resolve review agent codeql path alert properly

msukkari · msukkari · commit 284d89c694e0 · 2026-04-18T15:26:41.000-07:00
diff --git a/packages/web/src/features/agents/review-agent/app.ts b/packages/web/src/features/agents/review-agent/app.ts
@@ -2,7 +2,7 @@ import { Octokit } from "octokit";
 import { generatePrReviews } from "@/features/agents/review-agent/nodes/generatePrReview";
 import { githubPushPrReviews } from "@/features/agents/review-agent/nodes/githubPushPrReviews";
 import { githubPrParser } from "@/features/agents/review-agent/nodes/githubPrParser";
-import { getReviewAgentLogDir } from "@/features/agents/review-agent/nodes/invokeDiffReviewLlm";
+import { REVIEW_AGENT_LOG_DIR } from "@/features/agents/review-agent/lib";
 import { env } from "@sourcebot/shared";
 import { GitHubPullRequest } from "@/features/agents/review-agent/types";
 import path from "path";
@@ -29,11 +29,10 @@ export async function processGitHubPullRequest(octokit: Octokit, pullRequest: Gi
         return;
     }
 
-    let reviewAgentLogPath: string | undefined;
+    let reviewAgentLogFileName: string | undefined;
     if (env.REVIEW_AGENT_LOGGING_ENABLED) {
-        const reviewAgentLogDir = getReviewAgentLogDir();
-        if (!fs.existsSync(reviewAgentLogDir)) {
-            fs.mkdirSync(reviewAgentLogDir, { recursive: true });
+        if (!fs.existsSync(REVIEW_AGENT_LOG_DIR)) {
+            fs.mkdirSync(REVIEW_AGENT_LOG_DIR, { recursive: true });
         }
 
         const timestamp = new Date().toLocaleString('en-US', {
@@ -45,11 +44,12 @@ export async function processGitHubPullRequest(octokit: Octokit, pullRequest: Gi
             second: '2-digit',
             hour12: false
         }).replace(/(\d+)\/(\d+)\/(\d+), (\d+):(\d+):(\d+)/, '$3_$1_$2_$4_$5_$6');
-        reviewAgentLogPath = path.join(reviewAgentLogDir, `review-agent-${pullRequest.number}-${timestamp}.log`);
-        logger.info(`Review agent logging to ${reviewAgentLogPath}`);
+        reviewAgentLogFileName = `review-agent-${pullRequest.number}-${timestamp}.log`;
+        logger.info(`Review agent logging to ${path.join(REVIEW_AGENT_LOG_DIR, reviewAgentLogFileName)}`);
+   
     }
 
     const prPayload = await githubPrParser(octokit, pullRequest);
-    const fileDiffReviews = await generatePrReviews(reviewAgentLogPath, prPayload, rules);
+    const fileDiffReviews = await generatePrReviews(reviewAgentLogFileName, prPayload, rules);
     await githubPushPrReviews(octokit, prPayload, fileDiffReviews); 
 }
diff --git a/packages/web/src/features/agents/review-agent/lib.ts b/packages/web/src/features/agents/review-agent/lib.ts
@@ -0,0 +1,9 @@
+import path from "path";
+import { env } from "@sourcebot/shared";
+import fs from "fs";
+
+export const REVIEW_AGENT_LOG_DIR = env.DATA_CACHE_DIR + "/review-agent";
+
+export const appendReviewAgentLog = (logFileName: string, log: string): void => {
+    fs.appendFileSync(path.join(REVIEW_AGENT_LOG_DIR, logFileName), log);
+};
diff --git a/packages/web/src/features/agents/review-agent/nodes/generatePrReview.ts b/packages/web/src/features/agents/review-agent/nodes/generatePrReview.ts
@@ -6,7 +6,7 @@ import { createLogger } from "@sourcebot/shared";
 
 const logger = createLogger('generate-pr-review');
 
-export const generatePrReviews = async (reviewAgentLogPath: string | undefined, pr_payload: sourcebot_pr_payload, rules: string[]): Promise<sourcebot_file_diff_review[]> => {
+export const generatePrReviews = async (reviewAgentLogFileName: string | undefined, pr_payload: sourcebot_pr_payload, rules: string[]): Promise<sourcebot_file_diff_review[]> => {
     logger.debug("Executing generate_pr_reviews");
 
     const file_diff_reviews: sourcebot_file_diff_review[] = [];
@@ -32,7 +32,7 @@ export const generatePrReviews = async (reviewAgentLogPath: string | undefined,
 
                 const prompt = await generateDiffReviewPrompt(diff, context, rules);
                 
-                const diffReview = await invokeDiffReviewLlm(reviewAgentLogPath, prompt);
+                const diffReview = await invokeDiffReviewLlm(reviewAgentLogFileName, prompt);
                 reviews.push(...diffReview.reviews);
             } catch (error) {
                 logger.error(`Error generating review for ${file_diff.to}: ${error}`);
diff --git a/packages/web/src/features/agents/review-agent/nodes/invokeDiffReviewLlm.ts b/packages/web/src/features/agents/review-agent/nodes/invokeDiffReviewLlm.ts
@@ -1,25 +1,12 @@
 import OpenAI from "openai";
 import { sourcebot_file_diff_review, sourcebot_file_diff_review_schema } from "@/features/agents/review-agent/types";
 import { env } from "@sourcebot/shared";
-import fs from "fs";
-import path from "path";
+import { appendReviewAgentLog } from "@/features/agents/review-agent/lib"
 import { createLogger } from "@sourcebot/shared";
 
 const logger = createLogger('invoke-diff-review-llm');
 
-export const getReviewAgentLogDir = (): string => {
-    return path.join(env.DATA_CACHE_DIR, 'review-agent');
-};
-
-const validateLogPath = (logPath: string): void => {
-    const resolved = path.resolve(logPath);
-    const logDir = getReviewAgentLogDir();
-    if (!resolved.startsWith(logDir + path.sep)) {
-        throw new Error('reviewAgentLogPath escapes log directory');
-    }
-};
-
-export const invokeDiffReviewLlm = async (reviewAgentLogPath: string | undefined, prompt: string): Promise<sourcebot_file_diff_review> => {
+export const invokeDiffReviewLlm = async (reviewAgentLogFileName: string | undefined, prompt: string): Promise<sourcebot_file_diff_review> => {
     logger.debug("Executing invoke_diff_review_llm");
     
     if (!env.OPENAI_API_KEY) {
@@ -31,9 +18,8 @@ export const invokeDiffReviewLlm = async (reviewAgentLogPath: string | undefined
         apiKey: env.OPENAI_API_KEY,
     });
 
-    if (reviewAgentLogPath) {
-        validateLogPath(reviewAgentLogPath);
-        fs.appendFileSync(reviewAgentLogPath, `\n\nPrompt:\n${prompt}`);
+    if (reviewAgentLogFileName) {
+        appendReviewAgentLog(reviewAgentLogFileName, `\n\nPrompt:\n${prompt}`);
     }
 
     try {
@@ -45,9 +31,8 @@ export const invokeDiffReviewLlm = async (reviewAgentLogPath: string | undefined
         });
     
         const openaiResponse = completion.choices[0].message.content;
-        if (reviewAgentLogPath) {
-            validateLogPath(reviewAgentLogPath);
-            fs.appendFileSync(reviewAgentLogPath, `\n\nResponse:\n${openaiResponse}`);
+        if (reviewAgentLogFileName) {
+            appendReviewAgentLog(reviewAgentLogFileName, `\n\nResponse:\n${openaiResponse}`);
         }
         
         const diffReviewJson = JSON.parse(openaiResponse || '{}');
