Add content expander for parameters, commands, and file paths with injection protection#151
Merged
Merged
Conversation
Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Add new expander to expand content with parameters and commands
Add content expander for parameters, commands, and file paths
Dec 10, 2025
Contributor
|
@copilot The current solution could expand a parameter which then expands a command, causing command injection attack. You must process the file rune by rune. |
Process expansions in a single pass, rune-by-rune, to prevent command
injection where expanded content (from commands or files) contains
further expansion sequences that would be re-expanded.
Security issue: Previously, expansions were done in multiple passes
(commands -> paths -> parameters), allowing:
- Command output containing ${param} to be expanded
- File content containing ${param} or !`cmd` to be expanded
- Parameters containing !`cmd` or @path to be expanded
Fix: Process all three expansion types in a single pass by scanning
rune-by-rune, which ensures expanded content is never re-processed.
Tests updated to verify security fix and ensure no re-expansion occurs.
Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
Contributor
Author
Fixed in commit 3f3f3f3. Rewrote the expander to process content rune-by-rune in a single pass instead of multiple passes. This prevents command injection where expanded content (from commands or files) contains further expansion sequences. Security tests added to verify:
All existing tests pass. |
Copilot
AI
changed the title
Add content expander for parameters, commands, and file paths
Add content expander for parameters, commands, and file paths with injection protection
Dec 10, 2025
alexec
requested changes
Dec 11, 2025
alexec
requested changes
Dec 11, 2025
- Change Expander to expander (private struct) - Change params field from Params type to map[string]string directly - Update all references to use lowercase expander Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
Replace string concatenation with rune slice notation for better
efficiency and to preserve exact original text when parameters are
not found or commands fail.
Changes:
- Line 54: "${" + paramName + "}" → string(runes[i : end+1])
- Line 76: "!`" + command + "`" → string(runes[i : end+1])
Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
alexec
requested changes
Dec 11, 2025
Refactored per @alexec feedback: - Removed expander struct - Removed NewExpander function - Made expand function private (lowercase) - Pass params and logger as function parameters - Updated all tests to use new function signature - Simplified TestNewExpander to TestExpandWithNilLogger This results in a simpler, more functional API with no unnecessary struct wrapper. Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
alexec
requested changes
Dec 11, 2025
Contributor
There was a problem hiding this comment.
Pull request overview
This PR implements a new content expander that supports three types of expansions: parameter expansion (${param_name}), command expansion (!`command`), and path expansion (@path). The implementation includes a critical security fix that processes expansions in a single rune-by-rune pass to prevent injection attacks where expanded content contains further expansion sequences. The PR also incorporates code review feedback to use a functional approach with a private expand function.
Key Changes
- Single-pass rune-by-rune expansion processing to prevent command injection vulnerabilities
- Support for three expansion types: parameters, shell commands, and file paths
- Integration with existing parameter expansion in
context.go
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| pkg/codingcontext/expander.go | New file implementing single-pass expansion logic with parameter, command, and path expansion support |
| pkg/codingcontext/expander_test.go | Comprehensive test suite with 45+ test cases covering all expansion types, edge cases, and security scenarios |
| pkg/codingcontext/context.go | Updated expandParams method to use new expand function and merge parameters correctly |
| integration_test.go | New integration test verifying all three expansion types work together end-to-end |
Comment on lines
+11
to
+64
| func TestExpandParameters(t *testing.T) { | ||
| tests := []struct { | ||
| name string | ||
| params Params | ||
| content string | ||
| expected string | ||
| }{ | ||
| { | ||
| name: "single parameter expansion", | ||
| params: Params{"name": "Alice"}, | ||
| content: "Hello, ${name}!", | ||
| expected: "Hello, Alice!", | ||
| }, | ||
| { | ||
| name: "multiple parameter expansions", | ||
| params: Params{"first": "John", "last": "Doe"}, | ||
| content: "${first} ${last}", | ||
| expected: "John Doe", | ||
| }, | ||
| { | ||
| name: "parameter not found - returns unchanged with warning", | ||
| params: Params{}, | ||
| content: "Value: ${missing}", | ||
| expected: "Value: ${missing}", | ||
| }, | ||
| { | ||
| name: "mixed found and not found parameters", | ||
| params: Params{"found": "yes"}, | ||
| content: "${found} and ${notfound}", | ||
| expected: "yes and ${notfound}", | ||
| }, | ||
| { | ||
| name: "no parameters to expand", | ||
| params: Params{"key": "value"}, | ||
| content: "Plain text without parameters", | ||
| expected: "Plain text without parameters", | ||
| }, | ||
| { | ||
| name: "parameter with special characters", | ||
| params: Params{"path": "/tmp/file.txt"}, | ||
| content: "File: ${path}", | ||
| expected: "File: /tmp/file.txt", | ||
| }, | ||
| } | ||
|
|
||
| for _, tt := range tests { | ||
| t.Run(tt.name, func(t *testing.T) { | ||
| result := expand(tt.content, tt.params, slog.New(slog.NewTextHandler(os.Stderr, nil))) | ||
| if result != tt.expected { | ||
| t.Errorf("expand() = %q, want %q", result, tt.expected) | ||
| } | ||
| }) | ||
| } | ||
| } |
There was a problem hiding this comment.
The parameter expansion tests are missing important edge cases. Consider adding tests for: unclosed parameter syntax like ${name (should be treated as literal text), empty parameter name ${}, nested or malformed patterns like ${${nested}}, and parameters at the very end of the string. These edge cases are important for ensuring the parser handles malformed input gracefully.
