Fix placeholder content, payloadPath security, schema mismatch, and session init robustness#333

Merged
pethers merged 1 commit into copilot/news-2026-02-19-v2-2f1ee22a2bc0c0c2 from copilot/sub-pr-326 on Feb 19, 2026

Conversation


Copilot AI commented Feb 19, 2026

PR #326 review identified incomplete AI-generated article stubs, a path traversal vulnerability, inconsistent error handling, and a schema drift between the metadata file and its writer.

Placeholder content (10 language files)

news/2026-02-19-opposition-motions-{ar,de,es,fi,fr,he,ja,ko,nl,zh}.html — Political Analysis and Outlook sections contain <p>...</p> stubs. Replaced with full translated content matching the English source.

Security: payloadPath path traversal (mcp-client.js:568)

Server-controlled payloadPath was passed directly to fs.readFileSync with no validation — arbitrary local file read. Fixed by resolving and validating the path is within an allow-listed directory before reading:

const path = require('path');

// Allow-listed directory; resolved once so the comparison is against a normalized absolute path.
const ALLOWED_PAYLOAD_DIR = path.resolve('/tmp/mcp-payloads');
// Normalize the server-supplied path (collapses '..' and '.') before comparing.
const resolvedPath = path.resolve(parsed.payloadPath);
// The trailing path.sep keeps sibling directories such as /tmp/mcp-payloads-evil from matching.
if (!resolvedPath.startsWith(ALLOWED_PAYLOAD_DIR + path.sep)) {
  throw new Error(`Unsafe payloadPath rejected: ${parsed.payloadPath}`);
}

Case-insensitive 'Too Many Requests' check (mcp-client.js:547)

Session re-init check used errorMsg.includes('Too Many Requests') (mixed case) while the catch block already used .toLowerCase(). Normalized to .toLowerCase().includes('too many requests').

Metadata schema drift (generate-news-enhanced.js:751)

last-generation.json was written with old keys (timestamp, types, languagesGenerated) while the file on disk uses the new schema (lastGeneration, articleTypes, articlesGenerated). Updated the writer to emit the current schema.

initializeSession() — unguarded notifications/initialized fetch (mcp-client.js:699)

Second fetch call had no signal (could hang) and no response.ok check (silent failure). Added controller.signal and a warning log on non-2xx response.



Copilot AI changed the title from "[WIP] Add 42 news articles for 2026-02-19" to "Fix placeholder content, payloadPath security, schema mismatch, and session init robustness" on Feb 19, 2026
Copilot AI requested a review from pethers February 19, 2026 16:20
@pethers pethers marked this pull request as ready for review February 19, 2026 16:24
@pethers pethers merged commit c53497c into copilot/news-2026-02-19-v2-2f1ee22a2bc0c0c2 Feb 19, 2026
1 check passed
@pethers pethers deleted the copilot/sub-pr-326 branch February 19, 2026 16:24