Skip to content

Add @filepath expansion in safe output body processing#29137

Closed
Copilot wants to merge 3 commits intomainfrom
copilot/add-detect-filepath-markdown
Closed

Add @filepath expansion in safe output body processing#29137
Copilot wants to merge 3 commits intomainfrom
copilot/add-detect-filepath-markdown

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 29, 2026
edited
Loading

Adds detection and automatic expansion of @/absolute/path file references in agent-generated text (comment bodies, issue bodies, etc.) processed by the safe output pipeline.

When an agent writes a reference like @/tmp/gh-aw/agent/comment-body.md as the body field of a safe output message (e.g., add_comment, create_issue, update_issue), the safe output handler manager now reads the file and replaces the reference inline with its contents before passing the body to the handler.

This was motivated by the pattern seen in #29123 comment where an agent posted @/tmp/gh-aw/agent/comment-body.md as a comment body — the file contents should be expanded automatically.

Changes

actions/setup/js/runtime_import.cjs

  • Added isAllowedFileReference(filePath, workspaceDir) — validates that a path is:
    • An absolute path (starts with /)
    • A clean path (no .. or . traversal components — refused rather than silently normalized)
    • Within $GITHUB_WORKSPACE or /tmp/gh-aw
  • Added expandFileReferences(content, workspaceDir) — scans content for @/path references, validates and expands allowed ones, ignores/warns on disallowed or missing files
  • Both functions exported for use and testing

actions/setup/js/safe_output_handler_manager.cjs

  • Imported expandFileReferences from runtime_import.cjs
  • Added @filepath expansion as a pre-processing step on the body field of every safe output message, alongside the existing artifact URL replacement step, before the message is dispatched to its handler

actions/setup/js/runtime_import.test.cjs

  • Added describe("isAllowedFileReference", ...) with tests covering workspace paths, /tmp/gh-aw paths, relative paths, .. traversal, path confusion, URL-encoded traversal, and mixed-separator traversal
  • Added describe("expandFileReferences", ...) with tests for valid expansion, disallowed paths, missing files, and traversal attacks

actions/setup/js/safe_output_handler_manager.test.cjs

  • Added tests verifying @filepath expansion is applied to add_comment and create_issue bodies, and that disallowed paths are left unchanged

Security

  • Only absolute paths are matched (@/...), not @username mentions
  • Regex restricted to standard filesystem characters ([a-zA-Z0-9_./-]) to exclude shell-special sequences
  • Paths with .. or . components are refused outright (not silently normalized)
  • Paths outside workspace and /tmp/gh-aw are silently ignored with a log message
  • Missing files produce a warning but leave the reference unchanged

Copilot AI and others added 2 commits April 29, 2026 14:56
@pelikhan
Add @filepath expansion in interpolate_prompt: detect @/abs/path and …
8a86a94 
…expand with file content

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f211b60f-12d4-400c-95e1-1eda2e8f9b86

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Address code review: restrict filepath regex, remove redundant check,…
4c1b355 
… add traversal tests

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f211b60f-12d4-400c-95e1-1eda2e8f9b86

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan April 29, 2026 15:01
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 29, 2026

@copilot this is not for prompt. This is user generated text like markdown body

@pelikhan
Move @filepath expansion to safe output body processing, not prompt p…
aed623e 
…ipeline

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0f0ec9d7-3b7e-48d9-83a1-34890448c362

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Apr 29, 2026

@copilot this is not for prompt. This is user generated text like markdown body

Moved in aed623e. The @filepath expansion now lives in safe_output_handler_manager.cjs, applied as a pre-processing step to the body field of every safe output message (alongside the existing artifact URL replacement). interpolate_prompt.cjs is unchanged.

Copilot AI changed the title Add @filepath expansion in prompt interpolation Add @filepath expansion in safe output body processing Apr 29, 2026
@github-actions github-actions Bot mentioned this pull request Apr 29, 2026
Open
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 29, 2026

@copilot do a security review to make sure the file is not read outside the allowed folder

@pelikhan pelikhan closed this Apr 29, 2026
Copilot stopped work on behalf of pelikhan due to an error April 29, 2026 20:27
The session was cancelled by the user.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan Awaiting requested review from pelikhan

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pelikhan