release: v0.1.6#96
Conversation
- Add CRITICAL CONSTRAINTS section to prevent file path hallucination - Add explicit severity level definitions with examples - Add 'suggestion' as valid issue_type - Emphasize 'no markdown code fences' in both prompts - Reference: old cora TS repo anti-hallucination patterns Closes #95
- Add extract_file_paths_from_diff() to parse diff headers - Inject 'Valid files in this diff:' list into review user prompt - Add post-parse filtering of issues with invalid file paths in review.rs - Add is_valid_file_path() with exact + partial match heuristic - Add 7 new tests (file path extraction, prompt injection, dedup, /dev/null) Anti-hallucination: LLM can now see exactly which files are valid, and issues referencing non-existent files are filtered out post-parse. Closes #93
- Refactor extract_file_paths_from_diff: early return pattern, no loop over prefixes (fixes overly broad matching of '--- ' prefix) - Tighten is_valid_file_path: require '.' in suffix match to avoid matching single-char paths like 'a' or 'b' - Addresses cora review findings (major x2)
- Extract basename from issue file path and compare against valid file basenames - Prevents false matches like '.rs' matching 'main.rs'
Simplify to exact match — fuzzy matching introduces false positives. The prompt now includes 'Valid files in this diff:' list so the LLM should use those exact paths.
- Add ReviewSection and ScanSection to CoraFile schema - Add response_format, review/scan system_prompt fields to Config - Wire response_format to LLM API calls (chat_completion and streaming) - Support custom system_prompt and system_prompt_file for review and scan - Update all callers in review.rs, scan.rs, and llm.rs Refs #92 #94
- Config defaults for new fields (response_format, prompt overrides) - ReviewSection YAML parsing and merge (response_format, system_prompt, file) - ScanSection YAML parsing and merge - Full config file with both review and scan sections - resolve_system_prompt priority logic (inline > file > none) - system_prompt_file resolution from disk - Missing file handling (returns None, logs warning) Refs #92 #94
- Canonicalize path and check it's within project root (CWD) - Block paths outside project root (e.g. /etc/shadow, ../../.env) - Fix test to use project-local file instead of temp dir - Add test for path traversal rejection Addresses cora review finding: MAJOR arbitrary file read via config. Security: prevents secret leakage through malicious .cora.yaml commits.
- Replace .ok()? with explicit match for canonicalize error - Log debug message when file doesn't exist (intended behavior) - Remove accidentally duplicated project_root line
Both the file path and project root are now canonicalized before comparison, preventing potential bypass via symlinked project root components. Addresses cora review finding: symlink bypass in path traversal guard.
Added: - Custom system prompts via .cora.yaml config (#94) - response_format: json_object opt-in (#92) - File path injection into review prompts (#93) - Post-parse file path filtering (#93) - Enhanced default system prompts (#95) Fixed: - Path traversal in system_prompt_file (#92) - Symlink bypass in path traversal guard
|
Warning Review limit reached
More reviews will be available in 42 minutes and 14 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (7)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
🔍 Cora AI Code Review❌ Blocked — critical issues found. 🔴 Error (3)
However, there's a TOCTOU issue: the canonicalization and the read happen at different times. An attacker could replace a valid file with a symlink between the check and the read.
Review powered by cora-cli · BYOK · MIT |
v0.1.6 Release
Added
Fixed
Stats