security: escape user content in triage prompt delimiters#204
security: escape user content in triage prompt delimiters#204BillChirico merged 12 commits intomainfrom
Conversation
Add escapePromptDelimiters() to HTML-encode < and > in user-supplied message content before it is inserted between XML-style section tags in the LLM prompt. Without escaping, a crafted message containing the literal text `</messages-to-evaluate>` could break out of the user-content section and inject attacker-controlled instructions into the prompt structure. Changes: - Add escapePromptDelimiters(text) utility exported from triage-prompt.js - Apply escape to m.content and m.replyTo.content in buildConversationText() - Add 13 new tests covering the escape function and injection scenarios Closes #164
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughImplements prompt injection defense by adding Changes
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Addresses a prompt-injection risk in triage prompt construction by escaping user-controlled content before inserting it into XML-style delimiter sections used by the classifier/responder prompts.
Changes:
- Added
escapePromptDelimiters()and applied it to message content and reply excerpts inbuildConversationText(). - Expanded the triage prompt test suite with new unit and scenario tests to validate delimiter escaping and prompt-structure preservation.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
src/modules/triage-prompt.js |
Introduces delimiter escaping and applies it during conversation text formatting to harden prompt structure against user content injection. |
tests/modules/triage-prompt.test.js |
Adds tests for the escape helper and for prompt-injection scenarios in buildConversationText(). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
| Filename | Overview |
|---|---|
| src/index.js | Critical: Redis import removed during merge but function calls remain, causing ReferenceError |
| src/modules/triage-prompt.js | Properly escapes user content (&, <, >) in prompt delimiters to prevent injection attacks |
| tests/modules/triage-prompt.test.js | Comprehensive test coverage for escape function and prompt injection scenarios |
Last reviewed commit: 110d353
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
- Add & → & escape first in escapePromptDelimiters() to prevent HTML entity bypass attacks (e.g. </messages-to-evaluate>) - Also escape m.author and m.replyTo.author since Discord display names are user-controlled and can contain < / > characters Addresses review feedback on PR #204.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/modules/triage-prompt.js`:
- Line 46: Guard the call to .slice by verifying m.replyTo and that
m.replyTo.content is a string before slicing and passing into
escapePromptDelimiters; update the ternary branch that builds the reply snippet
to use a safe value (e.g., an empty string or String(m.replyTo.content) only
after checking typeof === 'string') so escapePromptDelimiters always receives a
string and no exception is thrown. Reference the expression using
m.replyTo.content and escapePromptDelimiters in triage-prompt.js and adjust the
conditional to handle null/undefined/non-string content safely.
In `@tests/modules/triage-prompt.test.js`:
- Around line 379-416: Add a regression test in the existing
describe('escapePromptDelimiters') block that asserts ampersand (&) characters
are escaped to & (and that combined sequences like "&<" become "&<");
update tests/modules/triage-prompt.test.js's escapePromptDelimiters spec by
adding a new it('should escape ampersand characters', ...) case that calls
escapePromptDelimiters('& &< >') (or similar examples) and checks for '&'
(and combined escapes) to prevent regressions of the entity-bypass fix.
- Around line 418-487: Add a new test in the "buildConversationText - prompt
injection defense" suite that verifies author fields are escaped: create a
buffer entry whose m.author contains angle-bracket payload (e.g.
"</recent-history>…") and a replyTo with replyTo.author containing a similar
payload, call buildConversationText(context, buffer), and assert the raw tags do
NOT appear while the escaped forms (<...>) for both m.author and
m.replyTo.author DO appear; reference the existing test structure and symbols
(buildConversationText, m.author, m.replyTo.author) so the new case mirrors the
"should escape angle brackets in message content" and "should escape angle
brackets in reply content" tests.
