Rodin
3222c765c9
The doc-map YAML config was previously read from the local workspace (the PR branch checkout). A malicious PR author could modify .review-bot/doc-map.yml to map any path glob to sensitive design docs, causing review-bot to fetch and inject those docs into the LLM prompt. Fix: add --doc-map-trusted-ref (DOC_MAP_TRUSTED_REF) flag. When set to a trusted ref (e.g. 'main'), the doc-map config is fetched from the VCS API at that ref instead of from local workspace. A 404 from VCS is a hard error (no silent fallback to local copy). When unset, the local workspace is used with a security warning in the logs pointing operators to the new flag. Changes: - review/docmap.go: add ParseDocMapConfigContent + parseDocMapBytes helper to parse from in-memory content (fetched via VCS API) - cmd/review-bot/main.go: add --doc-map-trusted-ref flag; Step 6c branches on trusted-ref to fetch vs local-workspace load - .gitea/actions/review/action.yml: add doc-map-trusted-ref input - README.md: document new input - CHANGELOG.md: security and feature entries Tests: - TestParseDocMapConfigContent_Valid/Empty/InvalidYAML/UnknownKeys in review/docmap_test.go Coverage: 53.0% cmd/review-bot
2.7 KiB
CHANGELOG
Unreleased
Security
doc-map-trusted-ref: fetch doc-map config from trusted VCS ref (#143): New--doc-map-trusted-refflag /DOC_MAP_TRUSTED_REFenv var. When set, the doc-map YAML config is fetched from the specified VCS ref (e.g.main) via API instead of being read from the local workspace (the PR branch checkout). This prevents a malicious PR from modifying.review-bot/doc-map.ymlto inject arbitrary design docs into the LLM prompt. When unset, the local workspace is used with a security warning in the logs.
Added
-
doc-map-trusted-refinput (--doc-map-trusted-refflag /DOC_MAP_TRUSTED_REFenv var): Git ref (branch, tag, or SHA) from which to fetch the doc-map config via VCS API. Recommended for alldoc-mapusers. Example:doc-map-trusted-ref: main. (#143) -
doc-mapinput (--doc-mapflag /DOC_MAP_FILEenv var): Path to a YAML file mapping source path globs to governing design docs. review-bot intersects the map with changed PR paths and injects matching docs into the system prompt under a## Design Documentsheading. (#137) -
doc-map-max-bytesinput (--doc-map-max-bytesflag /DOC_MAP_MAX_BYTESenv var): Cap on total injected design doc content in bytes. Default: 102400 (100 KB). Prevents accidental context overflow when a PR touches many modules. -
DesignDocsbudget section: Design docs are included in the context budget and trimmed after conventions, before file context, if the total exceeds the model's context limit.
Doc-map config format
mappings:
- paths:
- "lib/gargoyle/engine/signal_risk/**"
docs:
- docs/domain/contexts/risk/risk-controls.md
- paths:
- "lib/gargoyle/trading/**"
docs:
- docs/domain/contexts/trading/
paths— glob patterns (including**) matched against changed file paths in the PRdocs— local file paths or directories (all.mdfiles under a directory) to inject- Multiple mappings can reference the same doc; docs are deduplicated
- Missing doc files: warn and skip (review continues without them)
- No matching paths: no docs injected, review runs normally
- Absolute paths and path traversal (
..segments) in doc paths are rejected
Security
- Path traversal guard: doc paths from the YAML config are validated to reject absolute paths and
..segments before VCS API calls - Prompt injection guard: design doc content is injected with an explicit instruction to treat it as reference data and not follow any instructions it may contain
v0.3.2
- Previous releases tracked in Gitea release notes.