Skip to content

Harden temp writes in safe-output evaluation script#43054

Merged
pelikhan merged 8 commits into
mainfrom
copilot/uk-ai-resilience-fix-insecure-temp-file
Jul 3, 2026
Merged

Harden temp writes in safe-output evaluation script#43054
pelikhan merged 8 commits into
mainfrom
copilot/uk-ai-resilience-fix-insecure-temp-file

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

CodeQL flagged insecure temporary file creation in scripts/prepare-objective-impact-safe-output-evaluations.cjs. During review, this script was confirmed to be live code used by the active objective-impact-report workflow, so the fix keeps the behavior and removes the unsafe temp-file pattern.

  • Security fix

    • Replaced the ad hoc temp-file naming logic with a private temp directory created via fs.mkdtempSync(...).
    • Writes now occur inside that temp directory and are finalized with renameSync, avoiding predictable temp paths and reducing TOCTOU/symlink risk.
  • Script cleanup

    • Removed the now-unused crypto import.
    • Kept the helper scoped to the existing atomic-write path rather than changing surrounding workflow behavior.
  • Failure diagnostics

    • Split write and rename failure handling so errors identify which atomic-write step failed.
const tmpDir = fs.mkdtempSync(path.join(parentDir, `.${baseName}.tmp-`));
const tmpFile = path.join(tmpDir, baseName);

fs.writeFileSync(tmpFile, content);
fs.renameSync(tmpFile, filePath);

Copilot AI and others added 2 commits July 2, 2026 23:59
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix insecure temporary file creation in CI evaluation script Harden temp writes in safe-output evaluation script Jul 3, 2026
Copilot AI requested a review from pelikhan July 3, 2026 00:03
@pelikhan

pelikhan commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

@copilot inline script code into step in objective-impact-report and remove .js file.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EXPR_GITHUB_REPOSITORY: ${{ github.repository }}
run: bash scripts/prepare-objective-impact-report-dataset.sh
run: |

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot use actions/github-script instead of shell

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in cabf5fc: the safe-output preparation step now uses actions/github-script instead of a shell heredoc, and I removed the redundant explicit github-token input.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@copilot inline script code into step in objective-impact-report and remove .js file.

Addressed in 8c7ebf6: the safe-output evaluation code is now inlined in objective-impact-report, the standalone .cjs file was removed, and the workflow uses separate pre-agent steps for clearer logs.

Copilot AI and others added 2 commits July 3, 2026 00:46
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Triage Result

Field Value
Category bug (security)
Risk Medium
Priority Score 62/100
Score Breakdown Impact: 30 · Urgency: 20 · Quality: 12
Recommended Action fast_track

Batch: pr-batch:security-hardening (with 43057)

Rationale: CodeQL-flagged insecure temp file creation in active evaluation script. Behavior-preserving fix. Draft state and dirty merge state need resolution before merge.

Generated by 🔧 PR Triage Agent · 98.6 AIC · ⌖ 9.89 AIC · ⊞ 5.5K ·

Copilot AI review requested due to automatic review settings July 3, 2026 02:32
@pelikhan

pelikhan commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

@copilot merge main and recompile

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a CodeQL finding around insecure temporary file creation in the safe-output evaluation generation logic used by the objective-impact-report workflow. It preserves the existing behavior while switching the atomic-write implementation to use a private mkdtempSync(...) directory and renameSync(...) finalization.

Changes:

  • Removed scripts/prepare-objective-impact-safe-output-evaluations.cjs and moved the evaluation logic into the workflow as an actions/github-script pre-agent step.
  • Replaced ad hoc temp-file naming with fs.mkdtempSync(...) + renameSync(...), and improved error diagnostics by splitting write vs rename failures.
  • Updated the dataset prep script to stop invoking the removed Node script; updated the compiled .lock.yml accordingly.
Show a summary per file
File Description
scripts/prepare-objective-impact-safe-output-evaluations.cjs Removed standalone safe-output evaluation script (logic moved into workflow step).
scripts/prepare-objective-impact-report-dataset.sh Removed call to the deleted safe-output evaluation script.
.github/workflows/objective-impact-report.md Added a pre-agent actions/github-script step that generates safe-output issue evaluation outputs using hardened temp writes.
.github/workflows/objective-impact-report.lock.yml Regenerated compiled workflow to include the new pre-agent step and updated metadata hashes.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 0
  • Review effort level: Low

…nce-fix-insecure-temp-file

# Conflicts:
#	.github/workflows/objective-impact-report.lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@copilot merge main and recompile

Addressed in a111a51: merged main into this branch and recompiled the workflow outputs.

@pelikhan pelikhan merged commit f0cb23b into main Jul 3, 2026
@pelikhan pelikhan deleted the copilot/uk-ai-resilience-fix-insecure-temp-file branch July 3, 2026 02:53
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address the unresolved review feedback in #43054 (comment) (use actions/github-script instead of shell), then rerun checks.

Generated by 👨‍🍳 PR Sous Chef · 13.7 AIC · ⌖ 16.4 AIC · ⊞ 6.4K ·

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

4 participants