Skip to content

fix(gittensor-impact-card): encodeURIComponent + XML-escape API values#4124

Merged
JSONbored merged 1 commit into
mainfrom
gittensor-impact-card-fixes
Jul 8, 2026
Merged

fix(gittensor-impact-card): encodeURIComponent + XML-escape API values#4124
JSONbored merged 1 commit into
mainfrom
gittensor-impact-card-fixes

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Summary

#4121 auto-merged before two follow-up fixes landed on that branch (a merge-timing race — not a revert of anything). Both are already-fixed on the sibling metagraphed/awesome-claude PRs; this brings gittensory's copy in line:

  • repo.replace("/", "%2F") only replaces the first / — works today by luck (owner/repo has exactly one slash), but encodeURIComponent(repo) is the correct, general fix.
  • api.gittensor.io response values (impact.totalPRs, etc., formatted into s.value/s.label) and the repo name were interpolated into SVG <text> nodes without XML-escaping — a Superagent P2 finding on the sibling awesome-claude PR. Adds escapeXml() and applies it at every interpolation point carrying external/CLI data, so a future non-numeric API field can't break the generated SVG's XML structure.

Scope

  • The PR title follows type(scope): short summary Conventional Commit format.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • I linked a currently open issue this PR resolves — no linked issue; follow-up fix to the owner-initiated feat(ci): replace the impact-card action with our own brand-styled renderer #4121, not tracked as a GitHub issue.

Validation

  • node --check scripts/gittensor-impact-card.mjs
  • npm run actionlint
  • git diff --check
  • Ran the script directly against real data — output SVG unchanged/renders correctly (verified visually via a QuickLook render of the generated file).

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.

#4121 auto-merged before two follow-up fixes could land on that branch
(a merge-timing race, not a revert): repo.replace("/", "%2F") only
replaces the first slash (works today by luck; encodeURIComponent is the
correct general encoding), and api.gittensor.io response values were
interpolated into SVG <text> nodes without XML-escaping (Superagent
P2 finding on the sibling awesome-claude PR — a future non-numeric API
field could break the generated SVG's XML structure).
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.65%. Comparing base (1ec9f94) to head (ba90730).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4124   +/-   ##
=======================================
  Coverage   93.65%   93.65%           
=======================================
  Files         384      384           
  Lines       35865    35865           
  Branches    13160    13160           
=======================================
  Hits        33589    33589           
  Misses       1618     1618           
  Partials      658      658           
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. label Jul 8, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 8, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-08 03:15:10 UTC

1 file · 1 AI reviewer · 2 blockers · readiness 93/100 · CI green · clean

⏸️ Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

Review summary
The AI review returned non-blocking notes for this change but did not include a separate narrative summary. Review the nits below before deciding this PR.

Nits — 6 non-blocking
  • The diff bundles unrelated Prettier reformatting (multi-line arg wrapping throughout render/sparkline/meter/main) together with the actual security fix, inflating +89/-19 for what's really a ~15-line change — consider isolating formatting-only churn in a separate commit/PR next time so reviewers can see the security-relevant diff cleanly.
  • `escapeXml()` (gittensor-impact-card.mjs:37-44) is new, security-relevant, pure logic with no unit test — worth a quick test asserting `&<>"'` all escape correctly, even though scripts/ isn't in the src/** coverage gate.
  • The 'magic numbers' flagged by tooling (1200, 7, 14, 48, 708, 567) are pre-existing values just reformatted by Prettier, not new literals introduced by this PR — no action needed there.
  • PR description checkbox for a linked issue is unchecked; given this is a direct fix for a Superagent-flagged XSS/SVG-injection finding on the sibling PR (not a new feature), I'd accept it without a formal issue link, but call this out explicitly rather than silently waiving it.
  • Add a small test file (e.g. scripts/gittensor-impact-card.test.mjs) covering escapeXml with `&`, `<`, `>`, `"`, `'` and a combined string like `AT&T <script>`, plus a case verifying encodeURIComponent handles a repo name with multiple slashes/special chars correctly.
  • Code changes lack test evidence — Add focused regression tests or explain why existing coverage is sufficient.

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 51 registered-repo PR(s), 43 merged, 509 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 51 PR(s), 509 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: Python, TypeScript, JavaScript, Ruby, Go, Kotlin, MDX, Shell
  • Official Gittensor activity: 51 PR(s), 509 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 8, 2026
@JSONbored JSONbored merged commit c90e387 into main Jul 8, 2026
10 checks passed
@JSONbored JSONbored deleted the gittensor-impact-card-fixes branch July 8, 2026 03:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant