Rodin
7d7a49e967
PR Ready Gate / clear-labels (pull_request) Successful in 1s
CI / test (pull_request) Successful in 17s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 39s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m22s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m46s
Address security-review-bot REQUEST_CHANGES findings on PR #142: MAJOR (Finding #1): Docmap file path was read directly without validating it is within --repo-root or checking for symlinks. A malicious PR could create .review-bot/doc-map.yml as a symlink to /dev/zero (resource exhaustion) or an arbitrary host file (information disclosure). Fix: Add validateDocmapPath() called before ParseDocMapConfig(). It: - Resolves --repo-root first (filepath.Abs + EvalSymlinks), moved up before docmap parsing so both checks share the same resolved root - Uses os.Lstat to detect symlinks and rejects them outright - Confirms the docmap path is within resolvedRoot via filepath.Rel - Checks file size against maxDocmapBytes (10 MB) before reading MINOR (Finding #2): No upper bound on docmap YAML size. Fix: os.Lstat size check enforces maxDocmapBytes cap before os.ReadFile. Tests: - TestValidateDocmapPath_Symlink: docmap is a symlink → exit 2 - TestValidateDocmapPath_OutsideRepoRoot: docmap outside repo-root → exit 2 - TestValidateDocmapPath_SizeLimit: docmap exceeds 10 MB cap → exit 2 - Updated all existing tests to use makeDocmapInDir() so the docmap lives inside the repo-root, satisfying the new confinement check