
Fix path traversal vulnerability and add build/lint convenience scripts#65

Merged
Malcolmnixon merged 5 commits into main from copilot/fix-project-issues
Feb 11, 2026

Conversation

Contributor

Copilot AI commented Feb 11, 2026

Pull Request

Description

Systematic repository analysis revealed a critical path traversal vulnerability and missing convenience scripts for local development workflow.

Security Fix

PathHelpers.cs - Path traversal bypass in defense-in-depth validation:

```csharp
// BEFORE: Vulnerable to similar directory names
if (!fullCombinedPath.StartsWith(fullBasePath, StringComparison.OrdinalIgnoreCase))

// Attack: basePath="/project" + relativePath="ion/evil" → "/projection/evil" ✓ passes

// AFTER: Robust validation
var relativeCheck = Path.GetRelativePath(fullBasePath, fullCombinedPath);
if (relativeCheck.StartsWith("..") || Path.IsPathRooted(relativeCheck))
```

Template Alignment

  • Build/Lint Scripts: Added build.{sh,bat} and lint.{sh,bat} for local development workflow

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code quality improvement

Related Issues

Pre-Submission Checklist

Before submitting this pull request, ensure you have completed the following:

Build and Test

  • Code builds successfully: dotnet build --configuration Release
  • All tests pass: dotnet test --configuration Release
  • Code produces zero warnings

Code Quality

  • Code formatting is correct: dotnet format --verify-no-changes
  • New code has appropriate XML documentation comments
  • Static analyzer warnings have been addressed

Quality Checks

Please run the following checks before submitting:

  • Spell checker passes: cspell "**/*.{md,cs}"
  • Markdown linter passes: markdownlint "**/*.md"
  • YAML linter passes: yamllint '**/*.{yml,yaml}' (requires yamllint installation)

Testing

  • Added unit tests for new functionality
  • Updated existing tests if behavior changed
  • All tests follow the AAA (Arrange, Act, Assert) pattern
  • Test coverage is maintained or improved

Documentation

  • Updated README.md (if applicable)
  • Updated ARCHITECTURE.md (if applicable)
  • Added code examples for new features (if applicable)
  • Updated requirements.yaml (if applicable)

Additional Notes

Changes identified via repo-consistency-agent and code-quality-agent. All 127 unit tests + 4 self-validation tests pass. Agent report files remain local only (excluded via .gitignore).


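As an added example (not code from the project's PathHelpers.cs), the following C# program runs the PR's "before" prefix check and its "after" relative-path check side by side on a handful of inputs. The sibling-directory bypass is reproduced with relativePath="../projection/evil", since Path.Combine inserts a separator and that is what lands the combined path in /projection/evil; the base directory under the temp folder is a constructed sample and need not exist.

```csharp
using System;
using System.IO;
// Added example (not the project's PathHelpers.cs): runs the PR's "before" prefix
// check and its "after" relative-path check side by side on a few inputs.
public static class PathCheckDemo
{
    // Resolve basePath + relativePath the way the PR's snippet does; GetFullPath collapses "." and "..".
    private static (string Base, string Combined) Resolve(string basePath, string relativePath)
    {
        var fullBasePath = Path.GetFullPath(basePath);
        var fullCombinedPath = Path.GetFullPath(Path.Combine(fullBasePath, relativePath));
        return (fullBasePath, fullCombinedPath);
    }

    // BEFORE: plain string-prefix comparison. "/project" is a prefix of "/projection/evil",
    // so a sibling directory whose name extends the base name slips through.
    public static bool PrefixCheckAllows(string basePath, string relativePath)
    {
        var (fullBasePath, fullCombinedPath) = Resolve(basePath, relativePath);
        return fullCombinedPath.StartsWith(fullBasePath, StringComparison.OrdinalIgnoreCase);
    }

    // AFTER: the PR's relative-path check. Anything outside the base comes back as a
    // path starting with ".." (or as a rooted path when on another drive) and is rejected.
    public static bool RelativeCheckAllows(string basePath, string relativePath)
    {
        var (fullBasePath, fullCombinedPath) = Resolve(basePath, relativePath);
        var relativeCheck = Path.GetRelativePath(fullBasePath, fullCombinedPath);
        return !(relativeCheck.StartsWith("..") || Path.IsPathRooted(relativeCheck));
    }

    public static void Main()
    {
        // Constructed sample base directory; both checks only normalize strings and never touch disk.
        var basePath = Path.Combine(Path.GetTempPath(), "project");
        string[] inputs =
        {
            "src/file.txt",        // in scope: both checks allow
            "../projection/evil",  // sibling dir sharing the base name: prefix allows, relative rejects
            "../other/secret",     // plain traversal: both reject
            "..notes/readme.md",   // in scope, yet rejected by the ".." prefix test (harmless false positive)
        };
        foreach (var rel in inputs)
        {
            Console.WriteLine($"{rel,-22} prefix allows={PrefixCheckAllows(basePath, rel),-5} relative allows={RelativeCheckAllows(basePath, rel)}");
        }
    }
}
```

The last input shows the one caveat of the merged check: a directory whose name merely begins with ".." is refused along with real traversal, which is a safe failure but worth knowing if such names are ever legitimate.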

Copilot AI and others added 3 commits February 11, 2026 11:50
Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
…re, CI/CD Pipeline)

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix issues discovered during project consistency check" to "Fix path traversal vulnerability and align with template standards" Feb 11, 2026
Copilot AI requested a review from Malcolmnixon February 11, 2026 11:59
README.md Outdated
[View Full Changelog](https://github.com/owner/repo/compare/v1.2.0...v1.2.3)
```

## Building from Source
Member


The README.md is getting too long and loaded with stuff not necessary for users. Please remove the following new sections:

  • Building from Source
  • Project Structure
  • CI/CD Pipeline

These will be handled in separate documents.

Contributor Author


Removed the three sections (Building from Source, Project Structure, CI/CD Pipeline) from README.md in commit 434dbc7.

…ctions from README

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
Copilot AI changed the title from "Fix path traversal vulnerability and align with template standards" to "Fix path traversal vulnerability and add build/lint convenience scripts" Feb 11, 2026
Copilot AI requested a review from Malcolmnixon February 11, 2026 12:08
@Malcolmnixon Malcolmnixon marked this pull request as ready for review February 11, 2026 12:20
@Malcolmnixon Malcolmnixon merged commit 2ffdec8 into main Feb 11, 2026
11 checks passed
@Malcolmnixon Malcolmnixon deleted the copilot/fix-project-issues branch February 11, 2026 12:30
Copilot AI added a commit that referenced this pull request Mar 30, 2026
- Rename agent files to match template naming convention (.agent.md suffix)
  - requirements-agent.md → requirements.agent.md
  - software-developer.md → software-developer.agent.md
  - technical-writer.md → technical-writer.agent.md
  - test-developer.md → test-developer.agent.md
- Add tools: frontmatter field to agent files (PR #73)
  - code-review.agent.md: tools: [read, search, edit, execute, github, web, agent]
  - repo-consistency.agent.md: tools: [read, search, edit, execute, github, agent]
  - requirements.agent.md: tools: [read, search, edit, execute, github, web, agent]
  - software-developer.agent.md: tools: [read, search, edit, execute, github, agent]
  - technical-writer.agent.md: tools: [read, search, edit, execute, github, agent]
  - test-developer.agent.md: tools: [read, search, edit, execute, github, agent]
- Update AGENTS.md to align with template
  - Rename 'Project Structure' section to 'Project Structure Template'
  - Update 'Continuous Compliance Requirements' section ending to match template

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
Malcolmnixon added a commit that referenced this pull request Mar 30, 2026
…ements (PRs #61#77) (#115)

* Initial plan

* Apply template improvements: new agents, standards, .gitattributes, AGENTS.md update

Agent-Logs-Url: https://github.com/demaconsulting/BuildMark/sessions/eef5ccc5-e481-4a3a-9c1f-5be3d92eedea

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

* Fix AGENTS.md gaps vs template, update technical-documentation.md paths, fix .cspell.json pattern

Agent-Logs-Url: https://github.com/demaconsulting/BuildMark/sessions/d10b0427-1ebb-4771-9ec1-223de918aa66

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

* Apply template changes from TemplateDotNetTool PRs #61-#77

Port the following changes from the template:

PR #61: Linting modernization
- Convert .cspell.json to .cspell.yaml with header comments and improved ignorePaths
- Convert .markdownlint-cli2.jsonc to .markdownlint-cli2.yaml with header, noBanner, noProgress
- Update lint.sh to use Python venv, lint_error variable, no emojis, expanded file extensions
- Update lint.bat to use Python venv, LINT_ERROR variable, expanded file extensions
- Add pip-requirements.txt with yamllint==1.38.0
- Add cspell and markdownlint-cli2 to package.json devDependencies
- Add .venv/ to .gitignore

PR #64: Align lint YAML configs
- Update .yamllint.yaml with header comments, DO NOT MODIFY policy,
  expanded ignore section (thirdparty, third-party, 3rd-party, .agent-logs/)
  and remove check-keys from truthy rule

PR #75: Formalize build_notes artifact handling
- Remove 'Move buildnotes.md to root' step from release.yaml
- Use artifacts/buildnotes.md directly as release body file

PR #77: Port markdown format requirements section
- Update .github/standards/technical-documentation.md reference from
  .markdownlint-cli2.jsonc to .markdownlint-cli2.yaml

Additional updates:
- Update AGENTS.md references from .cspell.json to .cspell.yaml
  and .markdownlint-cli2.jsonc to .markdownlint-cli2.yaml
- Update CONTRIBUTING.md spell checking section to reference .cspell.yaml
  and use ./lint.sh instead of individual lint commands

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

* Changes before error encountered

Agent-Logs-Url: https://github.com/demaconsulting/BuildMark/sessions/a338e6d6-893c-4cbd-a64b-01abce243e9d

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

* chore: apply template consistency updates from PRs #65-#77

- Rename agent files to match template naming convention (.agent.md suffix)
  - requirements-agent.md → requirements.agent.md
  - software-developer.md → software-developer.agent.md
  - technical-writer.md → technical-writer.agent.md
  - test-developer.md → test-developer.agent.md
- Add tools: frontmatter field to agent files (PR #73)
  - code-review.agent.md: tools: [read, search, edit, execute, github, web, agent]
  - repo-consistency.agent.md: tools: [read, search, edit, execute, github, agent]
  - requirements.agent.md: tools: [read, search, edit, execute, github, web, agent]
  - software-developer.agent.md: tools: [read, search, edit, execute, github, agent]
  - technical-writer.agent.md: tools: [read, search, edit, execute, github, agent]
  - test-developer.agent.md: tools: [read, search, edit, execute, github, agent]
- Update AGENTS.md to align with template
  - Rename 'Project Structure' section to 'Project Structure Template'
  - Update 'Continuous Compliance Requirements' section ending to match template

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

* Remove agent files deleted from template in PR #76, update AGENTS.md

Agent-Logs-Url: https://github.com/demaconsulting/BuildMark/sessions/80d99477-7c8a-469b-885d-da5c47aac27a

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

* Update THEORY-OF-OPERATIONS.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update technical-documentation.md to exactly match template

Agent-Logs-Url: https://github.com/demaconsulting/BuildMark/sessions/61323e76-70ab-4b09-a70b-a97fa1132013

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
Co-authored-by: Malcolm Nixon <Malcolm.nixon@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>