cherry pick 0.37 fixes (#4265)

connor4312 · web-flow · commit 9ca4508005aa · 2026-03-06T15:40:23.000-08:00
* cherry pick 0.37 fixes

* fix merge conflict in test imports
diff --git a/src/extension/tools/common/toolUtils.ts b/src/extension/tools/common/toolUtils.ts
@@ -24,3 +24,39 @@ export function formatUriForFileWidget(uriOrLocation: URI | Location, metadata?:
 
 	return `[](${uri.toString()}${rangePart})`;
 }
+
+/**
+ * Encodes the URL hostname using punycode for security purposes.
+ * This helps prevent homograph attacks by converting internationalized domain names to ASCII.
+ * @param url The URL to encode
+ * @returns An object containing the encoded URL and whether it was different from the original
+ */
+export function encodeUrlHostname(url: string): { encoded: string; isDifferent: boolean } {
+	if (!URL.canParse(url)) {
+		return { encoded: url, isDifferent: false };
+	}
+
+	// The URL constructor automatically encodes Unicode hostnames to punycode
+	const urlObj = new URL(url);
+	let encodedUrl = urlObj.href;
+
+	// URL constructor adds trailing slash or slash before query/hash when original doesn't have path
+	// e.g., "https://example.com?foo" becomes "https://example.com/?foo"
+	const hasNoPath = !url.includes('/', url.indexOf('://') + 3);
+	if (hasNoPath) {
+		// Remove slash before query or hash that was added by URL constructor
+		encodedUrl = encodedUrl.replace(/\/(\?|#)/, '$1');
+		// Remove trailing slash if added at end
+		if (encodedUrl.endsWith('/') && !url.endsWith('/')) {
+			encodedUrl = encodedUrl.slice(0, -1);
+		}
+	}
+
+	// Check if the URL was changed (hostname was encoded)
+	const isDifferent = url !== encodedUrl;
+
+	return {
+		encoded: encodedUrl,
+		isDifferent
+	};
+}
diff --git a/src/extension/tools/node/applyPatch/parser.ts b/src/extension/tools/node/applyPatch/parser.ts
@@ -791,6 +791,26 @@ export function text_to_patch(
 	return [parser.patch, parser.fuzz];
 }
 
+export function identify_files_affected(text: string): Array<string> {
+	const lines = text.trim().split('\n');
+	const result = new Set<string>();
+	for (const line of lines) {
+		if (line.startsWith(UPDATE_FILE_PREFIX)) {
+			result.add(line.slice(UPDATE_FILE_PREFIX.length));
+		} else if (line.startsWith(DELETE_FILE_PREFIX)) {
+			result.add(line.slice(DELETE_FILE_PREFIX.length));
+		} else if (line.startsWith(MOVE_FILE_TO_PREFIX)) {
+			result.add(line.slice(MOVE_FILE_TO_PREFIX.length));
+		} else if (line.startsWith(DELETE_FILE_PREFIX)) {
+			result.add(line.slice(DELETE_FILE_PREFIX.length));
+		} else if (line.startsWith(ADD_FILE_PREFIX)) {
+			result.add(line.slice(ADD_FILE_PREFIX.length));
+		}
+	}
+
+	return [...result];
+}
+
 export function identify_files_needed(text: string): Array<string> {
 	const lines = text.trim().split('\n');
 	const result = new Set<string>();
diff --git a/src/extension/tools/node/applyPatchTool.tsx b/src/extension/tools/node/applyPatchTool.tsx
@@ -46,7 +46,7 @@ import { ICopilotTool, ToolRegistry } from '../common/toolsRegistry';
 import { IToolsService } from '../common/toolsService';
 import { formatUriForFileWidget } from '../common/toolUtils';
 import { PATCH_PREFIX, PATCH_SUFFIX } from './applyPatch/parseApplyPatch';
-import { ActionType, Commit, DiffError, FileChange, identify_files_added, identify_files_needed, InvalidContextError, InvalidPatchFormatError, processPatch } from './applyPatch/parser';
+import { ActionType, Commit, DiffError, FileChange, identify_files_added, identify_files_affected, identify_files_needed, InvalidContextError, InvalidPatchFormatError, processPatch } from './applyPatch/parser';
 import { EditFileResult, IEditedFile } from './editFileToolResult';
 import { canExistingFileBeEdited, createEditConfirmation, formatDiffAsUnified, getDisallowedEditUriError, logEditToolResult, openDocumentAndSnapshot } from './editFileToolUtils';
 import { sendEditNotebookTelemetry } from './editNotebookTool';
@@ -652,7 +652,7 @@ export class ApplyPatchTool implements ICopilotTool<IApplyPatchToolParams> {
 	}
 
