Enhance upload safety with additional secret patterns and demo

Copilot · pelikhan · Copilot · commit 4aca9b70aef5 · 2025-09-20T10:00:12.000Z
Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;
diff --git a/packages/cli/genaisrc/system.safety_upload_assets.genai.mts b/packages/cli/genaisrc/system.safety_upload_assets.genai.mts
@@ -25,6 +25,10 @@ export default function (ctx: ChatGenerationContext) {
             /ghp_[A-Za-z0-9]{36}/g, // GitHub personal access tokens
             /ghs_[A-Za-z0-9]{36}/g, // GitHub server tokens
             /gho_[A-Za-z0-9]{36}/g, // GitHub OAuth tokens
+            /sk-[A-Za-z0-9]{48}/g, // OpenAI API keys
+            /AKIA[0-9A-Z]{16}/g, // AWS Access Key IDs
+            /xox[baprs]-[0-9a-zA-Z]{10,48}/g, // Slack tokens
+            /AIza[0-9A-Za-z\\-_]{35}/g, // Google API keys
         ]
 
         for (const pattern of secretPatterns) {
@@ -81,6 +85,9 @@ export default function (ctx: ChatGenerationContext) {
                     /ghs_[A-Za-z0-9]{36}/g, 
                     /gho_[A-Za-z0-9]{36}/g,
                     /sk-[A-Za-z0-9]{48}/g, // OpenAI API keys
+                    /AKIA[0-9A-Z]{16}/g, // AWS Access Key IDs
+                    /xox[baprs]-[0-9a-zA-Z]{10,48}/g, // Slack tokens
+                    /AIza[0-9A-Za-z\\-_]{35}/g, // Google API keys
                 ]
                 return secretPatterns.some(pattern => pattern.test(text))
             }
diff --git a/packages/sample/genaisrc/demo-upload-safety.genai.mts b/packages/sample/genaisrc/demo-upload-safety.genai.mts
@@ -0,0 +1,17 @@
+// Example demonstrating the upload asset safety system
+
+script({
+    title: "Demo: Upload Asset Safety",
+    system: ["system.safety_upload_assets"],
+})
+
+// This example shows how the safety system protects upload operations
+
+// 1. Safe upload (will add warning but allow operation)
+$`Create code that uploads a simple text file using github.uploadAsset`
+
+// 2. Unsafe upload with API key (will be blocked)
+$`Create code that uploads a file containing an API key like "sk-1234567890abcdef" using github.uploadAsset`
+
+// 3. Upload with proper validation
+$`Create code that validates file content for secrets before uploading with github.uploadAsset`

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,10 @@ export default function (ctx: ChatGenerationContext) {`
`25`	`25`	`/ghp_[A-Za-z0-9]{36}/g, // GitHub personal access tokens`
`26`	`26`	`/ghs_[A-Za-z0-9]{36}/g, // GitHub server tokens`
`27`	`27`	`/gho_[A-Za-z0-9]{36}/g, // GitHub OAuth tokens`
	`28`	`+ /sk-[A-Za-z0-9]{48}/g, // OpenAI API keys`
	`29`	`+ /AKIA[0-9A-Z]{16}/g, // AWS Access Key IDs`
	`30`	`+ /xox[baprs]-[0-9a-zA-Z]{10,48}/g, // Slack tokens`
	`31`	`+ /AIza[0-9A-Za-z\\-_]{35}/g, // Google API keys`
`28`	`32`	`]`
`29`	`33`
`30`	`34`	`for (const pattern of secretPatterns) {`
`@@ -81,6 +85,9 @@ export default function (ctx: ChatGenerationContext) {`
`81`	`85`	`/ghs_[A-Za-z0-9]{36}/g,`
`82`	`86`	`/gho_[A-Za-z0-9]{36}/g,`
`83`	`87`	`/sk-[A-Za-z0-9]{48}/g, // OpenAI API keys`
	`88`	`+ /AKIA[0-9A-Z]{16}/g, // AWS Access Key IDs`
	`89`	`+ /xox[baprs]-[0-9a-zA-Z]{10,48}/g, // Slack tokens`
	`90`	`+ /AIza[0-9A-Za-z\\-_]{35}/g, // Google API keys`
`84`	`91`	`]`
`85`	`92`	`return secretPatterns.some(pattern => pattern.test(text))`
`86`	`93`	`}`