🛡️ Sentinel: [HIGH] Fix regex newline injection and broken publish exclusion#108
🛡️ Sentinel: [HIGH] Fix regex newline injection and broken publish exclusion#108calionauta wants to merge 1 commit into
Conversation
…clusion - Hardened internal skill name validators in `local_source.py` and `external_source.py` by replacing `$` with `\Z` to prevent newline injection. - Refactored `_ignore_func` in `git_publish.py` to use `fnmatch.fnmatchcase` for robust file exclusion, preventing potential data leaks of sensitive files like `sessions` and `cache` during public publishing. - Added regression tests in `tests/test_sentinel_fixes.py`. - Updated `.jules/sentinel.md` with new security learnings. Co-authored-by: renatocaliari <1719651+renatocaliari@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
There was a problem hiding this comment.
Code Review
This pull request addresses security vulnerabilities by replacing $ with \Z in skill name validation regexes to prevent newline injection, and refactoring the custom ignore logic in git_publish.py to use fnmatch.fnmatchcase. It also adds a test suite to verify these fixes. The review feedback suggests enhancing the ignore logic to be case-insensitive to prevent sensitive files with alternative casing (e.g., .ENV) from bypassing the filter, along with adding corresponding test cases.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| if name == pattern or name.startswith(pattern.rstrip('/') + '/'): | ||
| ignored.append(name) | ||
| break | ||
| if fnmatch.fnmatchcase(name, pattern): |
There was a problem hiding this comment.
Using fnmatch.fnmatchcase performs a strictly case-sensitive match. If a user or system creates sensitive files or directories with different casing (e.g., .ENV, Models.json, or Cache), they will bypass this ignore filter and potentially be leaked to the public repository.
To prevent accidental leakage, it is safer to perform case-insensitive matching by converting both the name and the pattern to lowercase.
| if fnmatch.fnmatchcase(name, pattern): | |
| if fnmatch.fnmatchcase(name.lower(), pattern.lower()): |
| assert "sessions" in ignore(None, ["sessions"]) | ||
| assert "cache" in ignore(None, ["cache"]) | ||
| assert "models.json" in ignore(None, ["models.json"]) | ||
| assert ".env" in ignore(None, [".env"]) | ||
| assert "test.log" in ignore(None, ["test.log"]) |
There was a problem hiding this comment.
If case-insensitive matching is adopted in _ignore_func, we should also add test cases to verify that variations in casing (such as .ENV or Models.json) are correctly ignored.
| assert "sessions" in ignore(None, ["sessions"]) | |
| assert "cache" in ignore(None, ["cache"]) | |
| assert "models.json" in ignore(None, ["models.json"]) | |
| assert ".env" in ignore(None, [".env"]) | |
| assert "test.log" in ignore(None, ["test.log"]) | |
| assert "sessions" in ignore(None, ["sessions"]) | |
| assert "SESSIONS" in ignore(None, ["SESSIONS"]) | |
| assert "cache" in ignore(None, ["cache"]) | |
| assert "Cache" in ignore(None, ["Cache"]) | |
| assert "models.json" in ignore(None, ["models.json"]) | |
| assert "Models.json" in ignore(None, ["Models.json"]) | |
| assert ".env" in ignore(None, [".env"]) | |
| assert ".ENV" in ignore(None, [".ENV"]) | |
| assert "test.log" in ignore(None, ["test.log"]) | |
| assert "TEST.LOG" in ignore(None, ["TEST.LOG"]) |
🚨 Severity: HIGH
💡 Vulnerability:
$anchor, which allows trailing newlines in Python'sremodule. This could lead to argument or command injection if these names were used in shell commands._ignore_funcused to filter sensitive files during public publishing had brittle logic that failed to match most default patterns (e.g.,sessions,cache,models.json).🎯 Impact:
agent-sync shareprocess.🔧 Fix:
$with\Zin all identified internal validators.fnmatch.fnmatchcasefor reliable glob-style matching.✅ Verification:
tests/test_sentinel_fixes.pyspecifically verifies both fixes.tests/test_security.pypass._ignore_funcfix with a reproduction script.PR created automatically by Jules for task 11424395249717937625 started by @renatocaliari