feat: add pull request creation endpoint with GitHub CLI integration #8861
base: main
Conversation
Review Complete: Code Review Summary
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
3 issues found across 3 files
Prompt for AI agents (all 3 issues)
Understand the root cause of the following 3 issues and fix them.
<file name="extensions/cli/src/commands/serve.ts">
<violation number="1" location="extensions/cli/src/commands/serve.ts:329">
`/pr` accepts untrusted JSON and feeds it into createPullRequest, which constructs `gh pr create` via string concatenation and executes it with `child_process.exec`, allowing remote command injection via crafted title/body/base values.</violation>
<violation number="2" location="extensions/cli/src/commands/serve.ts:419">
Rule violated: **Don't use console.log**
The newly added POST /pr endpoint announcement uses console.log instead of the project logger, violating the "Don't use console.log" rule. Use logger.info/logger.warn for all runtime logging to keep output centralized and configurable.</violation>
</file>
<file name="extensions/cli/src/commands/pr.ts">
<violation number="1" location="extensions/cli/src/commands/pr.ts:91">
User-supplied PR metadata is interpolated into a shell command (`execAsync("gh …")`), allowing command injection and even breaking when titles/bodies contain spaces. Use spawn/execFile with an argument array instead of building a shell string.</violation>
</file>
Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR
/pr accepts untrusted JSON and feeds it into createPullRequest, which constructs gh pr create via string concatenation and executes it with child_process.exec, allowing remote command injection via crafted title/body/base values.
Prompt for AI agents
Address the following comment on extensions/cli/src/commands/serve.ts at line 329:
<comment>`/pr` accepts untrusted JSON and feeds it into createPullRequest, which constructs `gh pr create` via string concatenation and executes it with `child_process.exec`, allowing remote command injection via crafted title/body/base values.</comment>
<file context>
@@ -320,6 +321,40 @@ export async function serve(prompt?: string, options: ServeOptions = {}) {
+ state.lastActivity = Date.now();
+
+ try {
+ const options: PrOptions = req.body;
+ logger.info("Creating pull request", { options });
+
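Review bot: `const options: PrOptions = req.body;` is a compile-time annotation only; at runtime nothing checks that `title`, `body` and `base` are strings, or that `base` looks like a branch name rather than an option (for example a value beginning with `-`), before they are handed to createPullRequest, which the comment above shows builds a `gh pr create` shell string from them. Validate and reject non-string or option-like fields here (respond 400), and have createPullRequest pass the fields as an argv array to execFile/spawn instead of concatenating them for exec. The `logger.info("Creating pull request", { options })` call also writes the full body text to the log; consider logging only the field names or lengths.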
</file context>
4 issues found across 3 files
Prompt for AI agents (all 4 issues)
Understand the root cause of the following 4 issues and fix them.
<file name="extensions/cli/src/commands/pr.ts">
<violation number="1" location="extensions/cli/src/commands/pr.ts:116">
User-controlled base is interpolated into a git log shell command executed via execAsync, enabling command injection. Use execFile with argument arrays or strictly validate allowed branch names before executing git.</violation>
</file>
<file name="extensions/cli/src/commands/pr.test.ts">
<violation number="1" location="extensions/cli/src/commands/pr.test.ts:17">
Mocked `child_process` never exposes `execFile`, so importing the module under test throws before any test runs.</violation>
<violation number="2" location="extensions/cli/src/commands/pr.test.ts:121">
The `execMock` implementations use an `exec`-style signature, but the code under test calls `execFile(file, args, options, callback)`, so callbacks are never invoked and the command matching logic never triggers.</violation>
</file>
<file name="extensions/cli/src/commands/serve.ts">
<violation number="1" location="extensions/cli/src/commands/serve.ts:419">
Rule violated: **Don't use console.log**
Replace this new console.log with the shared logger (e.g., logger.info) to comply with the “Don’t use console.log” rule for server output.</violation>
</file>
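Added example, not the project's own code: a hardened sketch of the createPullRequest path that both reviews ask for (pr.ts:91 and pr.ts:116), passing each PR field as its own argv element to execFile and allow-listing the base branch name before it reaches `gh` or `git`. The PrOptions shape, the function names and the branch-name pattern are assumptions.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Assumed shape of the request body handled by POST /pr.
export interface PrOptions {
  title?: string;
  body?: string;
  base?: string;
}

// Conservative allow-list for branch names (assumption, stricter than
// git check-ref-format): must start with an alphanumeric, so option-like
// values such as "--output=x" or "-n" can never be passed on to git/gh.
const BRANCH_NAME = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;

export function validateBase(base: string): string {
  if (typeof base !== "string" || !BRANCH_NAME.test(base) || base.includes("..")) {
    throw new Error(`Invalid base branch name: ${JSON.stringify(base)}`);
  }
  return base;
}

// Build argv for `gh pr create`. Each user value is one array element, so
// spaces, quotes and shell metacharacters in a title or body are inert:
// no shell ever parses them.
export function buildGhPrArgs(options: PrOptions): string[] {
  const args = ["pr", "create"];
  if (options.base !== undefined) {
    args.push("--base", validateBase(options.base));
  }
  args.push("--title", options.title ?? "Untitled change");
  args.push("--body", options.body ?? "");
  return args;
}

// Counterpart to the exec("gh pr create ...") pattern flagged in review:
// execFile with shell:false runs the gh binary directly with the argv above.
export async function createPullRequest(options: PrOptions): Promise<string> {
  const { stdout } = await execFileAsync("gh", buildGhPrArgs(options), {
    shell: false,
    timeout: 60_000,
  });
  return stdout.trim(); // gh prints the new PR URL on stdout
}
```

The same validateBase guard should sit in front of the `git log` call at pr.ts:116, since that command receives the same user-controlled base value.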
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
…edev/continue into nate/add-pr-endpoint-cli
Summary by cubic
Add POST /pr endpoint to create GitHub pull requests via the GitHub CLI. Validates repo state, auto-fills title/body, and returns the PR URL.
Written for commit d3cba54.