 	async prepareInvocation(options: vscode.LanguageModelToolInvocationPrepareOptions<IApplyPatchToolParams>, token: vscode.CancellationToken): Promise<vscode.PreparedToolInvocation> {
-		const uris = [...identify_files_needed(options.input.input), ...identify_files_added(options.input.input)].map(f => URI.file(f));
+		const uris = [...identify_files_affected(options.input.input)].map(f => URI.file(f));
 
 		return this.instantiationService.invokeFunction(
 			createEditConfirmation,
@@ -696,16 +696,27 @@ export class ApplyPatchTool implements ICopilotTool<IApplyPatchToolParams> {
 		const diffResults = await Promise.all(
 			Object.entries(commit.changes).map(async ([file, changes]) => {
 				const uri = resolveToolInputPath(file, promptPathRepresentationService);
-				if (!urisNeedingConfirmationSet.has(uri)) {
+				const moveTo = changes.movePath ? resolveToolInputPath(changes.movePath, promptPathRepresentationService) : undefined;
+				if (!urisNeedingConfirmationSet.has(uri) && !(moveTo && urisNeedingConfirmationSet.has(moveTo))) {
 					return;
 				}
 
-				return await instantiationService.invokeFunction(
+				if (changes.type === ActionType.DELETE) {
+					return l10n.t`Delete ${formatUriForFileWidget(uri)}`;
+				}
+
+				let diff = await instantiationService.invokeFunction(
 					formatDiffAsUnified,
 					uri,
 					changes.oldContent || '',
 					changes.newContent || ''
 				);
+
+				if (moveTo) {
+					diff = l10n.t`Move from ${formatUriForFileWidget(uri)} to ${formatUriForFileWidget(moveTo)}\n\n` + diff;
+				}
+
+				return diff;
 			})
 		);
 
diff --git a/src/extension/tools/node/test/toolUtils.spec.ts b/src/extension/tools/node/test/toolUtils.spec.ts
@@ -3,7 +3,7 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-import { afterAll, beforeAll, beforeEach, describe, expect, suite, test } from 'vitest';
+import { afterAll, beforeAll, beforeEach, describe, expect, suite, test, it } from 'vitest';
 import { ConfigKey, IConfigurationService } from '../../../../platform/configuration/common/configurationService';
 import { InMemoryConfigurationService } from '../../../../platform/configuration/test/common/inMemoryConfigurationService';
 import { IFileSystemService } from '../../../../platform/filesystem/common/fileSystemService';
@@ -18,6 +18,7 @@ import { SyncDescriptor } from '../../../../util/vs/platform/instantiation/commo
 import { IInstantiationService } from '../../../../util/vs/platform/instantiation/common/instantiation';
 import { createExtensionUnitTestingServices } from '../../../test/node/services';
 import { assertFileOkForTool, isDirExternalAndNeedsConfirmation, isFileExternalAndNeedsConfirmation } from '../toolUtils';
+import { encodeUrlHostname } from '../../common/toolUtils';
 
