Skip to content

test: parity regression guard for alias-branch template delimiter neutralization#31712

Merged
pelikhan merged 4 commits into
mainfrom
copilot/fix-neutralize-template-delimiters
May 12, 2026
Merged

test: parity regression guard for alias-branch template delimiter neutralization#31712
pelikhan merged 4 commits into
mainfrom
copilot/fix-neutralize-template-delimiters

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 12, 2026
edited
Loading

Bug Fix

What was the bug?

In v0.68.3, sanitizeContent(text, { allowedAliases: [...] }) — the only path taken during normal issue/PR-triggered workflows — never called neutralizeTemplateDelimiters. Template syntax ({{, ${, {%, <%= , {#) passed through verbatim into AI-generated safe-output issue bodies and comments. sanitizeContentCore applied the escaping correctly; the alias branch did not.

The production fix (importing and calling neutralizeTemplateDelimiters in sanitize_content.cjs) is already present at HEAD. This PR adds the regression test.

How did you fix it?

Adds a parity describe block to sanitize_content.test.cjs that imports sanitizeContentCore directly and asserts, for each of the five template-syntax patterns plus a combined case, that the alias branch produces bit-for-bit identical output:

// For each of: {{ }}, ${ }, {% %}, <%=, {# #}, and all five combined
const aliasResult = sanitizeContent(input, { allowedAliases: ["nobody"] });
const coreResult = sanitizeContentCore(input);
expect(aliasResult).toBe(coreResult);

If the alias branch ever drops neutralizeTemplateDelimiters again, its output will contain raw template syntax while the core output will have it escaped — the tests fail immediately, exposing the regression before it ships.

Testing

6 new parity tests added; all 400 tests pass.

Copilot AI linked an issue May 12, 2026 that may be closed by this pull request
neutralizeTemplateDelimiters absent from sanitize_content.cjs alias branch — template syntax passes through safe-output sani [Content truncated due to length] #31711
Closed
Copilot AI and others added 2 commits May 12, 2026 15:09
@szabta89
chore: initial state — fix already present, adding parity regression …
5ab8a72 
…tests

Co-authored-by: szabta89 <1330202+szabta89@users.noreply.github.com>
@szabta89
test: add parity regression tests for alias-branch template delimiter…
bf12b73 
… neutralization

Co-authored-by: szabta89 <1330202+szabta89@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix absence of neutralizeTemplateDelimiters in sanitize_content.cjs test: parity regression guard for alias-branch template delimiter neutralization May 12, 2026
Copilot AI requested a review from szabta89 May 12, 2026 15:13
@pelikhan pelikhan marked this pull request as ready for review May 12, 2026 15:42
Copilot AI review requested due to automatic review settings May 12, 2026 15:42
Copilot AI reviewed May 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a regression guard ensuring the sanitizeContent() allowed-aliases branch stays behaviorally identical to sanitizeContentCore() with respect to template-delimiter neutralization, preventing a recurrence of the v0.68.3 parity gap where template syntax could pass through unescaped.

Changes:

  • Adds parity tests comparing sanitizeContent(input, { allowedAliases: [...] }) vs sanitizeContentCore(input) across five template syntaxes plus a combined case.
  • Updates two Dependabot workflow lock files to resolve the Docker socket path from DOCKER_HOST when constructing the MCP gateway docker run command.
Show a summary per file
File Description
actions/setup/js/sanitize_content.test.cjs Adds parity regression tests to ensure alias-branch output matches sanitizeContentCore for template syntax escaping.
.github/workflows/dependabot-worker.lock.yml Updates MCP gateway Docker socket mounting logic to respect DOCKER_HOST when present.
.github/workflows/dependabot-campaign.lock.yml Same Docker socket resolution update as worker workflow lock file.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 3

Comment thread actions/setup/js/sanitize_content.test.cjs
Comment on lines +2646 to +2651
let sanitizeContentCore;

beforeEach(async () => {
const coreModule = await import("./sanitize_content_core.cjs");
sanitizeContentCore = coreModule.sanitizeContentCore;
});
Comment thread .github/workflows/dependabot-worker.lock.yml Outdated
Comment on lines +783 to +789
case "${DOCKER_HOST:-}" in
unix://* ) DOCKER_SOCK_PATH="${DOCKER_HOST#unix://}" ;;
/* ) DOCKER_SOCK_PATH="$DOCKER_HOST" ;;
* ) DOCKER_SOCK_PATH=/var/run/docker.sock ;;
esac
DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0')
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.6'
Comment thread .github/workflows/dependabot-campaign.lock.yml Outdated
Comment on lines +674 to +680
case "${DOCKER_HOST:-}" in
unix://* ) DOCKER_SOCK_PATH="${DOCKER_HOST#unix://}" ;;
/* ) DOCKER_SOCK_PATH="$DOCKER_HOST" ;;
* ) DOCKER_SOCK_PATH=/var/run/docker.sock ;;
esac
DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0')
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.6'
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented May 12, 2026

@copilot review all comments

@pelikhan
test: use beforeAll for core module import in parity suite; revert un…
fe41716 
…related lock file changes

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented May 12, 2026

@copilot review all comments

Addressed all three reviewer comments:

  1. beforeEachbeforeAll: The parity suite now imports sanitize_content_core.cjs once via beforeAll instead of re-importing on every test.

2 & 3. Unrelated lock file changes: The Docker socket path changes to .github/workflows/dependabot-worker.lock.yml and .github/workflows/dependabot-campaign.lock.yml were included in an earlier commit but are unrelated to this PR. They have been reverted to match the base branch.

Copilot AI requested a review from pelikhan May 12, 2026 15:58
@pelikhan pelikhan merged commit 4f4cc8d into main May 12, 2026
@pelikhan pelikhan deleted the copilot/fix-neutralize-template-delimiters branch May 12, 2026 16:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan pelikhan approved these changes

@szabta89 szabta89 Awaiting requested review from szabta89

Assignees

@szabta89 szabta89

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

4 participants

@pelikhan @szabta89