From 5525d2a120d9dad121077cdc5599829825223a88 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 13 Feb 2026 06:54:46 +0000 Subject: [PATCH 1/2] Initial plan From edf8608aec230f1c7067d5fc646680bf5c4d896e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 13 Feb 2026 07:00:18 +0000 Subject: [PATCH 2/2] Fix JavaScript formatting in merge_remote_agent_github_folder.cjs Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../setup/js/merge_remote_agent_github_folder.cjs | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/actions/setup/js/merge_remote_agent_github_folder.cjs b/actions/setup/js/merge_remote_agent_github_folder.cjs index 6f843a36ac..77a0a58356 100644 --- a/actions/setup/js/merge_remote_agent_github_folder.cjs +++ b/actions/setup/js/merge_remote_agent_github_folder.cjs @@ -146,23 +146,23 @@ function validateGitParameter(value, name) { */ function validateSafePath(userPath, basePath, name) { // Reject paths with null bytes - if (userPath.includes('\0')) { + if (userPath.includes("\0")) { throw new Error(`Invalid ${name}: contains null bytes`); } - + // Reject paths that attempt to traverse up (..) - if (userPath.includes('..')) { + if (userPath.includes("..")) { throw new Error(`Invalid ${name}: path traversal detected`); } - + // Resolve the full path and ensure it's within the base path const resolvedPath = path.resolve(basePath, userPath); const resolvedBase = path.resolve(basePath); - + if (!resolvedPath.startsWith(resolvedBase + path.sep) && resolvedPath !== resolvedBase) { throw new Error(`Invalid ${name}: path escapes base directory`); } - + return resolvedPath; } @@ -239,7 +239,7 @@ function mergeGithubFolder(sourcePath, destPath) { for (const relativePath of sourceFiles) { // Validate relative path to prevent path traversal validateSafePath(relativePath, sourcePath, "relative file path"); - + // Check if the file is in one of the allowed subfolders const pathParts = relativePath.split(path.sep); const topLevelFolder = pathParts[0];