Jules 2778817292964120062 83725985#4044
Open
mexicodxnmexico-create wants to merge 15 commits intomicrosoft:mainfrom
Open
Jules 2778817292964120062 83725985#4044mexicodxnmexico-create wants to merge 15 commits intomicrosoft:mainfrom
mexicodxnmexico-create wants to merge 15 commits intomicrosoft:mainfrom
Conversation
Replaces complex regex with lookarounds in `splitTerms` with a faster scanning loop using simple regexes. Benchmarks show ~37% performance improvement. - Extracted regex patterns to module constants for readability. - Replaced `matchAll` with `exec` loop. - Added early exit checks for common cases. - Handled edge cases like camelCase, snake_case, and digit suffixes explicitly. Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…ation-7114890394492771705 ⚡ Bolt: Optimize TF-IDF tokenization
This change integrates a new set of principles into the GitHub Copilot Chat agent prompts, transitioning toward a 'Builder AI' (IA constructora) architecture. Key improvements: - Added `BuilderAgentInstructions` component based on 10 core principles. - Enhanced instructions for contextual memory, purpose orientation, and real execution. - Strengthened critical thinking rules to proactively signal risks and suggest better alternatives. - Updated agent prompt snapshots to reflect new system instructions. Aligned with the vision of prioritizing impact and functional systems over conversational output. Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…phy-9786023644928653144 Implement 'Builder AI' philosophy in agent prompts
… Panel (#31) * Improve citation accessibility and security in Suggestions Panel - Add `rel="noopener noreferrer"` to citation links to prevent Reverse Tabnabbing. - Make warning label accessible by removing `aria-hidden="true"` and using `<strong>` for emphasis. - Add warning icon (⚠) to the warning label. - Add unit test for suggestions panel rendering logic. - Document UX learning in `.Jules/palette.md`. Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com> * Fix CI failure by updating package-lock.json The previous commit added `jsdom` and `@typescript-eslint/utils` using `pnpm`, but the CI workflow uses `npm ci` which relies on `package-lock.json`. This commit updates `package-lock.json` to be in sync with `package.json`, resolving the "EUSAGE" error in the CI pipeline. Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…10) This change fixes a potential command injection vulnerability in `openVscodeUri` on Windows by removing the use of `shell: true` and manually quoted arguments. Instead, it relies on `child_process.spawn`'s default behavior (shell: false) to safely escape arguments for `cmd /c start`. The vulnerability allowed execution of arbitrary commands if `uri` contained double quotes (e.g., `" & calc.exe & "`). Verification: - Added `open.spec.ts` to verify that `spawn` is called with `shell: false` (or implicit default) and unquoted `uri`. - Verified that `spawn` behaves correctly with `shell: false`. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
🚨 Severity: HIGH 💡 Vulnerability: Cross-Site Scripting (XSS) in citation URL rendering. The `suggestionsPanelWebview.ts` interpolated the `citation.url` directly into the `href` attribute. While `DOMPurify.sanitize` was used, it does not prevent `javascript:` protocol attacks when sanitizing URL strings in isolation. A malicious URL like `javascript:alert(1)` could execute arbitrary JavaScript within the webview context. 🎯 Impact: An attacker could potentially inject malicious scripts if they can control the citation URL, leading to arbitrary code execution in the webview. 🔧 Fix: Implemented strict URL validation using `isValidUrl` helper function that enforces `http:` and `https:` protocols. Invalid URLs are replaced with `#` as a safe fallback. ✅ Verification: - Added a new test case in `suggestionsPanelWebview.spec.ts` that injects a malicious URL and asserts that the rendered `href` is sanitized to `#`. - Verified that existing tests pass. Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
🚨 Severity: CRITICAL
💡 Vulnerability: Cross-Site Scripting (XSS) via Attribute Injection in citation URLs.
The `suggestionsPanelWebview.ts` interpolated citation URLs directly into HTML `href` attributes. While `DOMPurify` was used, it did not fully prevent Attribute Injection when handling raw URL strings containing malicious characters (like quotes). A malicious URL could break out of the `href` attribute and inject event handlers (e.g., `onclick`), leading to arbitrary code execution.
🎯 Impact: An attacker could execute arbitrary JavaScript within the webview context by controlling the citation URL.
🔧 Fix:
- Implemented strict URL validation and normalization using `new URL()`.
- Used the `parsed.href` property (which is properly encoded) instead of the raw input string, neutralizing attribute injection attacks.
- Updated CI configuration (`.github/workflows/webpack.yml`) to use Node.js 22.x, fixing build failures caused by incompatibility with `package.json` engines requirements.
✅ Verification:
- Added comprehensive test cases in `suggestionsPanelWebview.spec.ts` covering:
- Malicious `javascript:` protocol (blocked).
- Attribute injection attempts (neutralized).
- Valid URL rendering (normalized).
- Verified that CI build failure is resolved by updating Node version matrix.
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…ixes
🚨 Severity: CRITICAL
💡 Vulnerability: Cross-Site Scripting (XSS) via Attribute Injection in citation URLs.
The `suggestionsPanelWebview.ts` previously interpolated citation URLs directly into HTML `href` attributes. While `DOMPurify` was used, it did not fully prevent Attribute Injection when handling raw URL strings containing malicious characters (like quotes).
🎯 Impact: An attacker could execute arbitrary JavaScript within the webview context by controlling the citation URL.
🔧 Fix:
- Implemented strict URL validation and normalization using `new URL()`.
- Used the `parsed.href` property (properly encoded) instead of the raw string to neutralize attribute injection.
- Fixed CI Build:
- Updated `.github/workflows/webpack.yml` to use Node.js 22.x (required by `engines`).
- Replaced incorrect `npx webpack` command with `npm run build` (project uses `esbuild`).
✅ Verification:
- Added tests in `suggestionsPanelWebview.spec.ts` covering malicious protocols and attribute injection.
- Verified locally that the new URL handling produces safe outputs.
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
- Added `rel="noopener noreferrer"` to external links in suggestions panel webview. - Configured `DOMPurify` to allow `target` attribute to ensure links open in new tab/window as intended. - Created `.jules/sentinel.md` for security journal. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
- Wrap decorative warning icon `⚠` in `<span aria-hidden="true">` to prevent redundant screen reader announcements (e.g., "Warning sign Warning"). - Add `tabIndex="0"` to code blocks (`pre` elements) in the suggestions panel to ensure they are keyboard accessible and scrollable. - Update unit tests to reflect these changes. - Add journal entry in `.Jules/palette.md`. Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.