Contributor
Author
There was a problem hiding this comment.
Done in commit e637274. Added edge case tests for: unclosed parameter syntax, empty parameter name, parameter at end of string, and nested braces.
Code changes per @alexec feedback: - Removed nil logger check in expand function (line 18) - Preserve command output as-is, no longer trim trailing newlines (line 65) - Updated all test expectations to account for newlines in command output - Changed TestExpandWithNilLogger to TestExpandBasic Documentation updates: - Expanded "Parameter Substitution" section to "Content Expansion" - Added documentation for all three expansion types: - Parameter expansion (${param}) - Command expansion (!`cmd`) - Path expansion (@path) - Documented security model (single-pass, no re-expansion) - Added examples and usage notes for each expansion type Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
auto-merge was automatically disabled
December 11, 2025 03:43
Head branch was pushed to by a user without write access
Contributor
Author
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
alexec
requested changes
Dec 11, 2025
| if err != nil { | ||
| logger.Warn("command expansion failed", "command", command, "error", err) | ||
| // Return the original !`command` if command fails | ||
| result.WriteString(string(runes[i : end+1])) |
Contributor
There was a problem hiding this comment.
@copilot if the command fails, still put the output in place.
Contributor
Author
There was a problem hiding this comment.
Done in commit e637274. Command expansion now outputs the combined stdout/stderr even when the command fails, allowing error messages to be included in the output.
Comment on lines
+11
to
+64
| func TestExpandParameters(t *testing.T) { | ||
| tests := []struct { | ||
| name string | ||
| params Params | ||
| content string | ||
| expected string | ||
| }{ | ||
| { | ||
| name: "single parameter expansion", | ||
| params: Params{"name": "Alice"}, | ||
| content: "Hello, ${name}!", | ||
| expected: "Hello, Alice!", | ||
| }, | ||
| { | ||
| name: "multiple parameter expansions", | ||
| params: Params{"first": "John", "last": "Doe"}, | ||
| content: "${first} ${last}", | ||
| expected: "John Doe", | ||
| }, | ||
| { | ||
| name: "parameter not found - returns unchanged with warning", | ||
| params: Params{}, | ||
| content: "Value: ${missing}", | ||
| expected: "Value: ${missing}", | ||
| }, | ||
| { | ||
| name: "mixed found and not found parameters", | ||
| params: Params{"found": "yes"}, | ||
| content: "${found} and ${notfound}", | ||
| expected: "yes and ${notfound}", | ||
| }, | ||
| { | ||
| name: "no parameters to expand", | ||
| params: Params{"key": "value"}, | ||
| content: "Plain text without parameters", | ||
| expected: "Plain text without parameters", | ||
| }, | ||
| { | ||
| name: "parameter with special characters", | ||
| params: Params{"path": "/tmp/file.txt"}, | ||
| content: "File: ${path}", | ||
| expected: "File: /tmp/file.txt", | ||
| }, | ||
| } | ||
|
|
||
| for _, tt := range tests { | ||
| t.Run(tt.name, func(t *testing.T) { | ||
| result := expand(tt.content, tt.params, slog.New(slog.NewTextHandler(os.Stderr, nil))) | ||
| if result != tt.expected { | ||
| t.Errorf("expand() = %q, want %q", result, tt.expected) | ||
| } | ||
| }) | ||
| } | ||
| } |
Changes based on code review feedback: - Command expansion now outputs stderr even when command fails - Added edge case tests for parameter expansion: - Unclosed parameter syntax - Empty parameter name - Parameter at end of string - Nested braces - Added edge case tests for command expansion: - Unclosed backtick - Empty command - Command at end of string - Command with error output - Added edge case tests for path expansion: - Path at end without trailing whitespace - Lone @ with no path - Multiple consecutive @ symbols - Path with backslash not escaping space - Added security integration test verifying no re-expansion of: - File content containing expansion syntax - Parameter values containing command syntax - Command output containing parameter syntax Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
alexec
approved these changes
Dec 11, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix Command Injection Vulnerability and Code Review Feedback
Security Issue (Fixed in commit 3f3f3f3)
The previous implementation processed expansions in multiple passes which allowed command injection attacks. Fixed by processing rune-by-rune in a single pass.
Code Review Changes
Expanderstruct private (lowercaseexpander) per @alexec feedback (commit 8d435ad)paramsfield to usemap[string]stringdirectly instead ofParamstype alias per @alexec feedback (commit 8d435ad)Changes
expander.gofile with expansion logic (rune-by-rune processing)expandfunction with params and logger as parameters${param_name})!`command`) - outputs stderr even on failure@path)expander_test.gowith 60+ test cases including edge casesexpandParamsmethod incontext.godocs/reference/file-formats.mddocumenting all three expansion types with examples, security notes, and usage guidelinesTest Coverage
Unit Tests (60+ test cases)
Integration Tests
Test Results
✅ All unit tests pass (60+ test cases)
✅ All integration tests pass including security test
✅ Edge case tests for malformed input
✅ Security tests confirm no re-expansion
✅ Lint clean
Documentation
✅ Added comprehensive "Content Expansion" section to
docs/reference/file-formats.md✅ Documented all three expansion types with examples
✅ Documented security model and injection protection
✅ Included usage guidelines and behavior notes
Original prompt
Original prompt
Original prompt
Original prompt
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.