Inline Slack thread event context#97
Conversation
|
CodeAnt AI is reviewing your PR. |
|
Warning Review limit reached
More reviews will be available in 14 minutes and 4 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Free Run ID: 📒 Files selected for processing (6)
📝 WalkthroughWalkthroughIntegration event bridge now augments Slack event messages with inline context extracted from local mount files or expanded event data. The change introduces context truncation, expands path filtering, and wires context lookups through the injection handlers while including new test coverage for thread-reply scenarios. ChangesSlack Inline Event Context
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~22 minutes Poem
Note 🎁 Summarized by CodeRabbit FreeYour organization is on the Free plan. CodeRabbit will generate a high-level summary and a walkthrough for each pull request. For a comprehensive line-by-line review, please upgrade your subscription to CodeRabbit Pro by visiting https://app.coderabbit.ai/login. Comment |
codeant-ai
Bot
added
the
size:L
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request enhances the integration event bridge to include local Slack message text and context (such as channel, timestamps, and user) directly within the injected system messages, while also filtering out temporary files from triggering notifications. The review identified two critical security vulnerabilities: an indirect prompt injection risk where unescaped Slack messages could prematurely close the event block, and a path traversal vulnerability in the path validation regex that could allow reading arbitrary local files.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| function truncateForSystemMessage(text: string, maxChars = MAX_INLINE_EVENT_TEXT_CHARS): string { | ||
| const normalized = text.trim() | ||
| return normalized.length > maxChars ? `${normalized.slice(0, maxChars)}...` : normalized | ||
| } |
There was a problem hiding this comment.
The Slack message text is injected directly into the system message within <integration-event> and </integration-event> tags. If a Slack message contains the closing tag </integration-event>, it can prematurely close the event block and inject arbitrary instructions to the LLM agent, leading to an Indirect Prompt Injection vulnerability.
To prevent this, sanitize the text by neutralizing or escaping any <integration-event> and </integration-event> tags before injecting them into the system message.
function truncateForSystemMessage(text: string, maxChars = MAX_INLINE_EVENT_TEXT_CHARS): string {
const normalized = text.trim()
const truncated = normalized.length > maxChars ? `${normalized.slice(0, maxChars)}...` : normalized
return truncated
.replace(/<\/integration-event>/gi, '[/integration-event]')
.replace(/<integration-event>/gi, '[integration-event]')
}| function slackEventContextPath(path: string): boolean { | ||
| return /^\/slack\/(?:channels|dms)\/[^/]+\/(?:messages|threads)\/.+\.json$/u.test(path) | ||
| } |
There was a problem hiding this comment.
The slackEventContextPath function uses a wildcard .+ at the end of the regular expression, which can match path traversal sequences like ../../. Since the matched path is later used in localPathForRemoteRoot to resolve and read local files via readFile, this creates a Path Traversal vulnerability. A malicious event could exploit this to read arbitrary JSON files on the local system.
To mitigate this, explicitly reject any paths containing directory traversal segments (.. or . limiters).
| function slackEventContextPath(path: string): boolean { | |
| return /^\/slack\/(?:channels|dms)\/[^/]+\/(?:messages|threads)\/.+\.json$/u.test(path) | |
| } | |
| function slackEventContextPath(path: string): boolean { | |
| if (path.split(/[\\/]/).some((seg) => seg === '..' || seg === '.')) return false | |
| return /^\/slack\/(?:channels|dms)\/[^/]+\/(?:messages|threads)\/.+\.json$/u.test(path) | |
| } |
![codeant-ai[bot]](https://avatars.githubusercontent.com/in/646884?s=60&v=4){kind=small}
| const localPath = localPathForRemoteRoot(localMountWorkspaceId, path) | ||
| const raw = await readFile(localPath, 'utf8').catch(() => null) |
There was a problem hiding this comment.
Suggestion: The local context file path is built directly from event.resource.path segments and then read from disk without validating path traversal segments. If an event path contains .. segments, join(...) can escape the workspace root and read unintended files. Reject any segment equal to .. (and other unsafe segments) before constructing the local path. [security]
Severity Level: Critical 🚨
- ❌ Integration event bridge can read arbitrary local JSON paths.
- ⚠️ Slack inline context may expose unintended workspace or system data.Steps of Reproduction ✅
1. Set up an `IntegrationEventBridge` and reconcile a Slack integration so that
`reconcile()` in `src/main/integration-event-bridge.ts:153-259` subscribes to events and
associates a `localMountWorkspaceId` (as in the Slack inline-context test at
`src/main/__tests__/integration-event-bridge.test.ts:20-30`).
