(body, 0),
|
||||
lineNumber: 1,
|
||||
column: 1,
|
||||
match: "null",
|
||||
}];
|
||||
}
|
||||
if (trimmed.length === 0) {
|
||||
return [{
|
||||
...location,
|
||||
kind: "blank-body",
|
||||
classification: "risk",
|
||||
severity: "medium",
|
||||
reason: "body is blank after trimming",
|
||||
snippet: "",
|
||||
lineNumber: 0,
|
||||
column: 0,
|
||||
match: "",
|
||||
}];
|
||||
}
|
||||
if (trimmed.length < MIN_SAFE_BODY_SCAN_CHARS) {
|
||||
return [{
|
||||
...location,
|
||||
kind: "short-body",
|
||||
classification: "risk",
|
||||
severity: "medium",
|
||||
reason: `body is shorter than the safe guard threshold (${MIN_SAFE_BODY_SCAN_CHARS} chars)`,
|
||||
snippet: escapeSnippet(body, 0),
|
||||
lineNumber: 1,
|
||||
column: 1,
|
||||
match: "",
|
||||
}];
|
||||
}
|
||||
return [];
|
||||
}
|
||||
|
||||
function scanText(text: string, patterns: EscapePatternDefinition[], issueNumber: number, issueId: number, bodyKind: EscapeBodyKind, url: string, commentId?: number): EscapeMatchFinding[] {
|
||||
const findings: EscapeMatchFinding[] = [];
|
||||
const counts = new Map<string, number>();
|
||||
for (const item of patterns) {
|
||||
item.pattern.lastIndex = 0;
|
||||
const matches = text.match(item.pattern);
|
||||
counts.set(item.kind, matches === null ? 0 : matches.length);
|
||||
}
|
||||
for (const item of patterns) {
|
||||
item.pattern.lastIndex = 0;
|
||||
let match = item.pattern.exec(text);
|
||||
while (match !== null) {
|
||||
findings.push({ kind: item.kind, snippet: escapeSnippet(text, match.index) });
|
||||
if (findings.length >= 5) return findings;
|
||||
const { lineNumber, column } = lineColumnAt(text, match.index);
|
||||
const explanatory = item.kind === "literal-backslash-n" && counts.get(item.kind) === 1 && isExplanatoryLiteralBackslashN(text, match.index);
|
||||
const classification: EscapeFindingClassification = explanatory ? "explanatory-mention" : "suspected-pollution";
|
||||
const severity: EscapeFindingSeverity = explanatory ? "low" : item.kind === "ansi-escape-literal" ? "high" : "medium";
|
||||
findings.push({
|
||||
type: bodyKind === "issue-body" ? "issue" : "comment",
|
||||
bodyKind,
|
||||
bodyId: escapeBodyId(bodyKind, issueNumber, issueId, commentId),
|
||||
issueNumber,
|
||||
issueId,
|
||||
...(commentId === undefined ? {} : { commentId }),
|
||||
url,
|
||||
kind: item.kind,
|
||||
classification,
|
||||
severity,
|
||||
reason: explanatory
|
||||
? "literal backslash-n appears in explanatory context"
|
||||
: `matched ${item.description}`,
|
||||
snippet: escapeSnippet(text, match.index),
|
||||
lineNumber,
|
||||
column,
|
||||
match: match[0],
|
||||
bodyChars: text.length,
|
||||
bodyTrimmedChars: text.trim().length,
|
||||
...(classification === "suspected-pollution"
|
||||
? { cleanupPreview: { before: escapeSnippet(text, match.index), after: escapeSnippet(cleanupEscapedText(text), match.index) } }
|
||||
: {}),
|
||||
});
|
||||
if (findings.length >= ISSUE_SCAN_MAX_FINDINGS) return findings;
|
||||
match = item.pattern.exec(text);
|
||||
}
|
||||
}
|
||||
return findings;
|
||||
}
|
||||
|
||||
async function issueScanEscape(repo: string, token: string, limit: number): Promise<GitHubCommandResult> {
|
||||
function summarizeCleanupSuggestion(findings: EscapeScanEntry[]): EscapeCleanupSuggestion[] {
|
||||
const groups = new Map<string, EscapeMatchFinding[]>();
|
||||
for (const finding of findings) {
