fix: validate scene file extension#988
Code Review
This pull request introduces a validation check in sceneFetcher to ensure the requested sceneUrl ends with .txt. The review feedback recommends rejecting the Promise with an Error object instead of a string literal to preserve stack traces, and suggests stripping query parameters or hashes from the URL before validation to prevent false negatives.
```javascript
if (!sceneUrl.endsWith('.txt')) {
  reject('Scene file must be a txt file');
  return;
}
```
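Review bot: the `endsWith('.txt')` test on the first line is a suffix check and nothing more, so it is case-sensitive (`SCENE.TXT` is rejected) and it does not constrain the scheme or origin of the URL: any string that happens to end in `.txt`, including a `data:` URL or a cross-origin URL, still reaches the fetch. If the goal is to limit what sceneFetcher will load, parse the value with the URL API and check `protocol` (and `origin`, if only same-origin scenes are expected) in addition to the path, and compare the suffix case-insensitively.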
In JavaScript/TypeScript, rejecting a Promise with a string literal (such as `reject('Scene file must be a txt file')`) is an anti-pattern. Use an Error object instead (such as `reject(new Error('...'))`), which preserves the stack trace and makes debugging and unified error handling easier.

In addition, validating directly with `sceneUrl.endsWith('.txt')` can fail when the URL carries a query string or hash (for example `scene.txt?v=1.0` used for cache busting). A safer approach is to strip the query string and hash before checking the suffix, and to guard explicitly against an empty string or an invalid URL.
```javascript
// Guard against an empty scene URL before doing anything else.
if (!sceneUrl) {
  reject(new Error('Scene URL is empty'));
  return;
}
// Strip the query string and hash so they do not break the suffix check.
const pathname = sceneUrl.split('?')[0].split('#')[0];
if (!pathname.endsWith('.txt')) {
  reject(new Error('Scene file must be a txt file'));
  return;
}
```
fixes: #980
The function that fetches a scene does no validation of the incoming sceneUrl, so when an empty string is passed in, the request goes to the page's own URL and the current HTML is fetched instead.
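As an added example (not the project's code, and not the reviewer's suggestion verbatim), the following shows both the failure mode this PR describes and a validation routine that follows the review advice. `resolveSceneUrl` demonstrates why an empty string ends up fetching the page itself: a relative URL is resolved against the document's own location, so `''` resolves to the page. `validateSceneUrl` rejects empty input, parses with the URL API so query strings and hashes never reach the suffix test, restricts the scheme to http(s) (an assumption made here; the PR does not specify allowed schemes), compares the `.txt` suffix case-insensitively, and throws an `Error` object rather than a string. The function names, the `PAGE_URL` base and the sample inputs are constructed for this example; the project's own `sceneFetcher` and its fetch call are not reproduced.

```javascript
// Added example: scene URL validation in the spirit of PR #988.
// Names and the base URL below are assumptions made for the example,
// not identifiers from the project.

// Stand-in for the page's own location (document.baseURI in a browser).
const PAGE_URL = 'https://example.com/app/index.html';

// Demonstrates the original bug: relative scene URLs are resolved against
// the page URL, so an empty string resolves to the page itself and a
// fetch would return the current HTML document.
function resolveSceneUrl(sceneUrl, base = PAGE_URL) {
  return new URL(sceneUrl, base).href;
}

// Hardened check. Throws an Error (never a string) so the stack trace
// survives when a caller turns it into a Promise rejection.
function validateSceneUrl(sceneUrl, base = PAGE_URL) {
  // 1. Reject missing, empty or whitespace-only input explicitly instead of
  //    letting the URL parser silently resolve it to the page URL.
  if (typeof sceneUrl !== 'string' || sceneUrl.trim() === '') {
    throw new Error('Scene URL is empty');
  }

  // 2. Parse with the URL API; this also covers relative paths.
  let url;
  try {
    url = new URL(sceneUrl, base);
  } catch {
    throw new Error(`Scene URL is invalid: ${sceneUrl}`);
  }

  // 3. Only http(s) is allowed (assumption for this example). Without this,
  //    "data:text/plain,x.txt" has a pathname ending in ".txt" and would pass.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`Scene URL must use http(s), got ${url.protocol}`);
  }

  // 4. url.pathname excludes "?query" and "#hash", so "scene.txt?v=1.0"
  //    passes; the comparison is case-insensitive so "LEVEL1.TXT" passes too.
  if (!url.pathname.toLowerCase().endsWith('.txt')) {
    throw new Error('Scene file must be a txt file');
  }
  return url.href;
}

// Promise-returning wrapper shaped like the reviewed code: the Promise
// rejects with the Error object produced above, not with a string literal.
function checkSceneUrl(sceneUrl, base = PAGE_URL) {
  return new Promise((resolve, reject) => {
    try {
      resolve(validateSceneUrl(sceneUrl, base));
    } catch (err) {
      reject(err);
    }
  });
}

// Stand-alone demonstration with constructed inputs.
console.log(resolveSceneUrl(''));                       // the page itself
console.log(validateSceneUrl('scene.txt?v=1.0#top'));   // query/hash tolerated
checkSceneUrl('').catch((err) => console.log(err instanceof Error, err.message));
```

The scheme check is the part that goes beyond the review comment: stripping `?` and `#` fixes the false negative the reviewer mentions, but a suffix test alone still accepts anything whose path ends in `.txt`, so deciding which schemes (and, if applicable, which origins) a scene may come from belongs in the same validation step. Dropping the `protocol` check would let the `data:` case through.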