Conversation
…werShell fix T007: src/lib/subprocess_utils.py — safe subprocess wrapper (list-form only, no shell=True, SAFE_ENV, UTF-8, timeout → structured result) T008: src/lib/logger.py — stdlib-only logging setup; CLI_PLUGINS_LOG_LEVEL env var; no external packages (constitution §Zero Dependencies) T067 (security): fix executor._build_command PowerShell injection vector. Old: ' '.join(command) passed raw to -Command → args with spaces split. New: & call operator with individually single-quoted args via _quote_ps_arg(). Single quotes escaped as '' (PowerShell convention). Tests: 24 new unit tests (TDD Red→Green); 127 total pass; ruff clean. Co-Authored-By: claude-flow <ruv@ruv.net>
- parse_errors: state.errors is int, len() was invalid → use directly - logger.info %d format: meta values are strings → cast to int() Both were pre-existing bugs surfaced by the jq E2E test run. 127/127 tests pass; ruff clean. Co-Authored-By: claude-flow <ruv@ruv.net>
Summary of ChangesHello @nsalvacao, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request delivers essential infrastructure improvements by integrating robust subprocess and logging utilities, crucial for the project's stability and adherence to the 'Zero Dependencies' principle. A significant security vulnerability related to PowerShell command injection has been patched, enhancing the application's resilience. Additionally, minor pipeline adjustments ensure correct data handling and logging, contributing to overall system reliability. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Pull request overview
This PR implements three Phase 2 tasks (T007, T008, T067) and includes pipeline bugfixes. It introduces safe subprocess utilities, stdlib-only logging infrastructure, and a critical security fix for PowerShell command injection. However, the PR accidentally introduces a critical bug in the ANSI escape sequence regex.
Changes:
- Added
subprocess_utils.pywith safe subprocess wrapper enforcing list-form commands, no shell=True, and SAFE_ENV - Added
logger.pywith stdlib-only logging configured via CLI_PLUGINS_LOG_LEVEL environment variable - Fixed PowerShell injection vulnerability in
executor._build_commandusing single-quoted arguments and the&call operator - Fixed pipeline.py bugs: corrected
state.errorsusage (int, not list) and meta dict access for logger formatting
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| src/lib/subprocess_utils.py | New safe subprocess wrapper with SAFE_ENV, timeout handling, and UTF-8 encoding |
| src/lib/logger.py | New stdlib-only logging module with environment-based configuration |
| src/crawler/executor.py | PowerShell security fix with _quote_ps_arg helper; critical bug introduced in ANSI_RE regex |
| src/crawler/pipeline.py | Bugfixes for meta dict access and state.errors int usage |
| tests/unit/test_subprocess_utils.py | 9 unit tests for subprocess utilities (some Unix-specific) |
| tests/unit/test_logger.py | 5 unit tests for logging configuration |
| tests/unit/test_executor_security.py | 10 security tests for PowerShell command injection prevention |
| specs/001-cli-plugins-base/tasks.md | Marked T006, T007, T008, T044, T067 as complete |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- ruff format test_executor_security.py (CI lint was failing on this) - test_subprocess_utils: replace ["sleep","10"] and ["env"] with cross-platform python3 equivalents (Copilot comments 3 & 4) - test_logger: consolidate dual import into single `import lib.logger as logger_module` (Copilot comment 5) - subprocess_utils: add cross-reference comment for SAFE_ENV duplication with executor.py (Copilot comment 2) All 127 tests pass. ruff check + ruff format --check clean. Co-Authored-By: claude-flow <ruv@ruv.net>
1 participant
Summary
src/lib/subprocess_utils.py— shared safe subprocess wrapper (list-form only, noshell=True,SAFE_ENV, UTF-8, structured result)src/lib/logger.py— stdlib-only logging setup viaCLI_PLUGINS_LOG_LEVELenv var; zero external packages (constitution §Zero Dependencies)executor._build_commandPowerShell injection — replaced raw' '.join(command)with&call operator + individually single-quoted args via_quote_ps_arg()(single quotes escaped as''per PowerShell convention)jqE2E test):len(state.errors)on int → direct use; meta string values cast to int for%dlogger formatTest plan
test_subprocess_utils.py,test_logger.py,test_executor_security.pyruff checkclean on all new/modified filescli-crawler jq | generate-plugin→ 24 flags extracted correctly, SKILL.md + references/ structure generated.venv-wslcreated for WSL environment (AGENTS.md dual-OS strategy)Phase 2 progress
subprocess_utils.pylogger.py🤖 Generated with claude-flow