 class TestIgnoreService extends NullIgnoreService {
 	private readonly _ignoredUris = new Set<string>();
@@ -266,3 +267,183 @@ suite('toolUtils - external file existence', () => {
 		expect(await invokeIsFileExternalAndNeedsConfirmation(URI.file('/workspace/nonexistent.ts'))).toBe(false);
 	});
 });
+
+describe('encodeUrlHostname', () => {
+	describe('ASCII URLs', () => {
+		it('handles standard ASCII domain', () => {
+			const result = encodeUrlHostname('https://example.com');
+			expect(result.encoded).toBe('https://example.com');
+			expect(result.isDifferent).toBe(false);
+		});
+
+		it('handles ASCII domain with path', () => {
+			const result = encodeUrlHostname('https://example.com/path/to/page');
+			expect(result.encoded).toBe('https://example.com/path/to/page');
+			expect(result.isDifferent).toBe(false);
+		});
+
+		it('handles ASCII domain with query string', () => {
+			const result = encodeUrlHostname('https://example.com/page?foo=bar&baz=qux');
+			expect(result.encoded).toBe('https://example.com/page?foo=bar&baz=qux');
+			expect(result.isDifferent).toBe(false);
+		});
+
+		it('handles ASCII domain with fragment', () => {
+			const result = encodeUrlHostname('https://example.com/page#section');
+			expect(result.encoded).toBe('https://example.com/page#section');
+			expect(result.isDifferent).toBe(false);
+		});
+
+		it('handles http scheme', () => {
+			const result = encodeUrlHostname('http://example.com');
+			expect(result.encoded).toBe('http://example.com');
+			expect(result.isDifferent).toBe(false);
+		});
+	});
+
+	describe('internationalized domain names (IDN)', () => {
+		it('encodes Cyrillic domain', () => {
+			const result = encodeUrlHostname('https://пример.рф');
+			expect(result.encoded).toBe('https://xn--e1afmkfd.xn--p1ai');
+			expect(result.isDifferent).toBe(true);
+		});
+
+		it('encodes Chinese domain', () => {
+			const result = encodeUrlHostname('https://例え.jp');
+			expect(result.encoded).toBe('https://xn--r8jz45g.jp');
+			expect(result.isDifferent).toBe(true);
+		});
+
+		it('encodes German domain with umlaut', () => {
+			const result = encodeUrlHostname('https://müller.de');
+			expect(result.encoded).toBe('https://xn--mller-kva.de');
+			expect(result.isDifferent).toBe(true);
+		});
+
+		it('encodes Arabic domain', () => {
+			const result = encodeUrlHostname('https://مثال.السعودية');
+			expect(result.encoded).toBe('https://xn--mgbh0fb.xn--mgberp4a5d4ar');
+			expect(result.isDifferent).toBe(true);
+		});
+
+		it('preserves path when encoding IDN', () => {
+			const result = encodeUrlHostname('https://пример.рф/path/to/page');
+			expect(result.encoded).toBe('https://xn--e1afmkfd.xn--p1ai/path/to/page');
+			expect(result.isDifferent).toBe(true);
+		});
+
+		it('preserves query string when encoding IDN', () => {
+			const result = encodeUrlHostname('https://пример.рф?foo=bar');
+			expect(result.encoded).toBe('https://xn--e1afmkfd.xn--p1ai?foo=bar');
+			expect(result.isDifferent).toBe(true);
+		});
+	});
+
+	describe('URLs with port', () => {
+		it('handles ASCII domain with port', () => {
+			const result = encodeUrlHostname('https://example.com:8080');
+			expect(result.encoded).toBe('https://example.com:8080');
+			expect(result.isDifferent).toBe(false);
+		});
+
+		it('encodes IDN with port', () => {
+			const result = encodeUrlHostname('https://пример.рф:8080');
+			expect(result.encoded).toBe('https://xn--e1afmkfd.xn--p1ai:8080');
+			expect(result.isDifferent).toBe(true);
+		});
+
+		it('handles port with path', () => {
+			const result = encodeUrlHostname('https://пример.рф:8080/path');
+			expect(result.encoded).toBe('https://xn--e1afmkfd.xn--p1ai:8080/path');
+			expect(result.isDifferent).toBe(true);
+		});
+	});
+
+	describe('URLs with userinfo', () => {
+		it('handles userinfo with ASCII domain', () => {
+			const result = encodeUrlHostname('https://user:pass@example.com');
+			expect(result.encoded).toBe('https://user:pass@example.com');
+			expect(result.isDifferent).toBe(false);
+		});
+
+		it('encodes IDN with userinfo', () => {
+			const result = encodeUrlHostname('https://user:pass@пример.рф');
+			expect(result.encoded).toBe('https://user:pass@xn--e1afmkfd.xn--p1ai');
+			expect(result.isDifferent).toBe(true);
