fix: validate reviewAgentLogPath to prevent path injection

[msukkari]

Summary

This PR addresses CodeQL security alerts #18 and #19 for js/path-injection in the review agent log writing functionality.

Changes

Added path validation in invokeDiffReviewLlm to ensure the reviewAgentLogPath parameter stays within the expected review-agent directory. The validation:

1. Resolves the provided path to an absolute path using path.resolve()
2. Verifies the resolved path starts with the expected base directory (DATA_CACHE_DIR/review-agent/)
3. Throws an error if the path escapes the log directory

This single guard covers both fs.appendFileSync calls in the function (lines 36 and 49), preventing potential path traversal attacks.

Security Context

While the current risk is low (since pullRequest.number is an integer from the GitHub webhook payload), this validation provides defense-in-depth against future code changes that might introduce different data sources for path construction.

Testing

• Lint passes
• All 391 existing tests pass

Fixes #931

Linear Issue: SOU-931

  

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: af5e67fa-b6ab-4e02-954a-f23640a01542

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/fix-path-injection-review-agent-eb42

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}