Merged
3 changes: 2 additions & 1 deletion .github/workflows/daily-compiler-quality.lock.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion .github/workflows/duplicate-code-detector.lock.yml

5 changes: 3 additions & 2 deletions .github/workflows/semantic-function-refactor.lock.yml

1 change: 1 addition & 0 deletions .github/workflows/shared/go-source-analysis.md
@@ -12,6 +12,7 @@ tools:
- head -n * pkg/**/*.go
- grep -r "func " pkg --include="*.go"
- cat pkg/**/*.go
- awk
Comment on lines 12 to +15

Contributor

[/zoom-out] Every other bash entry in this file scopes its path — cat pkg/**/*.go, wc -l pkg/**/*.go, grep -r "func " pkg .... The bare awk entry grants the command with no argument restriction, so an agent could invoke awk '{print}' /etc/shadow and the shell permission would be approved (file-read permission is a separate gate, but defence-in-depth argues for scoping here too).

💡 Suggestion: scope awk to pkg files
- awk '{...}' pkg/**/*.go   # or the most common expected form

If the expected use is function-length counting across all Go files, awk -F '' '{...}' pkg/**/*.go would be more precise and consistent with the other entries.

Contributor

awk breaks the scoped-only convention of this shared component: every other tool listed here is path-restricted to pkg/; bare awk is unrestricted and can read any sandbox-accessible file or invoke shell commands via system().

💡 Analysis and suggestion

All prior entries in this shared workflow are scoped:

- wc -l pkg/**/*.go
- head -n * pkg/**/*.go
- grep -r "func " pkg --include="*.go"
- cat pkg/**/*.go

GNU awk is fundamentally different — it can read arbitrary files (awk '{print}' /tmp/gh-aw/cache-memory/file) and execute shell commands (awk 'BEGIN{system("env")}' /dev/null). The compiled lock files happen to include unrestricted shell(cat) from other shared components, so the practical containment boundary does not change. But this shared component silently widens its contract for all 4 importing workflows without documentation.

Preferred alternative if awk is only needed for Go source analysis:

  - awk pkg/**/*.go

That pattern is consistent with the rest of the list and is the form extractReadablePathPatternsFromShellRule would recognise as path-scoped (though that function currently only handles cat, xargs+cat, and ls prefixes, so an awk path restriction would not gate the SDK view permission handler either way).

---
## Go Source Code Analysis Setup
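Review bot: the added - awk line is the only bash entry in this list without a path argument; the three entries above it (head -n * pkg/**/*.go, grep -r "func " pkg --include="*.go", cat pkg/**/*.go) all confine their command to pkg/. Scope it the same way, e.g. - awk '{...}' pkg/**/*.go, or, if a free-form program text is required, add a sentence under "Go Source Code Analysis Setup" saying so, since the regenerated .lock.yml files in this PR show the wider grant propagating to the workflows that import this shared component.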
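A lint check a maintainer could run over the shared component to enforce the convention both review comments describe (every bash entry keeps its command inside pkg/), written as an added example for this page and not code from the project. The list text is a constructed copy of the diff above, and the rule that any path-like argument must sit under pkg/ is an assumption.

```python
import shlex

# Constructed copy of the bash allow-list as it appears in the diff above.
SHARED_COMPONENT = """\
tools:
  bash:
    - wc -l pkg/**/*.go
    - head -n * pkg/**/*.go
    - grep -r "func " pkg --include="*.go"
    - cat pkg/**/*.go
    - awk
"""
SCOPE_ROOT = "pkg"  # assumed: every entry must keep its command inside pkg/


def _is_path_like(arg: str) -> bool:
    """Heuristic: args that look like filesystem paths (not flags, globs or programs)."""
    return arg.startswith(("/", "./", "../", "~")) or ("/" in arg and not arg.startswith("-"))


def classify_entry(entry: str) -> str:
    """Return 'scoped', 'bare' or 'out-of-scope' for one allow-list command line."""
    try:
        argv = shlex.split(entry)
    except ValueError:  # unbalanced quotes: cannot be reviewed, treat as bare
        return "bare"
    args = argv[1:]
    inside = [a for a in args if a == SCOPE_ROOT or a.startswith(SCOPE_ROOT + "/")]
    outside = [a for a in args if _is_path_like(a) and a not in inside]
    if outside:
        return "out-of-scope"  # names a path elsewhere, e.g. cat ../other/file
    return "scoped" if inside else "bare"  # bare: no pkg/ argument at all


def find_unscoped(markdown: str) -> list[tuple[str, str]]:
    """Every '- <command>' list item that is not scoped to pkg/, with its verdict."""
    findings = []
    for line in markdown.splitlines():
        stripped = line.strip()
        if stripped.startswith("- "):
            entry = stripped[2:].strip()
            verdict = classify_entry(entry)
            if verdict != "scoped":
                findings.append((entry, verdict))
    return findings


if __name__ == "__main__":
    for entry, verdict in find_unscoped(SHARED_COMPONENT):
        print(f"{verdict}: {entry}")  # prints "bare: awk" for the list above
```

The path heuristic is deliberately simple and will flag an awk program text containing a slash, which is acceptable for a gate that only asks for a second look.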
