Add internal apply_patch command with whitespace-tolerant patching #46
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| ensureFileState := func(relativePath string, create bool) (*fileState, error) { | ||
| cleanedRel := strings.TrimSpace(relativePath) | ||
| if cleanedRel == "" { | ||
| return nil, errors.New("apply_patch: empty file path in patch") | ||
| } | ||
| absPath, err := filepath.Abs(filepath.FromSlash(cleanedRel)) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("apply_patch: failed to resolve %s: %w", relativePath, err) | ||
| } |
There was a problem hiding this comment.
ensureFileState resolves whatever path the patch supplies to an absolute path and then proceeds to read/write it without checking that it lies under the agent’s workspace. A patch like *** Update File: ../../etc/passwd will therefore touch files outside the repository. Because this internal command is intended to be a safe alternative to shell access, allowing arbitrary path traversal is a security foot‑gun. Consider rejecting paths that escape the workspace root or resolving relative to a fixed base directory before touching the filesystem.
Useful? React with 👍 / 👎.
Summary
apply_patchinternal command that applies headless diff patches and can optionally ignore whitespace differencesTesting
https://chatgpt.com/codex/tasks/task_e_68fdd91ba6448328800cd2be4ef933ac