ℹ️ Review info
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (2)
src/modules/triage-prompt.jstests/modules/triage-prompt.test.js
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Agent
- GitHub Check: Greptile Review
🧰 Additional context used
📓 Path-based instructions (4)
**/*.js
📄 CodeRabbit inference engine (AGENTS.md)
**/*.js: Use ESM modules — useimport/export, neverrequire()
Always usenode:protocol for Node.js builtins (e.g.import { readFileSync } from 'node:fs')
Always use semicolons in JavaScript code
Use single quotes for strings (enforced by Biome)
Use 2-space indentation (enforced by Biome)
Files:
src/modules/triage-prompt.jstests/modules/triage-prompt.test.js
src/**/*.js
📄 CodeRabbit inference engine (AGENTS.md)
src/**/*.js: Always use Winston logger —import { info, warn, error } from '../logger.js'. NEVER useconsole.log,console.warn,console.error, or anyconsole.*method in src/ files — replace any existing console calls with Winston equivalents
Pass structured metadata to Winston logs:info('Message processed', { userId, channelId })
Files:
src/modules/triage-prompt.js
src/modules/*.js
📄 CodeRabbit inference engine (AGENTS.md)
Per-request modules (AI, spam, moderation) should call
getConfig(guildId)on every invocation for automatic config changes. Stateful resources should useonConfigChangelisteners for reactive updates
Files:
src/modules/triage-prompt.js
tests/**/*.js
📄 CodeRabbit inference engine (AGENTS.md)
All new code must include tests. Test coverage must maintain an 80% threshold on statements, branches, functions, and lines. Run
pnpm testbefore every commit
Files:
tests/modules/triage-prompt.test.js
🧬 Code graph analysis (2)
src/modules/triage-prompt.js (1)
src/modules/triage-parse.js (1)
text(27-27)
tests/modules/triage-prompt.test.js (1)
src/modules/triage-prompt.js (3)
escapePromptDelimiters(21-25)text(51-51)buildConversationText(41-61)
🔇 Additional comments (1)
src/modules/triage-prompt.js (1)
21-25: Escaping order is correct and closes entity-bypass vectors.Good change: escaping
&before<and>prevents encoded delimiter bypasses while preserving literal user text safely.
Fixes three performance bottlenecks identified in code review of recently merged features (PR #121 conversations viewer, PR #190 AI feedback). ## Changes ### migrations/004_performance_indexes.cjs (new) Four new indexes targeting hot query paths: - idx_ai_feedback_guild_created (guild_id, created_at DESC) getFeedbackTrend() and getRecentFeedback() filtered by guild_id AND created_at but only had a single-column guild_id index, forcing a full guild scan + sort on every trend/recent call. - idx_conversations_content_trgm (GIN, pg_trgm) content ILIKE '%...%' search was a sequential scan. GIN/trgm index reduces this from O(n) to O(log n * trigram matches). Requires pg_trgm extension (added idempotently). - idx_conversations_guild_created (guild_id, created_at DESC) Default 30-day listing query filters guild_id + created_at. The existing 3-column (guild_id, channel_id, created_at) composite is suboptimal when channel_id is not in the predicate. - idx_flagged_messages_guild_message (guild_id, message_id) Conversation detail + flag endpoints query flagged_messages by guild_id AND message_id = ANY(...). Existing index only covers (guild_id, status). ### src/api/routes/conversations.js **GET / — Replace in-memory pagination with SQL CTE grouping** Before: fetched up to 10,000 message rows into Node memory, grouped them in JavaScript (O(n) time + memory), then sliced for pagination. Every page request loaded the full 10k row dataset. After: single SQL query using window functions (LAG + SUM OVER) to identify conversation boundaries and aggregate summaries directly. COUNT(*) OVER() provides total count without a second query. Pagination happens at the DB with LIMIT/OFFSET on summary rows. Memory overhead is now proportional to page size (default 25), not total conversation volume. Removed now-unused buildConversationSummary() helper (logic inlined into the SQL-side aggregation). **POST /:conversationId/flag — Parallel verification queries** Before: msgCheck and anchorCheck ran sequentially (~2× RTT). After: both run in parallel via Promise.all (1× RTT for verification). ### tests/api/routes/conversations.test.js Updated 'should return paginated conversations' test to mock the new SQL CTE response shape (pre-aggregated summary rows) instead of raw message rows. All 41 conversation tests pass.
