fix: address PR #63 review findings
1. Refactor err2 to use scoped loadErr variable (MINOR - sonnet-review-bot) The else-if branches are mutually exclusive, so the error variable should be scoped inside the block, not declared outside with err2. 2. Sanitize DisplayName before embedding in Markdown (MINOR - security-review-bot) Remote persona metadata is untrusted. Added sanitizeMarkdownText() to escape Markdown special characters and strip control characters. Applied to both the header title and the footer attribution. 3. Document YAML DoS mitigations (MINOR - security-review-bot) Added comprehensive comment in remote_persona.go explaining existing defenses: file size limit, file count cap, depth limit, node count cap, and alias cycle detection. These collectively mitigate billion-laughs and stack exhaustion attacks.
This commit is contained in:
Rodin
@@ -214,3 +214,71 @@ func TestFormatMarkdownWithDisplay(t *testing.T) {
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func TestSanitizeMarkdownText(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
input string
|
||||
want string
|
||||
}{
|
||||
{
|
||||
name: "plain text unchanged",
|
||||
input: "Security Specialist",
|
||||
want: "Security Specialist",
|
||||
},
|
||||
{
|
||||
name: "escapes asterisks",
|
||||
input: "**bold** attack",
|
||||
want: `\*\*bold\*\* attack`,
|
||||
},
|
||||
{
|
||||
name: "escapes brackets for links",
|
||||
input: "[click me](http://evil.com)",
|
||||
want: `\[click me\]\(http://evil.com\)`,
|
||||
},
|
||||
{
|
||||
name: "escapes backticks",
|
||||
input: "`code` injection",
|
||||
want: "\\`code\\` injection",
|
||||
},
|
||||
{
|
||||
name: "escapes angle brackets",
|
||||
input: "<script>alert(1)</script>",
|
||||
want: `\<script\>alert\(1\)\</script\>`,
|
||||
},
|
||||
{
|
||||
name: "escapes hash for headers",
|
||||
input: "# Fake Header",
|
||||
want: `\# Fake Header`,
|
||||
},
|
||||
{
|
||||
name: "escapes pipe for tables",
|
||||
input: "col1 | col2",
|
||||
want: `col1 \| col2`,
|
||||
},
|
||||
{
|
||||
name: "removes control characters",
|
||||
input: "hello\x00world\x1f",
|
||||
want: "helloworld",
|
||||
},
|
||||
{
|
||||
name: "preserves tabs and newlines",
|
||||
input: "line1\n\tindented",
|
||||
want: "line1\n\tindented",
|
||||
},
|
||||
{
|
||||
name: "escapes tilde for strikethrough",
|
||||
input: "~~strikethrough~~",
|
||||
want: `\~\~strikethrough\~\~`,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got := sanitizeMarkdownText(tt.input)
|
||||
if got != tt.want {
|
||||
t.Errorf("sanitizeMarkdownText(%q) = %q, want %q", tt.input, got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user