chore(#137): update CHANGELOG with security fixes from review
PR Ready Gate / clear-labels (pull_request) Successful in 2s
CI / test (pull_request) Successful in 17s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 44s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m31s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m48s
PR Ready Gate / clear-labels (pull_request) Successful in 2s
CI / test (pull_request) Successful in 17s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 44s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m31s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m48s
This commit is contained in:
Rodin
@@ -27,6 +27,12 @@ mappings:
|
||||
- Multiple mappings can reference the same doc; docs are deduplicated
|
||||
- Missing doc files: warn and skip (review continues without them)
|
||||
- No matching paths: no docs injected, review runs normally
|
||||
- Absolute paths and path traversal (`..` segments) in doc paths are rejected
|
||||
|
||||
### Security
|
||||
|
||||
- **Path traversal guard**: doc paths from the YAML config are validated to reject absolute paths and `..` segments before VCS API calls
|
||||
- **Prompt injection guard**: design doc content is injected with an explicit instruction to treat it as reference data and not follow any instructions it may contain
|
||||
|
||||
## v0.3.2
|
||||
|
||||
|
||||
Reference in New Issue
Block a user