* feat: quiet mode per-channel via bot mention (#173) - Add quietMode.js module with Redis+memory storage - Parse duration from natural language (30m, 1 hour, etc.) - Permission gated via config.quietMode.allowedRoles - Commands: quiet, unquiet, status - Suppress AI responses during quiet mode in events.js - Add quietMode section to config.json (disabled by default) - Add quietMode to configAllowlist.js for dashboard editing * test: add quiet mode tests (41 tests, all passing) * style: fix biome formatting in quietMode.js, events.js, and test * fix(web): fix ai-feedback-stats TypeScript and formatting errors * fix: gate quiet mode checks on enabled flag, validate TTL, honor maxDurationMinutes config - events.js: Wrap isQuietMode() calls in guildConfig.quietMode?.enabled check to avoid unnecessary Redis lookups and prevent stale records from suppressing AI responses when the feature is disabled (PRRT_kwDORICdSM5xdbmp, PRRT_kwDORICdSM5xdbmx) - quietMode.js: Add TTL validation in setQuiet() to guard against 0, negative, or NaN values that would error in Redis (PRRT_kwDORICdSM5xdbm3) - quietMode.js: Update parseDurationFromContent() to accept config parameter and honor guildConfig.quietMode.maxDurationMinutes. Also clamp defaultSeconds to the effective max (PRRT_kwDORICdSM5xdbm_) - configValidation.js: Add quietMode schema entry with enabled, maxDurationMinutes, and allowedRoles properties (PRRT_kwDORICdSM5xdbnH) * style: fix biome formatting in quietMode.js and ai-feedback-stats.tsx
…t stream (#215) * feat: audit log improvements — CSV/JSON export, real-time WebSocket stream - Add GET /:id/audit-log/export endpoint (CSV and JSON, up to 10k rows) - Add /ws/audit-log WebSocket server for real-time audit entry broadcast - Refactor buildFilters() shared helper to eliminate duplication - Hook broadcastAuditEntry() into insertAuditEntry (RETURNING id+created_at) - Wire setupAuditStream/stopAuditStream into startServer/stopServer lifecycle - Add escapeCsvValue/rowsToCsv helpers with full test coverage - 30 route tests + 17 WebSocket stream tests, all green Closes #136 * fix: PR #215 review feedback - audit stream fixes - ws.ping() crash: guard with readyState check + try/catch to avoid crashing heartbeat interval when socket not OPEN - stopAuditStream race: make setupAuditStream async and await stopAuditStream() to prevent concurrent WebSocketServer creation - Query param array coercion: add typeof === 'string' checks for startDate/endDate to handle Express string|string[]|undefined - CSV CRLF quoting: add \r to RFC 4180 special-char check for proper Windows line ending handling - Test timeouts: make AUTH_TIMEOUT_MS configurable via AUDIT_STREAM_AUTH_TIMEOUT_MS env var, use 100ms in tests
… export (#212) * feat: add voice_sessions migration (#135) * feat: add voice tracking module — join/leave/move/flush/leaderboard (#135) * feat: wire voiceStateUpdate handler into event registration (#135) * feat: add /voice command — leaderboard, stats, export subcommands (#135) * feat: add voice config defaults to config.json (#135) * feat: wire voice flush start/stop into bot lifecycle (#135) * feat: add voice to config API allowlist (#135) * fix: SQL UPDATE subquery for closeSession, fix import order (#135) * fix(voice): resolve race conditions and missing config schema - Fix openSession: update in-memory state only AFTER DB INSERT succeeds - Fix closeSession: delete from in-memory state only AFTER DB UPDATE succeeds - Fix: allow closeSession on leave/move even when feature is disabled - Fix migration: add UNIQUE constraint to partial index to prevent duplicates - Fix: move 'Voice join' log to after openSession succeeds - Add voice config to CONFIG_SCHEMA for validation --------- Co-authored-by: Bill <bill@example.com>
* feat(dashboard): replace manual save with auto-save (500ms debounce)
- Remove 'Save Changes' button; saving now fires automatically 500ms
after the last config change (no changes → no network call)
- Add saveStatus state ('idle' | 'saving' | 'saved' | 'error') with
AutoSaveStatus component showing spinner, check, or error+retry
- Add isLoadingConfigRef guard so the initial fetchConfig load never
triggers a spurious PATCH
- Ctrl+S still works: clears debounce timer and saves immediately
- Keep 'beforeunload' warning for validation errors that block save
- Replace yellow unsaved-changes banner with a destructive validation
error banner (only shown when save is actually blocked)
- Error state shows 'Save failed' + 'Retry' button for user recovery
Closes #189
* test(dashboard): add auto-save tests for ConfigEditor
- No PATCH on initial config load
- Validation error banner suppresses auto-save
- 'Saving...' spinner visible while PATCH in-flight
- 'Save failed' + Retry button on PATCH error
* fix(dashboard): prevent fetchConfig from overwriting saveStatus after successful save
Add skipSaveStatusReset parameter to fetchConfig so that post-save reloads
preserve the 'saved' status indicator instead of immediately resetting to 'idle'.