|
||||
if (finding.type === "comment-scan-error") continue;
|
||||
if (finding.classification !== "suspected-pollution" && finding.kind !== "short-body" && finding.kind !== "null-body" && finding.kind !== "blank-body" && finding.kind !== "literal-null-body") continue;
|
||||
const locatorKey = `${finding.bodyKind}:${finding.issueNumber}:${finding.issueId}:${finding.commentId ?? ""}`;
|
||||
const list = groups.get(locatorKey);
|
||||
if (list === undefined) groups.set(locatorKey, [finding]);
|
||||
else list.push(finding);
|
||||
}
|
||||
|
||||
const suggestions: EscapeCleanupSuggestion[] = [];
|
||||
for (const group of groups.values()) {
|
||||
const first = group[0];
|
||||
const suspected = group.some((finding) => finding.classification === "suspected-pollution");
|
||||
const bodyRisk = group.some((finding) => finding.classification === "risk");
|
||||
suggestions.push({
|
||||
type: first.bodyKind,
|
||||
bodyId: first.bodyId,
|
||||
issueNumber: first.issueNumber,
|
||||
issueId: first.issueId,
|
||||
...(first.commentId === undefined ? {} : { commentId: first.commentId }),
|
||||
url: first.url,
|
||||
classification: suspected ? "suspected-pollution" : "risk",
|
||||
action: first.bodyKind === "issue-body"
|
||||
? (suspected ? "rewrite-issue-body-with-body-file" : "review-body-length")
|
||||
: "review-comment-manually",
|
||||
reason: suspected
|
||||
? "suspected shell escape pollution should be rewritten from a body file"
|
||||
: bodyRisk
|
||||
? "body length/null risk should be reviewed before any write"
|
||||
: "no cleanup needed",
|
||||
findings: group.map((finding) => ({
|
||||
kind: finding.kind,
|
||||
classification: finding.classification,
|
||||
severity: finding.severity,
|
||||
lineNumber: finding.lineNumber,
|
||||
column: finding.column,
|
||||
snippet: finding.snippet,
|
||||
match: finding.match,
|
||||
})),
|
||||
...(first.bodyKind === "issue-body"
|
||||
? {
|
||||
plannedCommand: `bun scripts/cli.ts gh issue update ${first.issueNumber} --mode replace --body-file <file> --dry-run`,
|
||||
bodyFileHint: "write a cleaned Markdown body to a file, then pass it with --body-file; use a quoted heredoc to stage the file instead of inline shell text",
|
||||
preview: {
|
||||
before: first.cleanupPreview?.before ?? first.snippet,
|
||||
after: first.cleanupPreview?.after ?? first.snippet,
|
||||
},
|
||||
}
|
||||
: {
|
||||
preview: {
|
||||
before: first.cleanupPreview?.before ?? first.snippet,
|
||||
after: first.cleanupPreview?.after ?? first.snippet,
|
||||
},
|
||||
}),
|
||||
});
|
||||
}
|
||||
return suggestions;
|
||||
}
|
||||
|
||||
async function issueScanEscape(repo: string, token: string, limit: number, dryRun: boolean, commandName = "issue scan-escape"): Promise<GitHubCommandResult> {
|
||||
const { owner, name } = repoParts(repo);
|
||||
const issues = await githubRequest<GitHubIssue[]>(token, "GET", `/repos/${owner}/${name}/issues?state=all&per_page=${limit}`);
|
||||
if (isGitHubError(issues)) return commandError("issue scan-escape", repo, issues);
|
||||
if (isGitHubError(issues)) return commandError(commandName, repo, issues);
|
||||
const issueOnly = issues.filter((issue) => issue.pull_request === undefined).slice(0, limit);
|
||||
|
||||
const patterns = [
|
||||
{ kind: "literal-backslash-n", pattern: /\\n/g },
|
||||
{ kind: "literal-backslash-t", pattern: /\\t/g },
|
||||
