ldy26098
/
BMAD-METHOD
mirror of https://github.com/bmad-code-org/BMAD-METHOD.git
1
0
Fork 0
Code Packages Projects Releases Wiki Activity

fix(validate-refs): also catch lowercase drive letters in leak check 

Following review feedback, widen the Windows branch to [A-Za-z] so
lowercase paths (c:\Users\...) are caught too. Kept a \b anchor so URL
schemes like https:// (which also contain "<letter>:/") aren't flagged —
a plain [A-Za-z] would have matched every URL in the docs.

Added lowercase and URL-not-flagged cases to the test (now 8/8).
This commit is contained in:
Zied Jlassi 2026-06-20 20:27:17 +02:00
parent 9c4dde977d
commit 3df821d26e
2 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
test/test-abs-path-leak.js
View File

@ -67,6 +67,16 @@ test('Windows forward-slash drive path is detected', () => {
assert(leakCount('See C:/Users/alex/notes.md for details.') === 1, 'C:/Users... not detected');
});
test('lowercase Windows drive path is detected', () => {
assert(leakCount('see c:\\Users\\alex\\notes.md') === 1, 'c:\\Users... not detected');
assert(leakCount('see c:/users/alex/notes.md') === 1, 'c:/users... not detected');
});
test('URLs are not flagged as drive-letter leaks', () => {
// https:// also contains "<letter>:/"; the \b in the pattern must exclude it.
assert(leakCount('docs at https://github.com/org/repo and http://example.com') === 0, 'URL falsely flagged');
});
test('Unix /Users path is detected', () => {
assert(leakCount('open /Users/alex/secret.md') === 1, '/Users path not detected');
});

7
tools/validate-file-refs.js
View File

@ -67,9 +67,10 @@ const STEP_META = /(?:thisStepFile|nextStepFile|continueStepFile|skipToStepFile|
const LOAD_DIRECTIVE = /Load[:\s]+`(\.[^`]+)`/g;
// Pattern: absolute path leaks
// Windows drive paths use a single separator (C:\Users or C:/Users). In a regex
// literal `\\` already matches one backslash, so the class matches either separator.
const ABS_PATH_LEAK = /(?:\/Users\/|\/home\/|[A-Z]:[\\/])/;
// Windows drive paths use a single separator (C:\Users or C:/Users) and the drive
// letter can be either case. The leading \b keeps URL schemes like https:// — which
// also contain "<letter>:/" — from matching. In a regex literal `\\` is one backslash.
const ABS_PATH_LEAK = /(?:\/Users\/|\/home\/|\b[A-Za-z]:[\\/])/;
// --- Output Escaping ---