john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: update validation script to allow legitimate public info

Browse source 
Security Validation Improvements:
- Added pm.me to allowed email domains (public contact email)
- Added code block detection to skip infrastructure patterns in examples
- Port numbers in markdown code blocks no longer flagged
- Fixes false positives blocking README.md sync

Workflow Improvements:
- Added issues:write permission to notify-failure job
- Fixes 403 error when creating failure notification issues

This allows the public README with code examples and contact info
to pass validation while still blocking actual security issues.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
TheFlow 2025-10-09 15:23:40 +13:00
parent adad396862
commit a08048388e
2 changed files with 50 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/sync-public-docs.yml vendored
View file

@ -153,6 +153,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: validate-and-sync needs: validate-and-sync
if: failure() if: failure()
permissions:
issues: write
steps: steps:
- name: Create Issue on Failure - name: Create Issue on Failure
uses: actions/github-script@v7 uses: actions/github-script@v7

50
scripts/validate-public-sync.js
View file

@ -97,7 +97,7 @@ const SECURITY_PATTERNS = [
// Email addresses (except public ones) // Email addresses (except public ones)
{ {
pattern: /[a-zA-Z0-9._%+-]+@(?!example\.com|domain\.com|anthropic\.com|agenticgovernance\.org)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/gi, pattern: /[a-zA-Z0-9._%+-]+@(?!example\.com|domain\.com|anthropic\.com|agenticgovernance\.org|pm\.me)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/gi,
severity: 'MEDIUM', severity: 'MEDIUM',
description: 'Personal email address detected', description: 'Personal email address detected',
category: 'Personal Info' category: 'Personal Info'
@ -246,6 +246,43 @@ class PublicSyncValidator {
return files; return files;
} }
/**
* Strip markdown code blocks from content
*/
stripCodeBlocks(content) {
// Remove fenced code blocks (```...```)
let stripped = content.replace(/```[\s\S]*?```/g, '');
// Remove inline code (`...`)
stripped = stripped.replace(/`[^`]+`/g, '');
return stripped;
}
/**
* Check if a match is inside a code block
*/
isInCodeBlock(content, match) {
const matchIndex = content.indexOf(match);
if (matchIndex === -1) return false;
// Check if inside fenced code block
const beforeMatch = content.substring(0, matchIndex);
const fenceCount = (beforeMatch.match(/```/g) || []).length;
if (fenceCount % 2 === 1) return true; // Odd number of fences = inside block
// Check if inside inline code
const lineStart = beforeMatch.lastIndexOf('\n') + 1;
const lineEnd = content.indexOf('\n', matchIndex);
const line = content.substring(lineStart, lineEnd === -1 ? content.length : lineEnd);
const matchPos = matchIndex - lineStart;
let inInlineCode = false;
let backtickCount = 0;
for (let i = 0; i < matchPos; i++) {
if (line[i] === '`') backtickCount++;
}
return backtickCount % 2 === 1; // Odd number of backticks = inside inline code
}
/** /**
* Scan a single file for security issues * Scan a single file for security issues
*/ */
@ -269,7 +306,16 @@ class PublicSyncValidator {
} }
// Check if it's an allowed pattern // Check if it's an allowed pattern
return !ALLOWED_PATTERNS.some(allowed => allowed.test(match)); if (ALLOWED_PATTERNS.some(allowed => allowed.test(match))) {
return false;
}
// For infrastructure patterns (ports, etc), skip if in code blocks
if (category === 'Infrastructure' && this.isInCodeBlock(content, match)) {
return false;
}
return true;
}); });
if (validMatches.length > 0) { if (validMatches.length > 0) {