Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions scripts/ensure-docs-slide-pdf.js
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,7 @@ async function readPdfBytes() {
async function main() {
const pdfBytes = await readPdfBytes();
fs.mkdirSync(path.dirname(OUTPUT_PATH), { recursive: true });
// codeql[js/http-to-file-access]: readPdfBytes() only downloads from a fixed GitHub media URL and validates content type, size, and PDF signature before this write.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/grill-with-docs] The suppression rationale claims a "fixed GitHub media URL" but the URL path is dynamically constructed — the owner/repo segment comes from git config remote.origin.url (line ~29) and the ref from GITHUB_SHA or git rev-parse HEAD. The URL host (media.githubusercontent.com) is fixed, but the full URL is not. The comment overstates the fixedness of the source.

💡 Suggested improvement

Option A — Make the comment accurate without code changes:

// codeql[js/http-to-file-access]: Download host is always media.githubusercontent.com;
// path is derived from the current repo remote and git ref. Content-type,
// payload size (<50 MB), and PDF magic-byte validation are applied before this write.

Option B — Make the URL truly fixed by removing the dynamic repo-path lookup and hardcoding github/gh-aw (the fallback already used when git remote is unavailable).

@copilot please address this.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/grill-with-docs] The rationale mentions "PDF signature validation" but isPdf() only checks the first 5 bytes (%PDF-). This is magic-byte detection, not cryptographic signature validation. The comment's stronger phrasing could mislead future reviewers about the strength of the check.

💡 Suggested improvement

Use more precise language in the suppression comment:

// codeql[js/http-to-file-access]: readPdfBytes() only downloads from media.githubusercontent.com
// and validates content-type, payload size (<50 MB), and PDF magic-byte header before this write.

Replacing "PDF signature validation" with "PDF magic-byte header" is accurate and still conveys that a format check is in place.

@copilot please address this.

fs.writeFileSync(OUTPUT_PATH, pdfBytes);
console.log(`✓ Slide PDF ready at ${OUTPUT_PATH}`);
}
Expand Down
Loading