From 269b3a280d12014044db86ea04b33c6f5dfeba0e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 4 Nov 2025 15:15:38 +0000 Subject: [PATCH 1/4] Initial plan From d1c473814bc89fe31071bc2abfbe3aa9d5b11af5 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 4 Nov 2025 15:35:42 +0000 Subject: [PATCH 2/4] Add GitHub domain extraction from environment variables - Add GITHUB_SERVER_URL and GITHUB_API_URL environment variables to sanitization step - Update sanitize.cjs to extract and allow GitHub domains from environment - Add extractDomainsFromUrl helper function to parse GitHub URLs - Update tests to handle GitHub environment variables properly - Ensure GitHub domains are always allowed in addition to configured domains Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/artifacts-summary.lock.yml | 34 +++++++++- .github/workflows/audit-workflows.lock.yml | 34 +++++++++- .github/workflows/blog-auditor.lock.yml | 34 +++++++++- .github/workflows/brave.lock.yml | 66 ++++++++++++++++++- .github/workflows/changeset.lock.yml | 66 ++++++++++++++++++- .github/workflows/ci-doctor.lock.yml | 34 +++++++++- .../workflows/cli-version-checker.lock.yml | 34 +++++++++- .../commit-changes-analyzer.lock.yml | 34 +++++++++- .../workflows/copilot-agent-analysis.lock.yml | 34 +++++++++- .../copilot-pr-prompt-analysis.lock.yml | 34 +++++++++- .../copilot-session-insights.lock.yml | 34 +++++++++- .github/workflows/craft.lock.yml | 66 ++++++++++++++++++- .github/workflows/daily-doc-updater.lock.yml | 34 +++++++++- .../workflows/daily-firewall-report.lock.yml | 34 +++++++++- .github/workflows/daily-news.lock.yml | 34 +++++++++- .../workflows/daily-perf-improver.lock.yml | 34 +++++++++- .../workflows/daily-repo-chronicle.lock.yml | 34 +++++++++- .../workflows/daily-test-improver.lock.yml | 34 +++++++++- .github/workflows/dev-hawk.lock.yml | 34 +++++++++- .github/workflows/dev.lock.yml | 34 +++++++++- .github/workflows/dictation-prompt.lock.yml | 34 +++++++++- .../duplicate-code-detector.lock.yml | 34 +++++++++- .../example-workflow-analyzer.lock.yml | 34 +++++++++- .../github-mcp-tools-report.lock.yml | 34 +++++++++- 
.github/workflows/go-logger.lock.yml | 34 +++++++++- .../workflows/go-pattern-detector.lock.yml | 34 +++++++++- .../workflows/instructions-janitor.lock.yml | 34 +++++++++- .github/workflows/issue-classifier.lock.yml | 66 ++++++++++++++++++- .github/workflows/lockfile-stats.lock.yml | 34 +++++++++- .github/workflows/mcp-inspector.lock.yml | 34 +++++++++- .github/workflows/mergefest.lock.yml | 34 +++++++++- .../workflows/notion-issue-summary.lock.yml | 34 +++++++++- .github/workflows/pdf-summary.lock.yml | 66 ++++++++++++++++++- .github/workflows/plan.lock.yml | 66 ++++++++++++++++++- .github/workflows/poem-bot.lock.yml | 66 ++++++++++++++++++- .../prompt-clustering-analysis.lock.yml | 34 +++++++++- .github/workflows/python-data-charts.lock.yml | 34 +++++++++- .github/workflows/q.lock.yml | 66 ++++++++++++++++++- .github/workflows/repo-tree-map.lock.yml | 34 +++++++++- .github/workflows/research.lock.yml | 34 +++++++++- .github/workflows/safe-output-health.lock.yml | 34 +++++++++- .../schema-consistency-checker.lock.yml | 34 +++++++++- .github/workflows/scout.lock.yml | 66 ++++++++++++++++++- .github/workflows/security-fix-pr.lock.yml | 34 +++++++++- .../semantic-function-refactor.lock.yml | 34 +++++++++- .github/workflows/smoke-claude.lock.yml | 34 +++++++++- .github/workflows/smoke-codex.lock.yml | 34 +++++++++- .../workflows/smoke-copilot.firewall.lock.yml | 34 +++++++++- .github/workflows/smoke-copilot.lock.yml | 34 +++++++++- .github/workflows/smoke-detector.lock.yml | 34 +++++++++- .github/workflows/smoke-opencode.lock.yml | 34 +++++++++- .../workflows/static-analysis-report.lock.yml | 34 +++++++++- .../workflows/technical-doc-writer.lock.yml | 34 +++++++++- .../test-ollama-threat-detection.lock.yml | 34 +++++++++- .github/workflows/tidy.lock.yml | 34 +++++++++- .github/workflows/unbloat-docs.lock.yml | 34 +++++++++- .github/workflows/video-analyzer.lock.yml | 34 +++++++++- .../workflows/weekly-issue-summary.lock.yml | 34 +++++++++- 
pkg/workflow/compiler_yaml.go | 5 ++ .../js/collect_ndjson_output.test.cjs | 10 +++ pkg/workflow/js/sanitize.cjs | 54 ++++++++++++++- pkg/workflow/js/sanitize_output.test.cjs | 51 ++++++++++++++ 62 files changed, 2312 insertions(+), 68 deletions(-)
diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml
index 6982e1a39c..27be4febb4 100644
--- a/.github/workflows/artifacts-summary.lock.yml
+++ b/.github/workflows/artifacts-summary.lock.yml
@@ -1587,22 +1587,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 8254714b48..3c24b01f65 100644 
--- a/.github/workflows/audit-workflows.lock.yml
+++ b/.github/workflows/audit-workflows.lock.yml
@@ -2627,22 +2627,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index f8a335b02d..ac546afa07 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml 
@@ -1977,22 +1977,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,githubnext.com,www.githubnext.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 1d19c597b2..ce7cd0c10e 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml 
@@ -155,18 +155,48 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
@@ -2514,23 +2544,55 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: brave with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 561c63f02d..b87737eb00 100644 
--- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -155,18 +155,48 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
@@ -2193,22 +2223,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 23f4d1d93d..9daa4df451 100644 --- a/.github/workflows/ci-doctor.lock.yml 
+++ b/.github/workflows/ci-doctor.lock.yml @@ -2046,22 +2046,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml
index d8347bb2a9..8c8952f503 100644
--- a/.github/workflows/cli-version-checker.lock.yml
+++ b/.github/workflows/cli-version-checker.lock.yml
@@ -1709,22 +1709,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,ghcr.io,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." 
+ hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index bd04c50224..7f21fbe431 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml 
@@ -1908,22 +1908,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 6597d45dda..36e3e57cb4 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml 
@@ -2260,22 +2260,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index a3fb8645f1..30f40e69b9 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml 
@@ -1929,22 +1929,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 3c098f7a96..ad3f839482 100644 
--- a/.github/workflows/copilot-session-insights.lock.yml
+++ b/.github/workflows/copilot-session-insights.lock.yml
@@ -3168,22 +3168,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com,pypi.python.org,pypi.org,pip.pypa.io,*.pythonhosted.org,files.pythonhosted.org,bootstrap.pypa.io,conda.binstar.org,conda.anaconda.org,binstar.org,anaconda.org,repo.continuum.io,repo.anaconda.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." 
+ hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 9423580cab..ef4cd5b286 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml 
@@ -155,18 +155,48 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
@@ -2666,23 +2696,55 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: craft with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 97c7b7b382..d7dce967cc 100644 
--- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml 
@@ -1843,22 +1843,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 5545beea1f..9b05752f39 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml 
@@ -2340,22 +2340,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 2a76268b0a..d646da739a 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml 
@@ -2302,22 +2302,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/daily-perf-improver.lock.yml b/.github/workflows/daily-perf-improver.lock.yml index 0f1983b8fe..ef3a4e2584 100644 --- a/.github/workflows/daily-perf-improver.lock.yml +++ b/.github/workflows/daily-perf-improver.lock.yml 
@@ -2094,22 +2094,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 6e055f7092..c3829b7f5b 100644 
--- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml 
@@ -2193,22 +2193,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/daily-test-improver.lock.yml b/.github/workflows/daily-test-improver.lock.yml index 663e6a3a3c..61f3766fa5 100644 --- a/.github/workflows/daily-test-improver.lock.yml +++ b/.github/workflows/daily-test-improver.lock.yml 
@@ -2068,22 +2068,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index d49988f960..0d59b36b3d 100644 --- a/.github/workflows/dev-hawk.lock.yml 
+++ b/.github/workflows/dev-hawk.lock.yml @@ -1940,22 +1940,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 3bfc6833a8..aebc857622 100644 
--- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1487,22 +1487,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index b760f2c83d..942155f0d6 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml 
@@ -1577,22 +1577,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index d37a14c1d3..916672a03d 100644 
--- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml 
@@ -1663,22 +1663,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 7edd149476..aa6aeb455f 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml 
@@ -1691,22 +1691,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index bd8dad8851..ae0ec768b9 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml 
@@ -2207,22 +2207,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 55d5347e6f..8643014acd 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml 
@@ -1962,22 +1962,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 13b67fa6c1..e29a532d9a 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml 
@@ -1739,22 +1739,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 7d9d5e9e9c..68f57ff580 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml 
@@ -1841,22 +1841,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml index a0785e1b84..a30047e28c 100644 --- a/.github/workflows/issue-classifier.lock.yml +++ b/.github/workflows/issue-classifier.lock.yml 
@@ -147,18 +147,48 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
@@ -2204,22 +2234,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 96b9149b8e..2e56756667 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml 
@@ -2045,22 +2045,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 7d7fc48688..97b683bdfc 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -2159,22 +2159,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 015306c201..81d4c62fcf 100644 --- a/.github/workflows/mergefest.lock.yml 
+++ b/.github/workflows/mergefest.lock.yml @@ -2143,23 +2143,55 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: mergefest with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index be04fd0379..dba6445478 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml 
@@ -1446,22 +1446,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 8fbb628486..1f079099f3 100644 
--- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -177,18 +177,48 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
@@ -2619,23 +2649,55 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: summarize with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 64b04979a6..fa739811cd 100644 
--- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -156,18 +156,48 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
@@ -2115,23 +2145,55 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: plan with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index cd27361566..01159b58a7 100644 
--- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -190,18 +190,48 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
@@ -2850,23 +2880,55 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: poem-bot with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index b686bc09c7..0e43f0711a 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -2380,22 +2380,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com,pypi.python.org,pypi.org,pip.pypa.io,*.pythonhosted.org,files.pythonhosted.org,bootstrap.pypa.io,conda.binstar.org,conda.anaconda.org,binstar.org,anaconda.org,repo.continuum.io,repo.anaconda.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." 
+ hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 8235f1c54b..3e8c3877b8 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml 
@@ -1903,22 +1903,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 52d9994b4c..daa7f84803 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml 
@@ -199,18 +199,48 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
@@ -2969,23 +2999,55 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: q with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index f626bd4f7e..431362458d 100644 
--- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -1611,22 +1611,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index b058a113c4..d8cf7fee71 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml 
@@ -1552,22 +1552,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index cc96ea6a07..c0d192edae 100644 
--- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml 
@@ -2177,22 +2177,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index a37d7aa2e4..eb301b1cdb 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml 
@@ -2047,22 +2047,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index c2c62ba380..2f4b5da2f5 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml 
@@ -202,18 +202,48 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
@@ -3001,23 +3031,55 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: scout with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index d676ca3998..198175904a 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml 
@@ -1789,22 +1789,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 1743b9eb76..83b737e01c 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml 
@@ -2139,22 +2139,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 663850a788..4915ff91dc 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml 
@@ -1590,22 +1590,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index fb19bbeebe..cda6c35d6c 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml 
@@ -1404,22 +1404,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml index 15cfe62f19..29676fd7c5 100644 --- a/.github/workflows/smoke-copilot.firewall.lock.yml +++ b/.github/workflows/smoke-copilot.firewall.lock.yml 
@@ -1475,22 +1475,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 75f239866f..2319607a34 100644 
--- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1475,22 +1475,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index 1852c123da..c1f74d70c8 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml 
@@ -2730,22 +2730,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index 4fc6423d7d..fd735837b1 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml 
@@ -1437,22 +1437,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index a232ee8920..08fc6818d8 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml 
@@ -2066,22 +2066,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index cf1e154f89..d390d28ae9 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml 
@@ -2344,22 +2344,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/test-ollama-threat-detection.lock.yml b/.github/workflows/test-ollama-threat-detection.lock.yml index 2e9920f7f4..56fbec64d0 100644 --- a/.github/workflows/test-ollama-threat-detection.lock.yml +++ b/.github/workflows/test-ollama-threat-detection.lock.yml 
@@ -1418,22 +1418,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 879f11cb0c..dba3733326 100644 --- a/.github/workflows/tidy.lock.yml 
+++ b/.github/workflows/tidy.lock.yml @@ -1945,23 +1945,55 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: tidy with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); 
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 576d2422fd..8e5e779c46 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml 
@@ -2753,23 +2753,55 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,crl.geotrust.com,ocsp.geotrust.com,crl.thawte.com,ocsp.thawte.com,crl.verisign.com,ocsp.verisign.com,crl.globalsign.com,ocsp.globalsign.com,crls.ssl.com,ocsp.ssl.com,crl.identrust.com,ocsp.identrust.com,crl.sectigo.com,ocsp.sectigo.com,crl.usertrust.com,ocsp.usertrust.com,s.symcb.com,s.symcd.com,json-schema.org,json.schemastore.org,archive.ubuntu.com,security.ubuntu.com,ppa.launchpad.net,keyserver.ubuntu.com,azure.archive.ubuntu.com,api.snapcraft.io,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,*.githubusercontent.com,raw.githubusercontent.com,objects.githubusercontent.com,lfs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,codeload.github.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: unbloat with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index a538258fae..473bc03529 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml 
@@ -1709,22 +1709,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 15945b5451..9b59d61d14 100644 
--- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml 
@@ -2104,22 +2104,54 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} with: script: | async function main() { const fs = require("fs"); + function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + try { + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + const domains = [hostname]; + if (hostname === "github.com") { + domains.push("api.github.com"); + } + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + return domains; + } catch (e) { + return []; + } + } function sanitizeContent(content, maxLength) { if (!content || typeof content !== "string") { return ""; } const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? 
allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + allowedDomains = [...new Set(allowedDomains)]; let sanitized = content; sanitized = neutralizeCommands(sanitized); sanitized = neutralizeMentions(sanitized); diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go index 04deae1249..e015f422e8 100644 --- a/pkg/workflow/compiler_yaml.go +++ b/pkg/workflow/compiler_yaml.go @@ -896,6 +896,11 @@ func (c *Compiler) generateOutputCollectionStep(yaml *strings.Builder, data *Wor fmt.Fprintf(yaml, " GH_AW_ALLOWED_DOMAINS: %q\n", domainsStr) } + // Add GitHub server URL and API URL for dynamic domain extraction + // This allows the sanitization code to permit GitHub domains that vary by deployment + yaml.WriteString(" GITHUB_SERVER_URL: ${{ github.server_url }}\n") + yaml.WriteString(" GITHUB_API_URL: ${{ github.api_url }}\n") + // Add command name for command trigger prevention in safe outputs if data.Command != "" { fmt.Fprintf(yaml, " GH_AW_COMMAND: %s\n", data.Command) diff --git a/pkg/workflow/js/collect_ndjson_output.test.cjs b/pkg/workflow/js/collect_ndjson_output.test.cjs index 1d04bdd9e8..ecc2fd140a 100644 --- a/pkg/workflow/js/collect_ndjson_output.test.cjs +++ b/pkg/workflow/js/collect_ndjson_output.test.cjs 
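Review bot: The two `yaml.WriteString` calls put `GITHUB_SERVER_URL` and `GITHUB_API_URL` into the step's `env:` block, but both are default variables the runner already exports to every step. As far as I know a workflow cannot override `GITHUB_*` defaults, so these entries are probably redundant. If they stay for readability, the comment should state the security consequence, for example `// These values extend the sanitizer's URL allowlist; they must come from the github context, never from workflow input.` The body of generateOutputCollectionStep starts and ends outside the hunk.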
@@ -1930,6 +1930,12 @@ Line 3"} }); it("should handle custom allowed domains from environment", async () => { + // Clear GitHub environment variables to test custom domains behavior + const originalServerUrl = process.env.GITHUB_SERVER_URL; + const originalApiUrl = process.env.GITHUB_API_URL; + delete process.env.GITHUB_SERVER_URL; + delete process.env.GITHUB_API_URL; + // Set custom allowed domains process.env.GH_AW_ALLOWED_DOMAINS = "example.com,test.org"; @@ -1954,6 +1960,10 @@ Line 3"} // Clean up delete process.env.GH_AW_ALLOWED_DOMAINS; + + // Restore GitHub environment variables + if (originalServerUrl) process.env.GITHUB_SERVER_URL = originalServerUrl; + if (originalApiUrl) process.env.GITHUB_API_URL = originalApiUrl; }); it("should handle edge cases with colons in different contexts", async () => { diff --git a/pkg/workflow/js/sanitize.cjs b/pkg/workflow/js/sanitize.cjs index c577cc3d8b..a1b6985060 100644 --- a/pkg/workflow/js/sanitize.cjs +++ b/pkg/workflow/js/sanitize.cjs 
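Review bot: The restore added in the second hunk runs only when every assertion before it passes, so a failing expectation leaves `GITHUB_SERVER_URL` and `GITHUB_API_URL` deleted for the tests that run afterwards. Wrapping the test body in `try { … } finally { … }`, or moving the save and restore into `beforeEach`/`afterEach`, keeps the environment isolated per test. The same save-and-restore pattern is added to `sanitize_output.test.cjs` in the `@@ -193,6 +193,12 @@`, `@@ -206,6 +212,41 @@`, `@@ -284,6 +325,12 @@` and `@@ -295,6 +342,10 @@` hunks. The test body between the two hunks here is not visible.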
@@ -5,6 +5,40 @@ * and unintended side effects in GitHub Actions workflows. */ +/** + * Extract domains from a URL and return an array of domain variations + * @param {string} url - The URL to extract domains from + * @returns {string[]} Array of domain variations + */ +function extractDomainsFromUrl(url) { + if (!url || typeof url !== "string") { + return []; + } + + try { + // Parse the URL + const urlObj = new URL(url); + const hostname = urlObj.hostname.toLowerCase(); + + // Return both the exact hostname and common variations + const domains = [hostname]; + + // For github.com, add api.github.com variation + if (hostname === "github.com") { + domains.push("api.github.com"); + } + // For custom GitHub Enterprise domains, add api. prefix + else if (!hostname.startsWith("api.")) { + domains.push("api." + hostname); + } + + return domains; + } catch (e) { + // Invalid URL, return empty array + return []; + } +} + /** * Sanitizes content for safe output in GitHub Actions * @param {string} content - The content to sanitize 
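Review bot: `extractDomainsFromUrl` accepts any scheme and never checks that the parsed hostname is non-empty. A value such as `file:///x` parses without throwing and has an empty hostname, so the function returns `""` and `"api."`, and both would be merged into the allowlist. How the matcher treats an empty entry is not visible in this hunk, so I would reject such input right after the `hostname` assignment: `if (!hostname || !/^https?:$/.test(urlObj.protocol)) return [];`. The JSDoc should also say that the returned names are added to the sanitizer's URL allowlist, since that is what makes the `api.` guess security-relevant.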
@@ -20,13 +54,31 @@ function sanitizeContent(content, maxLength) { const allowedDomainsEnv = process.env.GH_AW_ALLOWED_DOMAINS; const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"]; - const allowedDomains = allowedDomainsEnv + let allowedDomains = allowedDomainsEnv ? allowedDomainsEnv .split(",") .map(d => d.trim()) .filter(d => d) : defaultAllowedDomains; + // Extract and add GitHub domains from GitHub context URLs + // This handles GitHub Enterprise deployments with custom domains + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const githubApiUrl = process.env.GITHUB_API_URL; + + if (githubServerUrl) { + const serverDomains = extractDomainsFromUrl(githubServerUrl); + allowedDomains = allowedDomains.concat(serverDomains); + } + + if (githubApiUrl) { + const apiDomains = extractDomainsFromUrl(githubApiUrl); + allowedDomains = allowedDomains.concat(apiDomains); + } + + // Remove duplicates + allowedDomains = [...new Set(allowedDomains)]; + let sanitized = content; // Neutralize commands at the start of text (e.g., /bot-name) diff --git a/pkg/workflow/js/sanitize_output.test.cjs b/pkg/workflow/js/sanitize_output.test.cjs index 2781214ae0..29582a3746 100644 --- a/pkg/workflow/js/sanitize_output.test.cjs +++ b/pkg/workflow/js/sanitize_output.test.cjs @@ -193,6 +193,12 @@ describe("sanitize_output.cjs", () => { }); it("should respect custom allowed domains from environment", () => { + // Clear GitHub environment variables to test custom domains behavior + const originalServerUrl = process.env.GITHUB_SERVER_URL; + const originalApiUrl = process.env.GITHUB_API_URL; + delete process.env.GITHUB_SERVER_URL; + delete process.env.GITHUB_API_URL; + process.env.GH_AW_ALLOWED_DOMAINS = "example.com,trusted.org"; // Re-run the script setup to pick up env variable 
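Review bot: The merge after the `GH_AW_ALLOWED_DOMAINS` branch in the `sanitize.cjs` hunk is unconditional, so an explicit allowlist can no longer exclude the GitHub host. The runner always sets `GITHUB_SERVER_URL`, so the "github.com now blocked" behaviour that the tests assert only occurs when they delete the variable first. The commit message says this is intended, but the code comment mentions only Enterprise deployments. I would add `// NOTE: these hosts are appended even when GH_AW_ALLOWED_DOMAINS is set; that variable cannot be used to exclude the GitHub host.` above the `githubServerUrl` lookup. The body of sanitizeContent starts and ends outside the hunk.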
@@ -206,6 +212,41 @@ describe("sanitize_output.cjs", () => { expect(result).toContain("https://trusted.org/file"); expect(result).toContain("(redacted)"); // github.com now blocked expect(result).not.toContain("https://github.com/repo"); + + // Restore GitHub environment variables + if (originalServerUrl) process.env.GITHUB_SERVER_URL = originalServerUrl; + if (originalApiUrl) process.env.GITHUB_API_URL = originalApiUrl; + }); + + it("should allow GitHub domains from environment variables", () => { + // Set GitHub environment variables to test dynamic domain extraction + process.env.GITHUB_SERVER_URL = "https://github.example.com"; + process.env.GITHUB_API_URL = "https://api.github.example.com"; + process.env.GH_AW_ALLOWED_DOMAINS = "custom.com"; + + // Re-run the script setup to pick up env variables + const scriptWithExport = sanitizeScript.replace("await main();", "global.testSanitizeContent = sanitizeContent;"); + eval(scriptWithExport); + const customSanitize = global.testSanitizeContent; + + const input = "Links: https://custom.com/page https://github.example.com/repo https://api.github.example.com/v1 https://blocked.com/page"; + const result = customSanitize(input); + + // Should allow custom domain + expect(result).toContain("https://custom.com/page"); + + // Should allow GitHub domains from environment + expect(result).toContain("https://github.example.com/repo"); + expect(result).toContain("https://api.github.example.com/v1"); + + // Should block unknown domain + expect(result).toContain("(redacted)"); + expect(result).not.toContain("https://blocked.com/page"); + + // Clean up + delete process.env.GITHUB_SERVER_URL; + delete process.env.GITHUB_API_URL; + delete process.env.GH_AW_ALLOWED_DOMAINS; }); it("should handle subdomain matching correctly", () => { 
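Review bot: The new test "should allow GitHub domains from environment variables" overwrites `GITHUB_SERVER_URL` and `GITHUB_API_URL` and then deletes them, without saving the values that were set before it ran. When the suite runs on a GitHub Actions runner, later tests therefore see both variables unset, which differs from a local run and from the sibling tests that save and restore them. Saving the originals up front and restoring them in a `finally` block also covers the case where an expectation fails.

```javascript
it("should allow GitHub domains from environment variables", () => {
  const originalServerUrl = process.env.GITHUB_SERVER_URL;
  const originalApiUrl = process.env.GITHUB_API_URL;
  process.env.GITHUB_SERVER_URL = "https://github.example.com";
  process.env.GITHUB_API_URL = "https://api.github.example.com";
  process.env.GH_AW_ALLOWED_DOMAINS = "custom.com";
  try {
    // … unchanged: script re-evaluation, input string and expectations …
  } finally {
    delete process.env.GH_AW_ALLOWED_DOMAINS;
    if (originalServerUrl === undefined) delete process.env.GITHUB_SERVER_URL;
    else process.env.GITHUB_SERVER_URL = originalServerUrl;
    if (originalApiUrl === undefined) delete process.env.GITHUB_API_URL;
    else process.env.GITHUB_API_URL = originalApiUrl;
  }
});
```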
@@ -284,6 +325,12 @@ Special chars: \x00\x1F & "quotes" 'apostrophes' }); it("should handle empty environment variable gracefully", () => { + // Clear GitHub environment variables to test empty domains behavior + const originalServerUrl = process.env.GITHUB_SERVER_URL; + const originalApiUrl = process.env.GITHUB_API_URL; + delete process.env.GITHUB_SERVER_URL; + delete process.env.GITHUB_API_URL; + process.env.GH_AW_ALLOWED_DOMAINS = " , , "; const scriptWithExport = sanitizeScript.replace("await main();", "global.testSanitizeContent = sanitizeContent;"); @@ -295,6 +342,10 @@ Special chars: \x00\x1F & "quotes" 'apostrophes' // With empty allowedDomains array, all HTTPS URLs get blocked expect(result).toContain("(redacted)"); expect(result).not.toContain("https://github.com/repo"); + + // Restore GitHub environment variables + if (originalServerUrl) process.env.GITHUB_SERVER_URL = originalServerUrl; + if (originalApiUrl) process.env.GITHUB_API_URL = originalApiUrl; }); it("should handle @mentions with various formats", () => { From dd31b7e64d5f13abc0512f6ffbd21856641d986c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 4 Nov 2025 15:38:38 +0000 Subject: [PATCH 3/4] Run prettier to format JavaScript code Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../js/collect_ndjson_output.test.cjs | 4 ++-- pkg/workflow/js/sanitize.cjs | 14 +++++++------- pkg/workflow/js/sanitize_output.test.cjs | 19 ++++++++++--------- 3 files changed, 19 insertions(+), 18 deletions(-) diff --git a/pkg/workflow/js/collect_ndjson_output.test.cjs b/pkg/workflow/js/collect_ndjson_output.test.cjs index ecc2fd140a..28d64dac77 100644 --- a/pkg/workflow/js/collect_ndjson_output.test.cjs +++ b/pkg/workflow/js/collect_ndjson_output.test.cjs 
@@ -1935,7 +1935,7 @@ Line 3"} const originalApiUrl = process.env.GITHUB_API_URL; delete process.env.GITHUB_SERVER_URL; delete process.env.GITHUB_API_URL; - + // Set custom allowed domains process.env.GH_AW_ALLOWED_DOMAINS = "example.com,test.org"; @@ -1960,7 +1960,7 @@ Line 3"} // Clean up delete process.env.GH_AW_ALLOWED_DOMAINS; - + // Restore GitHub environment variables if (originalServerUrl) process.env.GITHUB_SERVER_URL = originalServerUrl; if (originalApiUrl) process.env.GITHUB_API_URL = originalApiUrl; diff --git a/pkg/workflow/js/sanitize.cjs b/pkg/workflow/js/sanitize.cjs index a1b6985060..88cc65d601 100644 --- a/pkg/workflow/js/sanitize.cjs +++ b/pkg/workflow/js/sanitize.cjs @@ -14,15 +14,15 @@ function extractDomainsFromUrl(url) { if (!url || typeof url !== "string") { return []; } - + try { // Parse the URL const urlObj = new URL(url); const hostname = urlObj.hostname.toLowerCase(); - + // Return both the exact hostname and common variations const domains = [hostname]; - + // For github.com, add api.github.com variation if (hostname === "github.com") { domains.push("api.github.com"); @@ -31,7 +31,7 @@ function extractDomainsFromUrl(url) { else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); } - + return domains; } catch (e) { // Invalid URL, return empty array @@ -65,17 +65,17 @@ function sanitizeContent(content, maxLength) { // This handles GitHub Enterprise deployments with custom domains const githubServerUrl = process.env.GITHUB_SERVER_URL; const githubApiUrl = process.env.GITHUB_API_URL; - + if (githubServerUrl) { const serverDomains = extractDomainsFromUrl(githubServerUrl); allowedDomains = allowedDomains.concat(serverDomains); } - + if (githubApiUrl) { const apiDomains = extractDomainsFromUrl(githubApiUrl); allowedDomains = allowedDomains.concat(apiDomains); } - + // Remove duplicates allowedDomains = [...new Set(allowedDomains)]; 
diff --git a/pkg/workflow/js/sanitize_output.test.cjs b/pkg/workflow/js/sanitize_output.test.cjs index 29582a3746..60b8c8bd12 100644 --- a/pkg/workflow/js/sanitize_output.test.cjs +++ b/pkg/workflow/js/sanitize_output.test.cjs @@ -198,7 +198,7 @@ describe("sanitize_output.cjs", () => { const originalApiUrl = process.env.GITHUB_API_URL; delete process.env.GITHUB_SERVER_URL; delete process.env.GITHUB_API_URL; - + process.env.GH_AW_ALLOWED_DOMAINS = "example.com,trusted.org"; // Re-run the script setup to pick up env variable @@ -212,7 +212,7 @@ describe("sanitize_output.cjs", () => { expect(result).toContain("https://trusted.org/file"); expect(result).toContain("(redacted)"); // github.com now blocked expect(result).not.toContain("https://github.com/repo"); - + // Restore GitHub environment variables if (originalServerUrl) process.env.GITHUB_SERVER_URL = originalServerUrl; if (originalApiUrl) process.env.GITHUB_API_URL = originalApiUrl; @@ -229,20 +229,21 @@ describe("sanitize_output.cjs", () => { eval(scriptWithExport); const customSanitize = global.testSanitizeContent; - const input = "Links: https://custom.com/page https://github.example.com/repo https://api.github.example.com/v1 https://blocked.com/page"; + const input = + "Links: https://custom.com/page https://github.example.com/repo https://api.github.example.com/v1 https://blocked.com/page"; const result = customSanitize(input); - + // Should allow custom domain expect(result).toContain("https://custom.com/page"); - + // Should allow GitHub domains from environment expect(result).toContain("https://github.example.com/repo"); expect(result).toContain("https://api.github.example.com/v1"); - + // Should block unknown domain expect(result).toContain("(redacted)"); expect(result).not.toContain("https://blocked.com/page"); - + // Clean up delete process.env.GITHUB_SERVER_URL; delete process.env.GITHUB_API_URL; 
@@ -330,7 +331,7 @@ Special chars: \x00\x1F & "quotes" 'apostrophes' const originalApiUrl = process.env.GITHUB_API_URL; delete process.env.GITHUB_SERVER_URL; delete process.env.GITHUB_API_URL; - + process.env.GH_AW_ALLOWED_DOMAINS = " , , "; const scriptWithExport = sanitizeScript.replace("await main();", "global.testSanitizeContent = sanitizeContent;"); @@ -342,7 +343,7 @@ Special chars: \x00\x1F & "quotes" 'apostrophes' // With empty allowedDomains array, all HTTPS URLs get blocked expect(result).toContain("(redacted)"); expect(result).not.toContain("https://github.com/repo"); - + // Restore GitHub environment variables if (originalServerUrl) process.env.GITHUB_SERVER_URL = originalServerUrl; if (originalApiUrl) process.env.GITHUB_API_URL = originalApiUrl; From 0d86a5b8b7e34976ea3929c46d47c55c45037e54 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 4 Nov 2025 15:52:38 +0000 Subject: [PATCH 4/4] Add support for raw content domains in GitHub URL extraction - Update extractDomainsFromUrl to include raw.githubusercontent.com for github.com - Add raw.hostname variation for GitHub Enterprise domains - Add wildcard *.githubusercontent.com support - Add test for raw.githubusercontent.com support - Update existing test to verify raw content domains are allowed Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/artifacts-summary.lock.yml | 3 ++ .github/workflows/audit-workflows.lock.yml | 3 ++ .github/workflows/blog-auditor.lock.yml | 3 ++ .github/workflows/brave.lock.yml | 6 ++++ .github/workflows/changeset.lock.yml | 6 ++++ .github/workflows/ci-doctor.lock.yml | 3 ++ .../workflows/cli-version-checker.lock.yml | 3 ++ .../commit-changes-analyzer.lock.yml | 3 ++ .../workflows/copilot-agent-analysis.lock.yml | 3 ++ .../copilot-pr-prompt-analysis.lock.yml | 3 ++ .../copilot-session-insights.lock.yml | 3 ++ .github/workflows/craft.lock.yml | 6 ++++ .github/workflows/daily-doc-updater.lock.yml | 3 ++ .../workflows/daily-firewall-report.lock.yml | 3 ++ .github/workflows/daily-news.lock.yml | 3 ++ .../workflows/daily-perf-improver.lock.yml | 3 ++ .../workflows/daily-repo-chronicle.lock.yml | 3 ++ .../workflows/daily-test-improver.lock.yml | 3 ++ .github/workflows/dev-hawk.lock.yml | 3 ++ .github/workflows/dev.lock.yml | 3 ++ .github/workflows/dictation-prompt.lock.yml | 3 ++ .../duplicate-code-detector.lock.yml | 3 ++ .../example-workflow-analyzer.lock.yml | 3 ++ .../github-mcp-tools-report.lock.yml | 3 ++ .github/workflows/go-logger.lock.yml | 3 ++ .../workflows/go-pattern-detector.lock.yml | 3 ++ .../workflows/instructions-janitor.lock.yml | 3 ++ .github/workflows/issue-classifier.lock.yml | 6 ++++ .github/workflows/lockfile-stats.lock.yml | 3 ++ .github/workflows/mcp-inspector.lock.yml | 3 ++ 
.github/workflows/mergefest.lock.yml | 3 ++ .../workflows/notion-issue-summary.lock.yml | 3 ++ .github/workflows/pdf-summary.lock.yml | 6 ++++ .github/workflows/plan.lock.yml | 6 ++++ .github/workflows/poem-bot.lock.yml | 6 ++++ .../prompt-clustering-analysis.lock.yml | 3 ++ .github/workflows/python-data-charts.lock.yml | 3 ++ .github/workflows/q.lock.yml | 6 ++++ .github/workflows/repo-tree-map.lock.yml | 3 ++ .github/workflows/research.lock.yml | 3 ++ .github/workflows/safe-output-health.lock.yml | 3 ++ .../schema-consistency-checker.lock.yml | 3 ++ .github/workflows/scout.lock.yml | 6 ++++ .github/workflows/security-fix-pr.lock.yml | 3 ++ .../semantic-function-refactor.lock.yml | 3 ++ .github/workflows/smoke-claude.lock.yml | 3 ++ .github/workflows/smoke-codex.lock.yml | 3 ++ .../workflows/smoke-copilot.firewall.lock.yml | 3 ++ .github/workflows/smoke-copilot.lock.yml | 3 ++ .github/workflows/smoke-detector.lock.yml | 3 ++ .github/workflows/smoke-opencode.lock.yml | 3 ++ .../workflows/static-analysis-report.lock.yml | 3 ++ .../workflows/technical-doc-writer.lock.yml | 3 ++ .../test-ollama-threat-detection.lock.yml | 3 ++ .github/workflows/tidy.lock.yml | 3 ++ .github/workflows/unbloat-docs.lock.yml | 3 ++ .github/workflows/video-analyzer.lock.yml | 3 ++ .../workflows/weekly-issue-summary.lock.yml | 3 ++ pkg/workflow/js/sanitize.cjs | 8 +++-- pkg/workflow/js/sanitize_output.test.cjs | 30 ++++++++++++++++++- 60 files changed, 236 insertions(+), 3 deletions(-) diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 27be4febb4..260d7f9fd3 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml 
@@ -1603,9 +1603,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 3c24b01f65..e41411569f 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -2643,9 +2643,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index ac546afa07..261ac9b5cd 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1993,9 +1993,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index ce7cd0c10e..589f6eb8a5 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml 
@@ -165,9 +165,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { @@ -2561,9 +2564,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index b87737eb00..4851e44a13 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -165,9 +165,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { @@ -2239,9 +2242,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 9daa4df451..3f066c990f 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml 
@@ -2062,9 +2062,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 8c8952f503..c818dda4ee 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1725,9 +1725,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 7f21fbe431..c658d4a865 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -1924,9 +1924,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 36e3e57cb4..5663b9e0ee 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml 
@@ -2276,9 +2276,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 30f40e69b9..d4f471d7fa 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -1945,9 +1945,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index ad3f839482..8a116511d8 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -3184,9 +3184,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index ef4cd5b286..12e5d65e1d 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml 
@@ -165,9 +165,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { @@ -2713,9 +2716,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index d7dce967cc..85a4b89dfd 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1859,9 +1859,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 9b05752f39..46766a84a0 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -2356,9 +2356,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { 
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index d646da739a..06faeb36a0 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -2318,9 +2318,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/daily-perf-improver.lock.yml b/.github/workflows/daily-perf-improver.lock.yml index ef3a4e2584..a020ed3415 100644 --- a/.github/workflows/daily-perf-improver.lock.yml +++ b/.github/workflows/daily-perf-improver.lock.yml @@ -2110,9 +2110,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index c3829b7f5b..0d100c89d7 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -2209,9 +2209,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/daily-test-improver.lock.yml b/.github/workflows/daily-test-improver.lock.yml index 61f3766fa5..8d38693026 100644 --- a/.github/workflows/daily-test-improver.lock.yml 
+++ b/.github/workflows/daily-test-improver.lock.yml @@ -2084,9 +2084,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 0d59b36b3d..1a7712e079 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1956,9 +1956,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index aebc857622..c2efd48b45 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1503,9 +1503,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 942155f0d6..e4c44297c5 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml 
@@ -1593,9 +1593,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 916672a03d..43a89bd21c 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -1679,9 +1679,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index aa6aeb455f..7288eabd6b 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1707,9 +1707,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index ae0ec768b9..e4d80a88e4 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml 
@@ -2223,9 +2223,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 8643014acd..026556521c 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1978,9 +1978,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index e29a532d9a..4f535615ac 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1755,9 +1755,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 68f57ff580..2ba0dc6bad 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml 
@@ -1857,9 +1857,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml index a30047e28c..3b3c0c8f73 100644 --- a/.github/workflows/issue-classifier.lock.yml +++ b/.github/workflows/issue-classifier.lock.yml @@ -157,9 +157,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { @@ -2250,9 +2253,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 2e56756667..5d288c9bed 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -2061,9 +2061,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { 
diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 97b683bdfc..9aa1a66a72 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -2175,9 +2175,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 81d4c62fcf..2de6991047 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -2160,9 +2160,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index dba6445478..8f2c241fa7 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -1462,9 +1462,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 1f079099f3..d3406cdecb 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml 
@@ -187,9 +187,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { @@ -2666,9 +2669,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index fa739811cd..4903bb957a 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -166,9 +166,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { @@ -2162,9 +2165,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 01159b58a7..8f56b3090a 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml 
@@ -200,9 +200,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { @@ -2897,9 +2900,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 0e43f0711a..f7af3b8c63 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -2396,9 +2396,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 3e8c3877b8..cc85b9b551 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1919,9 +1919,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { 
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index daa7f84803..ddd06fec4e 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -209,9 +209,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { @@ -3016,9 +3019,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 431362458d..c00cf19b80 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -1627,9 +1627,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index d8cf7fee71..0b35bfe040 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml 
@@ -1568,9 +1568,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index c0d192edae..3232d70bf7 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -2193,9 +2193,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index eb301b1cdb..a7f5063184 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -2063,9 +2063,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 2f4b5da2f5..b807cf68ba 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml 
@@ -212,9 +212,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { @@ -3048,9 +3051,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 198175904a..3252d5daf0 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -1805,9 +1805,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 83b737e01c..117e67e6d8 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -2155,9 +2155,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { 
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 4915ff91dc..7eb0a0ef97 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1606,9 +1606,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index cda6c35d6c..a3e19d3fad 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1420,9 +1420,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml index 29676fd7c5..9d94eaadfc 100644 --- a/.github/workflows/smoke-copilot.firewall.lock.yml +++ b/.github/workflows/smoke-copilot.firewall.lock.yml @@ -1491,9 +1491,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 2319607a34..650b741aec 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml 
@@ -1491,9 +1491,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index c1f74d70c8..ed302af855 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml @@ -2746,9 +2746,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index fd735837b1..9e32bf79ac 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -1453,9 +1453,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 08fc6818d8..4b498d9c20 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml 
@@ -2082,9 +2082,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index d390d28ae9..407ad1677c 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -2360,9 +2360,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/test-ollama-threat-detection.lock.yml b/.github/workflows/test-ollama-threat-detection.lock.yml index 56fbec64d0..fc6df2bedb 100644 --- a/.github/workflows/test-ollama-threat-detection.lock.yml +++ b/.github/workflows/test-ollama-threat-detection.lock.yml @@ -1434,9 +1434,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index dba3733326..513d3c7446 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml 
@@ -1962,9 +1962,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 8e5e779c46..a56db9c173 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -2770,9 +2770,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 473bc03529..bf7892cfd5 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -1725,9 +1725,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 9b59d61d14..93307f54f2 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml 
@@ -2120,9 +2120,12 @@ jobs: const domains = [hostname]; if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + domains.push("raw." + hostname); } return domains; } catch (e) { diff --git a/pkg/workflow/js/sanitize.cjs b/pkg/workflow/js/sanitize.cjs index 88cc65d601..b4a87ed466 100644 --- a/pkg/workflow/js/sanitize.cjs +++ b/pkg/workflow/js/sanitize.cjs @@ -23,13 +23,17 @@ function extractDomainsFromUrl(url) { // Return both the exact hostname and common variations const domains = [hostname]; - // For github.com, add api.github.com variation + // For github.com, add api and raw content domain variations if (hostname === "github.com") { domains.push("api.github.com"); + domains.push("raw.githubusercontent.com"); + domains.push("*.githubusercontent.com"); } - // For custom GitHub Enterprise domains, add api. prefix + // For custom GitHub Enterprise domains, add api. prefix and raw content variations else if (!hostname.startsWith("api.")) { domains.push("api." + hostname); + // For GitHub Enterprise, raw content is typically served from raw.hostname + domains.push("raw." + hostname); } return domains; diff --git a/pkg/workflow/js/sanitize_output.test.cjs b/pkg/workflow/js/sanitize_output.test.cjs index 60b8c8bd12..8b1e71e126 100644 --- a/pkg/workflow/js/sanitize_output.test.cjs +++ b/pkg/workflow/js/sanitize_output.test.cjs 
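Review bot: The `*.githubusercontent.com` entry added in the `github.com` branch grants far more than the comment's "raw content domain variations" describes, and it is not clear from this diff that it works as a pattern at all. Hosts under githubusercontent.com serve content supplied by arbitrary users, so if the matcher honours the wildcard, links to any of them pass the sanitizer unredacted; if the matcher compares by exact name or dot-suffix (the existing subdomain test hints at that, but the matcher is not shown here), the entry never matches and only `raw.githubusercontent.com` takes effect. I would drop the wildcard and keep the explicit host, or state the intent above it, e.g. `// Wildcard: allows every githubusercontent.com subdomain, all of which serve user-uploaded content`. In the Enterprise branch `"raw." + hostname` is added for any server URL, so its comment should say this presumably assumes subdomain isolation is enabled on the instance. The same lines are copied into each generated .lock.yml hunk above, and extractDomainsFromUrl starts before and continues past this hunk.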
@@ -230,7 +230,7 @@ describe("sanitize_output.cjs", () => { const customSanitize = global.testSanitizeContent; const input = - "Links: https://custom.com/page https://github.example.com/repo https://api.github.example.com/v1 https://blocked.com/page"; + "Links: https://custom.com/page https://github.example.com/repo https://api.github.example.com/v1 https://raw.github.example.com/file https://blocked.com/page"; const result = customSanitize(input); // Should allow custom domain @@ -240,6 +240,9 @@ describe("sanitize_output.cjs", () => { expect(result).toContain("https://github.example.com/repo"); expect(result).toContain("https://api.github.example.com/v1"); + // Should allow raw content domain + expect(result).toContain("https://raw.github.example.com/file"); + // Should block unknown domain expect(result).toContain("(redacted)"); expect(result).not.toContain("https://blocked.com/page"); 
@@ -250,6 +253,31 @@ describe("sanitize_output.cjs", () => { delete process.env.GH_AW_ALLOWED_DOMAINS; }); + it("should allow raw.githubusercontent.com for github.com", () => { + // Test that GitHub.com also gets raw.githubusercontent.com support + process.env.GITHUB_SERVER_URL = "https://github.com"; + process.env.GITHUB_API_URL = "https://api.github.com"; + process.env.GH_AW_ALLOWED_DOMAINS = ""; + + const scriptWithExport = sanitizeScript.replace("await main();", "global.testSanitizeContent = sanitizeContent;"); + eval(scriptWithExport); + const customSanitize = global.testSanitizeContent; + + const input = + "Raw content: https://raw.githubusercontent.com/owner/repo/main/file.txt and API: https://api.github.com/repos/owner/repo"; + const result = customSanitize(input); + + // Should allow raw.githubusercontent.com + expect(result).toContain("https://raw.githubusercontent.com/owner/repo/main/file.txt"); + expect(result).toContain("https://api.github.com/repos/owner/repo"); + expect(result).not.toContain("(redacted)"); + + // Clean up + delete process.env.GITHUB_SERVER_URL; + delete process.env.GITHUB_API_URL; + delete process.env.GH_AW_ALLOWED_DOMAINS; + }); + it("should handle subdomain matching correctly", () => { const input = "Subdomains: https://api.github.com/v1 https://docs.github.com/guide"; const result = sanitizeContentFunction(input);
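Review bot: The new test only shows that `raw.githubusercontent.com` is let through; nothing exercises the `*.githubusercontent.com` entry or checks that a look-alike host is still redacted. An allowlist test is more convincing with a negative case next to the positive one, for example `expect(customSanitize("https://raw.githubusercontent.com.example/x")).toContain("(redacted)");` (constructed host). Separately, the three `delete process.env...` lines run only when every assertion passes, so a failing expectation leaves `GITHUB_SERVER_URL`, `GITHUB_API_URL` and `GH_AW_ALLOWED_DOMAINS` set for later tests; moving the cleanup into an `afterEach` or a `try`/`finally` avoids that.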