Skip to content

Suppress CodeQL js/http-to-file-access in ensure-docs-slide-pdf.js with explicit trust-boundary rationale#43049

Merged
pelikhan merged 2 commits into
mainfrom
copilot/uk-ai-resilience-review-network-data-to-file-write
Jul 2, 2026
Merged

Suppress CodeQL js/http-to-file-access in ensure-docs-slide-pdf.js with explicit trust-boundary rationale#43049
pelikhan merged 2 commits into
mainfrom
copilot/uk-ai-resilience-review-network-data-to-file-write

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

CodeQL flagged scripts/ensure-docs-slide-pdf.js for writing network-derived bytes to disk (js/http-to-file-access, CWE-434/912). This PR documents the intended trust boundary and why the write path is constrained rather than changing runtime behavior.

  • Security annotation at sink

    • Added an inline codeql[js/http-to-file-access] suppression on the fs.writeFileSync call.
    • The annotation explicitly states the upstream controls already enforced before the write: fixed GitHub media source, content-type checks, payload size limits, and PDF signature validation.
  • Behavioral impact

    • No logic changes to download/write flow.
    • Change is scoped to scanner-facing documentation of an already-validated path.
// codeql[js/http-to-file-access]: readPdfBytes() only downloads from a fixed GitHub media URL and validates content type, size, and PDF signature before this write.
fs.writeFileSync(OUTPUT_PATH, pdfBytes);

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Review network-data-to-file write in ensure-docs-slide-pdf.js Suppress CodeQL js/http-to-file-access in ensure-docs-slide-pdf.js with explicit trust-boundary rationale Jul 2, 2026
Copilot AI requested a review from pelikhan July 2, 2026 23:50
@pelikhan pelikhan marked this pull request as ready for review July 2, 2026 23:54
Copilot AI review requested due to automatic review settings July 2, 2026 23:54
@pelikhan pelikhan merged commit 98d108e into main Jul 2, 2026
57 of 76 checks passed
@pelikhan pelikhan deleted the copilot/uk-ai-resilience-review-network-data-to-file-write branch July 2, 2026 23:54
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR does not have the 'implementation' label and has ≤100 new lines of code in business logic directories.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

No test files were added or modified in this PR. Test Quality Sentinel skipped.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds an inline CodeQL suppression comment to scripts/ensure-docs-slide-pdf.js at the file-write sink, documenting why writing downloaded bytes to disk is considered an acceptable trust boundary for this script.

Changes:

  • Adds a codeql[js/http-to-file-access] suppression comment above fs.writeFileSync.
  • Documents the intended upstream validations (content-type, size limit, PDF signature check) as the rationale for the suppression.
Show a summary per file
File Description
scripts/ensure-docs-slide-pdf.js Adds an inline CodeQL suppression comment with rationale for a network-bytes-to-disk write.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 1
  • Review effort level: Low

async function main() {
const pdfBytes = await readPdfBytes();
fs.mkdirSync(path.dirname(OUTPUT_PATH), { recursive: true });
// codeql[js/http-to-file-access]: readPdfBytes() only downloads from a fixed GitHub media URL and validates content type, size, and PDF signature before this write.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: CodeQL js/http-to-file-access suppression

The suppression annotation is well-placed and accurately describes the trust-boundary controls enforced before the fs.writeFileSync sink:

  • Fixed source URLmedia.githubusercontent.com with a github.com-constrained repository path (regex-validated, with hardcoded github/gh-aw fallback).
  • Size guard — 50 MB enforced on both Content-Length header and post-download buffer.
  • PDF signature checkisPdf() (%PDF- magic bytes) is the real validation gate and correctly catches non-PDFs regardless of content-type claims.
Minor observation (non-blocking)

The comment says "validates content type", but application/octet-stream is a generic binary type that carries no semantic PDF guarantee. The isPdf() magic-bytes check is the actual validator. The annotation is accurate in aggregate, but a more precise phrasing would be:

// codeql[js/http-to-file-access]: readPdfBytes() only downloads from a fixed GitHub media URL and
// validates payload size and PDF magic bytes (%PDF-) before this write.

This is a documentation-quality nit only — the security controls are sound.

No blocking issues.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 22.1 AIC · ⌖ 6.51 AIC · ⊞ 4.9K

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /grill-with-docs — requesting changes on two documentation accuracy issues in the suppression comment.