2. Cause a `ChangeEvent` to be emitted with `event.resource.provider === 'slack'` and a
path containing `..`, for example `event.resource.path =
'/slack/channels/C123/messages/../../../../../../etc/secret.json'`, which still matches
the `slackEventContextPath()` regex at `src/main/integration-event-bridge.ts:64-66`.
3. The subscription callback in `IntegrationEventBridge.reconcile()` at
`src/main/integration-event-bridge.ts:200-216` invokes `this.injectEvent(projectId, event,
specs, handle.localMountWorkspaceId)`, which in turn (after filtering and target
selection) calls `localEventContextLines(event, localMountWorkspaceId)` at
`src/main/integration-event-bridge.ts:335`.
4. Inside `localEventContextLines()` at `src/main/integration-event-bridge.ts:87-100`,
`localPath` is computed as `localPathForRemoteRoot(localMountWorkspaceId, path)` (line
771) which uses `pathSegments()` (lines 149-151) and `path.join()` in
`localPathForRemoteRoot()` (lines 64-66) without rejecting `..` segments; Node's `join()`
interprets `..` as parent-directory traversal, so `localPath` can resolve outside
`~/.agentworkforce/pear/relayfile/workspaces/<workspaceId>`, and `readFile(localPath,
'utf8')` (line 772) attempts to read that unintended file.Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** src/main/integration-event-bridge.ts
**Line:** 771:772
**Comment:**
*Security: The local context file path is built directly from `event.resource.path` segments and then read from disk without validating path traversal segments. If an event path contains `..` segments, `join(...)` can escape the workspace root and read unintended files. Reject any segment equal to `..` (and other unsafe segments) before constructing the local path.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished reviewing your PR. |
|
Coordination note: a fix campaign is underway that touches this PR's area. Issue #82 (event/history sync overload — Tracks A–G, PR #98 open for Track A) and issue #99 (event delivery defects: doubled paths, tmp-file leaks, alias duplicate delivery, writeback self-echo) are being worked in parallel by dedicated agents. Relevant to this PR: the Slack thread inline event context work here intersects Track D (lazy context reads — event payloads carrying provider/resource/title context so agents don't need historical mounts). Fix notes will be posted on the issues as PRs land; rebase coordination is being handled in the agent-relay general channel. |
|
Reviewed PR #97 and made one targeted fix. I found that the new Slack local inline-context fallback could map a Relayfile event path containing Verified locally: Both passed locally. Build emitted existing Vite dynamic-import warnings, but no failures. |
|
✅ pr-reviewer applied fixes — committed and pushed Reviewed PR #97 and made one targeted fix. I found that the new Slack local inline-context fallback could map a Relayfile event path containing Verified locally: Both passed locally. Build emitted existing Vite dynamic-import warnings, but no failures. |
|
Reviewed PR #97 against the current checkout. I didn’t find any reproducible breakage or stale bot-review items to fix, so I left the PR code unchanged. Local verification passed:
|
|
ℹ️ pr-reviewer: review only — no file changes were applied to the PR (nothing to commit after review). The notes below are advisory and were not pushed. Reviewed PR #97 against the current checkout. I didn’t find any reproducible breakage or stale bot-review items to fix, so I left the PR code unchanged. Local verification passed:
|
kjgbot
force-pushed
the
fix/slack-thread-inline-event-context
branch
from
16278c0 to
d115e53
Compare
|
Fixed one validated issue in the current checkout: Slack local event record reads now reject Added a regression in integration-event-bridge.test.ts where an escaped local file with stale webhook metadata must not suppress delivery or leak inline text. Local validation passed:
|
|
✅ pr-reviewer applied fixes — committed and pushed Fixed a confirmed traversal issue in the Slack event bridge: local Slack event records now reject Updated the regression test so an escaped local file would suppress delivery if it were read, proving the guard applies before filtering as well as before inline context injection. Validated locally: |
kjgbot
force-pushed
the
fix/slack-thread-inline-event-context
branch
from
8d4eadc to
6992350
Compare
kjgbot
force-pushed
the
fix/slack-thread-inline-event-context
branch
from
6992350 to
b59a633
Compare
kjgbot
force-pushed
the
fix/slack-thread-inline-event-context
branch
from
b59a633 to
073e1d5
Compare
1 participant
User description
Summary
Why
Logs showed Slack thread replies are received and injected, but agents only got a path-oriented notification. This makes thread commands actionable without requiring the agent to first read the mounted record, and avoids noisy tmp-file injections from local mount writes.
Test plan
CodeAnt-AI Description
Show Slack thread details directly in event notifications and ignore transient temp files
What Changed
Impact
✅ Clearer Slack thread alerts✅ Faster replies to thread requests✅ Fewer noisy temp-file notifications🔄 Retrigger CodeAnt AI Review
💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.