* test(dashboard): use fake timers, restore vi.stubGlobal, fix assertions, add idle/saved coverage
- Replace real setTimeout delays with vi.useFakeTimers() + vi.advanceTimersByTimeAsync()
for deterministic, fast debounce tests
- Add afterEach cleanup: vi.unstubAllGlobals() + vi.useRealTimers()
- Replace toBeTruthy() with toBeInTheDocument() for Testing Library queries
- Add idle state test (no status indicator shown after load)
- Add saved state test (shows 'Saved' after successful save)
- Update file-level comment to list all four states
---------
Co-authored-by: Bill Chirico <bill@volvox.gg>
* feat: reaction role menus - core module, command, event hooks, migration Implements issue #162: reaction role menus. - Add migration 004 creating reaction_role_menus and reaction_role_entries tables - Add src/modules/reactionRoles.js with DB helpers, embed builder, event handlers - Add src/commands/reactionrole.js with /reactionrole create|add|remove|delete|list - Wire handleReactionRoleAdd/Remove into registerReactionHandlers in events.js Roles are granted on reaction add and revoked on reaction remove. All mappings persist in PostgreSQL across bot restarts. * test: reaction role menus - 40 tests covering module and command - tests/modules/reactionRoles.test.js: resolveEmojiString, buildReactionRoleEmbed, all DB helpers, handleReactionRoleAdd, handleReactionRoleRemove - tests/commands/reactionrole.test.js: all 5 subcommands (create, add, remove, delete, list) including error paths and guild ownership checks - Fix biome lint: import sort order + unused import removal * fix: remove unused import in reactionrole command --------- Co-authored-by: Bill Chirico <bill@volvox.gg>
…198) * fix(security): validate GitHub owner/repo format before gh CLI call Prevents API path traversal by validating owner/repo segments against a strict allowlist regex before interpolating them into the gh CLI invocation. Adds: - VALID_GH_NAME regex (/^[a-zA-Z0-9._-]+$/) - isValidGhRepo() helper (exported for testing) - Guard in fetchRepoEvents() — returns [] and warns on invalid input - Strengthened guard in pollGuildFeed() split logic Fixes #160 * test(security): add validation tests for GitHub owner/repo format Covers isValidGhRepo(), VALID_GH_NAME regex, and fetchRepoEvents() validation guard introduced in fix for #160. 19 new tests verify: - Valid alphanumeric/dot/hyphen/underscore names pass - Path traversal (../../etc/passwd) is rejected at both entry points - Slashes, empty strings, non-strings, spaces all rejected - Shell metacharacters (; && $()) blocked - gh CLI is NOT invoked when validation fails - warn() fires with the invalid values (observable audit trail) - Valid owner/repo still reach gh CLI unchanged * fix(security): reject pure-dot owner/repo names to prevent path traversal * test(githubFeed): add tests for pure-dot path traversal bypass --------- Co-authored-by: Bill Chirico <bill@volvox.gg>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
setupAuditStream() is async, but it's being called without await. Errors thrown inside the async function will become a rejected Promise and will not be caught by this try/catch, potentially causing an unhandled rejection. Either await setupAuditStream(server) here (and make the enclosing callback async-safe), or use void setupAuditStream(server).catch((err) => error(...)) to reliably handle failures.
There was a problem hiding this comment.
MessageReaction.remove() removes the entire reaction from the message (i.e., all users’ reactions for that emoji), not just the bot’s own reaction. This could unintentionally clear reactions from members. To remove only the bot’s reaction, use existing.users.remove() (or msg.reactions.resolve(...).users.remove(client.user.id)) and ensure you have access to the bot user id.
| if (existing && interaction.client.user) { | |
| await existing.users.remove(interaction.client.user.id); | |
| } |
There was a problem hiding this comment.
The conversation summary id is derived from MIN(id), which is not guaranteed to correspond to the first message chronologically (especially if inserts can arrive out-of-order). Since downstream endpoints/tests treat this as the conversation anchor, compute the id from created_at ordering instead (e.g., (ARRAY_AGG(id ORDER BY created_at))[1]) to keep id consistent with first_msg_time/preview_content.
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| import { startVoiceFlush, stopVoiceFlush } from './modules/voice.js'; | ||
| import { fireEventAllGuilds } from './modules/webhookNotifier.js'; | ||
| import { closeRedisClient as closeRedis, initRedis } from './redis.js'; | ||
| import { pruneOldLogs } from './transports/postgres.js'; |
There was a problem hiding this comment.
Redis import removed but closeRedis() (line 352) and initRedis() (line 419) still called — will cause ReferenceError at runtime
| import { pruneOldLogs } from './transports/postgres.js'; | |
| import { closeRedisClient as closeRedis, initRedis } from './redis.js'; |
Prompt To Fix With AI
This is a comment left during a code review.
Path: src/index.js
Line: 56
Comment:
Redis import removed but `closeRedis()` (line 352) and `initRedis()` (line 419) still called — will cause `ReferenceError` at runtime
```suggestion
import { closeRedisClient as closeRedis, initRedis } from './redis.js';
```
How can I resolve this? If you propose a fix, please make it concise.
Summary
Fixes a prompt injection vulnerability in
buildConversationText()where user-controlled message content was inserted verbatim between XML-style delimiter tags.A crafted message like:
...could break out of the user-content section and inject instructions into the prompt structure.
Changes
src/modules/triage-prompt.js— AddedescapePromptDelimiters(text)that replaces<→<and>→>in user-supplied strings. Applied tom.contentandm.replyTo.contentinsidebuildConversationText().tests/modules/triage-prompt.test.js— 13 new tests covering the escape function (normal text, empty, non-string passthrough, multi-occurrence) and prompt injection scenarios (closing delimiter in content, closing delimiter in reply excerpt, structural tags preserved).Test Results
Closes #164