{ kind: "shell-escaped-newline", pattern: /\\r\\n|\\012|\\x0a/g },
|
||||
{ kind: "ansi-escape-literal", pattern: /\\u001b|\\033/g },
|
||||
];
|
||||
|
||||
const findings: Array<Record<string, unknown>> = [];
|
||||
for (const issue of issues) {
|
||||
for (const finding of scanText(issue.body ?? "", patterns)) {
|
||||
findings.push({ type: "issue", issueNumber: issue.number, id: issue.id, url: issue.html_url, ...finding });
|
||||
}
|
||||
const patterns = textFindingPatterns();
|
||||
const findings: EscapeScanEntry[] = [];
|
||||
let scannedComments = 0;
|
||||
for (const issue of issueOnly) {
|
||||
findings.push(...bodyRiskFindings("issue-body", issue.number, issue.id, issue.body, issue.html_url));
|
||||
findings.push(...scanText(issue.body ?? "", patterns, issue.number, issue.id, "issue-body", issue.html_url));
|
||||
const comments = await listIssueComments(token, repo, issue.number);
|
||||
if (isGitHubError(comments)) {
|
||||
findings.push({
|
||||
type: "comment-scan-error",
|
||||
bodyKind: "comment-body",
|
||||
bodyId: escapeBodyId("comment-body", issue.number, issue.id),
|
||||
issueNumber: issue.number,
|
||||
issueId: issue.id,
|
||||
url: issue.html_url,
|
||||
degradedReason: comments.degradedReason,
|
||||
runnerDisposition: comments.runnerDisposition ?? runnerDisposition(comments.degradedReason),
|
||||
@@ -1771,18 +2156,42 @@ async function issueScanEscape(repo: string, token: string, limit: number): Prom
|
||||
continue;
|
||||
}
|
||||
for (const comment of comments) {
|
||||
for (const finding of scanText(comment.body ?? "", patterns)) {
|
||||
findings.push({ type: "comment", issueNumber: issue.number, id: comment.id, url: comment.html_url, ...finding });
|
||||
}
|
||||
scannedComments += 1;
|
||||
findings.push(...bodyRiskFindings("comment-body", issue.number, issue.id, comment.body, comment.html_url, comment.id));
|
||||
findings.push(...scanText(comment.body ?? "", patterns, issue.number, issue.id, "comment-body", comment.html_url, comment.id));
|
||||
}
|
||||
}
|
||||
const cleanupSuggestions = summarizeCleanupSuggestion(findings);
|
||||
const summary = findings.reduce((acc, finding) => {
|
||||
if (finding.type === "comment-scan-error") {
|
||||
acc.commentScanErrors += 1;
|
||||
return acc;
|
||||
}
|
||||
if (finding.classification === "suspected-pollution") acc.suspectedPollution += 1;
|
||||
if (finding.classification === "explanatory-mention") acc.explanatoryMention += 1;
|
||||
if (finding.classification === "risk") acc.risk += 1;
|
||||
if (finding.kind === "null-body" || finding.kind === "literal-null-body" || finding.kind === "blank-body" || finding.kind === "short-body") acc.bodyRisks += 1;
|
||||
return acc;
|
||||
}, { suspectedPollution: 0, explanatoryMention: 0, risk: 0, bodyRisks: 0, commentScanErrors: 0 });
|
||||
return {
|
||||
ok: true,
|
||||
command: "issue scan-escape",
|
||||
command: commandName,
|
||||
repo,
|
||||
scannedIssues: issues.length,
|
||||
dryRun,
|
||||
planned: true,
|
||||
scannedIssues: issueOnly.length,
|
||||
rawIssues: issues.length,
|
||||
scannedComments,
|
||||
findings,
|
||||
note: "Read-only scan; no issue or comment content was modified.",
|
||||
cleanupSuggestions,
|
||||
summary: {
|
||||
findings: findings.length,
|
||||
suggestions: cleanupSuggestions.length,
|
||||
...summary,
|
||||
},
|
||||
note: dryRun
|
||||
? "Dry-run cleanup planning only; no issue or comment content was modified."
