fix(settings): accept [bot]-suffixed logins in contributorBlacklist#6233
Conversation
contributor-blacklist's GITHUB_LOGIN pattern rejected any login ending in
[bot], so a maintainer configuring
settings.contributorBlacklist: [{login: "evilbot[bot]"}] got it silently
dropped with a generic 'not a valid GitHub login' warning — even though
bot accounts are a documented abuse vector and the sibling
auto-close-exempt.ts already accepts the same [bot] App-actor shape for
exemptions.
Extend GITHUB_LOGIN with the same optional (?:\[bot\])? suffix
auto-close-exempt.ts uses. The implementation lives in the
@loopover/engine copy (the src/ file is now a re-export shim after JSONbored#6201),
so the single edit covers both surfaces. Malformed bot-ish logins (bare
[bot], doubled suffix, wrong-case, mid-string brackets) are still dropped.
Regression tests in both suites assert a blacklisted something[bot] author
is actually matched by isAuthorBlacklisted.
Closes JSONbored#6190
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6233 +/- ##
=======================================
Coverage 95.35% 95.35%
=======================================
Files 598 598
Lines 47102 47102
Branches 14988 14988
=======================================
Hits 44913 44913
Misses 1464 1464
Partials 725 725
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
Tip ✅ LoopOver review result - approve/merge recommendedReview updated: 2026-07-15 23:39:37 UTC
Review summary Nits — 3 non-blocking
Decision drivers
Context & advisory signals — never blocks the verdict
Linked issue satisfactionAddressed Review context
Contributor next steps
Signal definitions
🧪 Chat with LoopOverAsk LoopOver a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://gittensory.aethereal.dev/docs/loopover-commands 🧪 Experimental — new and may change. 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.
|
Summary
contributor-blacklist'sGITHUB_LOGINpattern rejected any login ending in[bot], so a maintainer configuringsettings.contributorBlacklist: [{login: "evilbot[bot]"}]had it silently dropped with a generic "not a valid GitHub login" warning. Bot accounts are a documented abuse vector (PROTECTED_AUTOCLOSE_AUTHORSinagent-actions.ts), and the siblingauto-close-exempt.tsalready deliberately accepts the same trailing[bot]App-actor shape for exemptions — so blacklisting one should work too.Change
Extend
GITHUB_LOGINwith the same optional(?:\[bot\])?suffixauto-close-exempt.tsuses. The implementation lives in the@loopover/enginecopy (src/settings/contributor-blacklist.tsis a re-export shim after #6201), so the single edit covers both surfaces.auto-close-exempt.tsis left unchanged — it's the reference pattern.Enforcement + tests
Regression tests in both suites assert a
something[bot]login is (a) kept bynormalizeContributorBlacklistand (b) actually matched end-to-end byisAuthorBlacklisted/findBlacklistEntry(case-insensitively), while malformed bot-ish logins (bare[bot], doubled suffix, wrong-case, mid-string brackets) are still dropped. Both blacklist suites (33 tests) +tscgreen.Closes #6190