+		});
+
+		it('handles userinfo with port', () => {
+			const result = encodeUrlHostname('https://user:pass@пример.рф:8080');
+			expect(result.encoded).toBe('https://user:pass@xn--e1afmkfd.xn--p1ai:8080');
+			expect(result.isDifferent).toBe(true);
+		});
+
+		it('handles username without password', () => {
+			const result = encodeUrlHostname('https://user@пример.рф');
+			expect(result.encoded).toBe('https://user@xn--e1afmkfd.xn--p1ai');
+			expect(result.isDifferent).toBe(true);
+		});
+	});
+
+	describe('subdomain handling', () => {
+		it('encodes subdomain with non-ASCII characters', () => {
+			const result = encodeUrlHostname('https://поддомен.пример.рф');
+			expect(result.encoded).toBe('https://xn--d1aad1agbce.xn--e1afmkfd.xn--p1ai');
+			expect(result.isDifferent).toBe(true);
+		});
+
+		it('handles mixed ASCII and non-ASCII subdomains', () => {
+			const result = encodeUrlHostname('https://www.пример.рф');
+			expect(result.encoded).toBe('https://www.xn--e1afmkfd.xn--p1ai');
+			expect(result.isDifferent).toBe(true);
+		});
+	});
+
+	describe('edge cases', () => {
+		it('handles localhost', () => {
+			const result = encodeUrlHostname('http://localhost:3000');
+			expect(result.encoded).toBe('http://localhost:3000');
+			expect(result.isDifferent).toBe(false);
+		});
+
+		it('handles IP address', () => {
+			const result = encodeUrlHostname('http://192.168.1.1:8080');
+			expect(result.encoded).toBe('http://192.168.1.1:8080');
+			expect(result.isDifferent).toBe(false);
+		});
+
+		it('handles IPv6 address', () => {
+			const result = encodeUrlHostname('http://[::1]:8080');
+			expect(result.encoded).toBe('http://[::1]:8080');
+			expect(result.isDifferent).toBe(false);
+		});
+
+		it('handles empty authority gracefully', () => {
+			const result = encodeUrlHostname('file:///path/to/file');
+			expect(result.encoded).toBe('file:///path/to/file');
+			expect(result.isDifferent).toBe(false);
+		});
+
+		it('handles invalid URL gracefully', () => {
+			const result = encodeUrlHostname('not a url');
+			expect(result.encoded).toBe('not a url');
+			expect(result.isDifferent).toBe(false);
+		});
+	});
+
+	describe('homograph attack prevention', () => {
+		it('encodes Cyrillic "a" that looks like Latin "a"', () => {
+			// Cyrillic а (U+0430) vs Latin a (U+0061)
+			const result = encodeUrlHostname('https://exаmple.com'); // Contains Cyrillic а
+			expect(result.isDifferent).toBe(true);
+			expect(result.encoded).toContain('xn--');
+		});
+
+		it('encodes Greek omicron that looks like Latin "o"', () => {
+			// Greek ο (U+03BF) vs Latin o (U+006F)
+			const result = encodeUrlHostname('https://gοοgle.com'); // Contains Greek ο
+			expect(result.isDifferent).toBe(true);
+			expect(result.encoded).toContain('xn--');
+		});
+	});
+});
diff --git a/src/extension/tools/vscode-node/fetchWebPageTool.tsx b/src/extension/tools/vscode-node/fetchWebPageTool.tsx
@@ -3,7 +3,7 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 import { BasePromptElementProps, Chunk, PromptElement, PromptSizing, TextChunk, useKeepWith } from '@vscode/prompt-tsx';
-import { CancellationToken, LanguageModelPromptTsxPart, LanguageModelTextPart, LanguageModelDataPart, LanguageModelToolInvocationOptions, LanguageModelToolInvocationPrepareOptions, LanguageModelToolResult, lm, PreparedToolInvocation, ProviderResult } from 'vscode';
+import { CancellationToken, LanguageModelDataPart, LanguageModelPromptTsxPart, LanguageModelTextPart, LanguageModelToolInvocationOptions, LanguageModelToolInvocationPrepareOptions, LanguageModelToolResult, lm, PreparedToolInvocation, ProviderResult } from 'vscode';
 import { FileChunkAndScore } from '../../../platform/chunking/common/chunk';
 import { ILogService } from '../../../platform/log/common/logService';
 import { UrlChunkEmbeddingsIndex } from '../../../platform/urlChunkSearch/node/urlChunkEmbeddingsIndex';
@@ -15,6 +15,7 @@ import { renderPromptElementJSON } from '../../prompts/node/base/promptRenderer'
 import { imageDataPartToTSX } from '../../prompts/node/panel/toolCalling';
 import { ToolName } from '../common/toolNames';
 import { ICopilotTool, ToolRegistry } from '../common/toolsRegistry';
+import { encodeUrlHostname } from '../common/toolUtils';
 