|
||||
: "Read-only scan; no issue or comment content was modified.",
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1906,7 +2315,8 @@ export function ghHelp(): unknown {
|
||||
"bun scripts/cli.ts gh issue comment delete <commentId> [--repo owner/name] [--dry-run]",
|
||||
"bun scripts/cli.ts gh issue close|reopen <number> [--repo owner/name] [--dry-run]",
|
||||
"bun scripts/cli.ts gh issue delete <number> [unsupported: use close]",
|
||||
"bun scripts/cli.ts gh issue scan-escape [--repo owner/name] [--limit N]",
|
||||
"bun scripts/cli.ts gh issue scan-escape [--repo owner/name] [--limit N] [--dry-run]",
|
||||
"bun scripts/cli.ts gh issue cleanup-plan [--repo owner/name] [--limit N] [--dry-run]",
|
||||
"bun scripts/cli.ts gh pr list [--repo owner/name] [--limit N] [--json number,title,state,url,updatedAt,createdAt,author,head,base,draft]",
|
||||
"bun scripts/cli.ts gh pr view <number> [--repo owner/name] [--json body,title,state,head,base,draft]",
|
||||
"bun scripts/cli.ts gh pr create --title <title> --body-file <file>|--body <text> --base <branch> --head <branch> [--repo owner/name] [--draft] [--dry-run]",
|
||||
@@ -1928,6 +2338,9 @@ export function ghHelp(): unknown {
|
||||
"issue update --body-file refuses literal null, blank, and too-short bodies by default. Use --allow-short-body only for intentional short writes; #20 and #24 body-only profiles require their stable headings.",
|
||||
"issue update dry-run reports old/new body length slots, body SHA, required heading checks, literal \\n detection, and shell-pollution signals. Non-dry-run can use --expect-updated-at or --expect-body-sha for stale-cache protection.",
|
||||
"Issue body stdin is intentionally unsupported in this CLI; write generated Markdown to a file and pass --body-file.",
|
||||
"When staging a body file from a shell, use a quoted heredoc such as cat <<'EOF' > /tmp/body.md so backticks and backslashes are not expanded before --body-file reads the file.",
|
||||
"For JSON request bodies in other CLI namespaces, prefer --body-file or --body-stdin over long inline shell arguments; GitHub Markdown writes intentionally use --body-file only.",
|
||||
"issue scan-escape classifies literal \\n findings as suspected-pollution, explanatory-mention, or risk, and emits cleanupSuggestions with body/comment ids plus diff-like previews. cleanup-plan is an alias that remains dry-run/read-only.",
|
||||
"issue edit 24 --notify-claudeqq-brief-diff reads the old issue body, PATCHes the new body, and sends only newly added '## 更新 ... 北京时间' sections to ClaudeQQ; ClaudeQQ failure does not roll back GitHub.",
|
||||
"Commander brief ClaudeQQ defaults to private target 645275593 through backend-core /api/microservices/claudeqq/proxy; UNIDESK_COMMANDER_BRIEF_CLAUDEQQ_* env vars can override target, base URL, timeout, and enabled state.",
|
||||
"comment delete is supported because GitHub supports deleting issue comments; issue/pr hard delete is unsupported and close is the lifecycle alternative.",
|
||||
@@ -1995,6 +2408,13 @@ export async function runGhCommand(args: string[]): Promise<GitHubCommandResult
|
||||
if (missing !== null || token === null) return missing ?? authRequired(options.repo, "issue comment create", { present: false, source: null, ghFallbackAttempted: true });
|
||||
return issueComment(options.repo, token, issueNumber, options);
|
||||
}
|
||||
if (sub === "scan-escape" || sub === "cleanup-plan") {
|
||||
const { token, probe } = resolveToken(true);
|
||||
const commandName = sub === "cleanup-plan" ? "issue cleanup-plan" : "issue scan-escape";
|
||||
const missing = authRequired(options.repo, commandName, probe);
|
||||
if (missing !== null || token === null) return missing ?? authRequired(options.repo, commandName, { present: false, source: null, ghFallbackAttempted: true });
|
||||
return issueScanEscape(options.repo, token, options.limit, options.dryRun || sub === "cleanup-plan", commandName);
|
||||
}
|
||||
if (options.dryRun) {
|
||||
if (sub === "create") return issueCreate(options.repo, "", options);
|
||||
if (sub === "edit") {
|
||||
@@ -2024,7 +2444,6 @@ export async function runGhCommand(args: string[]): Promise<GitHubCommandResult
|
||||
if (sub === "close") return issueState(options.repo, token, parseNumber(third, "issue close"), "closed", options.dryRun);
|
||||
if (sub === "reopen") return issueState(options.repo, token, parseNumber(third, "issue reopen"), "open", options.dryRun);
|
||||
if (sub === "delete") return unsupportedCommand("issue delete", options.repo, "GitHub REST does not support hard-deleting issues; use gh issue close for lifecycle deletion semantics.");
|
||||
if (sub === "scan-escape") return issueScanEscape(options.repo, token, options.limit);
|
||||
}
|
||||
|
||||
if (top === "pr") {
|
||||
|
||||
Reference in New Issue
Block a user