fix(engine): don't throw rendering a track record for a login containing a blocklisted word (#6772)#6808
Conversation
…ing a blocklisted word (JSONbored#6772) PUBLIC_FIELD_BLOCKLIST exists to catch leaked COMPUTED fields, but renderTrackRecordSummaryMarkdown scanned the whole rendered block including the GitHub login line. A hyphen is a legal username character, so a real login like team-wallet / payout-bot / coldkey-labs matches a word-boundary pattern and threw on that contributor's own summary. Compose the identity line after the scan and re-insert it at its original position: output is byte-identical for ordinary logins, and every computed field (labels, evidence, counts) still fails closed. Closes JSONbored#6772
|
🚨 Contributor flagged. Click here for more info: Superagent Dashboard |
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6808 +/- ##
==========================================
+ Coverage 93.63% 93.73% +0.09%
==========================================
Files 683 683
Lines 68148 68149 +1
Branches 18703 18703
==========================================
+ Hits 63812 63881 +69
+ Misses 3350 3255 -95
- Partials 986 1013 +27
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
Warning ⏸️ LoopOver review result - manual review recommendedReview updated: 2026-07-17 07:41:42 UTC
Review summary Nits — 5 non-blocking
Flagged checks (non-blocking)
Decision drivers
Context & advisory signals — never blocks the verdict
Review context
Contributor next steps
Signal definitions
🧪 Chat with LoopOverAsk LoopOver a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://loopover.ai/docs/loopover-commands 🧪 Experimental — new and may change. 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.
|
JSONbored
left a comment
There was a problem hiding this comment.
Please find a better implementation:
The splice(2, 0, ...) approach is a bit fragile since it depends on the scannedLines array always having exactly 2 lines before the insertion point
Summary
PUBLIC_FIELD_BLOCKLISTcatches leaked computed fields, butrenderTrackRecordSummaryMarkdownranassertPublicSummaryTextover the whole rendered block — including the- GitHub login:identity line.team-wallet,payout-bot, orcoldkey-labsmatches a word-boundary pattern (/\bwallet\b/iu, …) and threw while rendering that contributor's own summary.assertPublicSummaryText, so a genuinely-injected blocked term still fails closed.Closes #6772
Test plan
test/unit/track-record-summary-login-blocklist.test.ts(5 cases) — required for Codecov, since this module's only prior coverage was the engine'snode --testsuite, which Codecov never sees:team-wallet,payout-bot,coldkey-labs,hotkey-ops,reward-guild,ranking-labsall render instead of throwing.npm run test --workspace @loopover/enginegreen — 588 pass / 0 fail (the existing injection test unchanged).npm run typecheckclean.