 interface IFetchWebPageParams {
 	urls: string[];
@@ -67,10 +68,11 @@ class FetchWebPageTool implements ICopilotTool<IFetchWebPageParams> {
 		if (!tool) {
 			throw new Error('Tool not found');
 		}
-		const { urls } = options.input;
-		const { content } = await lm.invokeTool(internalToolName, options, token);
-		if (urls.length !== content.length) {
-			this._logService.error(`Expected ${urls.length} responses but got ${content.length}`);
+		// Encode URLs for security before processing
+		const encodedUrls = options.input.urls.map(url => encodeUrlHostname(url).encoded);
+		const { content } = await lm.invokeTool(internalToolName, { ...options, input: { ...options.input, urls: encodedUrls } }, token);
+		if (encodedUrls.length !== content.length) {
+			this._logService.error(`Expected ${encodedUrls.length} responses but got ${content.length}`);
 			return new LanguageModelToolResult([
 				new LanguageModelTextPart('Error: I did not receive the expected number of responses from the tool.')
 			]);
@@ -80,9 +82,9 @@ class FetchWebPageTool implements ICopilotTool<IFetchWebPageParams> {
 		const validTextContent: Array<{ readonly uri: URI; readonly content: string }> = [];
 		const imageResults: WebPageImageResult[] = [];
 
-		for (let i = 0; i < urls.length; i++) {
+		for (let i = 0; i < encodedUrls.length; i++) {
 			try {
-				const uri = URI.parse(urls[i]);
+				const uri = URI.parse(encodedUrls[i]);
 				const contentPart = content[i];
 
 				if (options.model?.capabilities.supportsImageToText && isImageDataPart(contentPart)) {
@@ -97,13 +99,13 @@ class FetchWebPageTool implements ICopilotTool<IFetchWebPageParams> {
 					if (typeof textValue === 'string') {
 						validTextContent.push({ uri, content: textValue });
 					} else {
-						this._logService.warn(`Unsupported content type at index ${i}: ${urls[i]}`);
-						invalidUrls.push(urls[i]);
+						this._logService.warn(`Unsupported content type at index ${i}: ${encodedUrls[i]}`);
+						invalidUrls.push(encodedUrls[i]);
 					}
 				}
 			} catch (error) {
-				this._logService.error(`Invalid URL at index ${i}: ${urls[i]}`, error);
-				invalidUrls.push(urls[i]);
+				this._logService.error(`Invalid URL at index ${i}: ${encodedUrls[i]}`, error);
+				invalidUrls.push(encodedUrls[i]);
 			}
 		}
 