📋 Key Themes & Highlights

Key Themes

  • Inaccurate trust-boundary description: The comment says "fixed GitHub media URL" but the URL path is dynamically built from the git remote and current SHA — only the host is fixed. The rationale needs to accurately describe what is actually constant.
  • Overstated validation strength: The comment says "PDF signature validation" but isPdf() is a 5-byte magic-byte check (%PDF-), not a cryptographic signature. Precise language matters in security annotations that will be relied upon by future reviewers and scanner suppressions.

Positive Highlights

  • ✅ The placement of the suppression comment is exactly right — it sits at the sink, immediately after all validations, which is the correct spot.
  • ✅ The PR body gives a clear and helpful explanation of the intent.
  • ✅ The existing validation chain (content-type, size limit, magic bytes) is solid and the suppression is justified on its merits — the rationale just needs precise wording.
  • ✅ No runtime behaviour changes — this is a pure documentation-only PR, which is the appropriate way to handle scanner annotations.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 31.4 AIC · ⌖ 7.29 AIC · ⊞ 6.6K
Comment /matt to run again

async function main() {
const pdfBytes = await readPdfBytes();
fs.mkdirSync(path.dirname(OUTPUT_PATH), { recursive: true });
// codeql[js/http-to-file-access]: readPdfBytes() only downloads from a fixed GitHub media URL and validates content type, size, and PDF signature before this write.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/grill-with-docs] The suppression rationale claims a "fixed GitHub media URL" but the URL path is dynamically constructed — the owner/repo segment comes from git config remote.origin.url (line ~29) and the ref from GITHUB_SHA or git rev-parse HEAD. The URL host (media.githubusercontent.com) is fixed, but the full URL is not. The comment overstates the fixedness of the source.

💡 Suggested improvement

Option A — Make the comment accurate without code changes:

// codeql[js/http-to-file-access]: Download host is always media.githubusercontent.com;
// path is derived from the current repo remote and git ref. Content-type,
// payload size (<50 MB), and PDF magic-byte validation are applied before this write.

Option B — Make the URL truly fixed by removing the dynamic repo-path lookup and hardcoding github/gh-aw (the fallback already used when git remote is unavailable).

@copilot please address this.

async function main() {
const pdfBytes = await readPdfBytes();
fs.mkdirSync(path.dirname(OUTPUT_PATH), { recursive: true });
// codeql[js/http-to-file-access]: readPdfBytes() only downloads from a fixed GitHub media URL and validates content type, size, and PDF signature before this write.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/grill-with-docs] The rationale mentions "PDF signature validation" but isPdf() only checks the first 5 bytes (%PDF-). This is magic-byte detection, not cryptographic signature validation. The comment's stronger phrasing could mislead future reviewers about the strength of the check.

💡 Suggested improvement

Use more precise language in the suppression comment:

// codeql[js/http-to-file-access]: readPdfBytes() only downloads from media.githubusercontent.com
// and validates content-type, payload size (<50 MB), and PDF magic-byte header before this write.

Replacing "PDF signature validation" with "PDF magic-byte header" is accurate and still conveys that a format check is in place.

@copilot please address this.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Post-merge review

Change is a single-line CodeQL suppression comment — no logic altered. The only substantive concern is already captured in the existing inline thread: the comment claims a fixed GitHub media URL, but only the host (media.githubusercontent.com) is fixed; the path is composed dynamically from repositoryPath and ref.

💡 Full analysis notes

readPdfBytes() has three return paths; js/http-to-file-access only fires on network-derived bytes, so paths 1 (local file) and 3 (placeholder) are not alert targets. The annotation is correctly scoped to the path CodeQL cares about. The word "fixed" is the only inaccuracy, and it is already addressed in the inline review thread by copilot-pull-request-reviewer[bot].

GITHUB_SHA in a GitHub Actions runner is set by runner infrastructure, not by arbitrary workflow input, so ref being user-controlled is not a new risk introduced by this change.

Verdict: No blocking issues beyond the already-documented annotation wording. The existing thread suggestion ("fixed GitHub media host scoped to the current repo/ref") is the correct follow-up.

🔎 Code quality review by PR Code Quality Reviewer · 59.5 AIC · ⌖ 7.49 AIC · ⊞ 5.4K
Comment /review to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[uk-ai-resilience] [security] Review network-data-to-file write in ensure-docs-slide-pdf.js (CodeQL #636, CWE-434/912)

3 participants