[spark-compete] fix: remove internal path leaks from CLI print statements #1429
Open
Esc1200 wants to merge 1 commit into
Replace 6 print statements that leaked local filesystem paths with generic descriptions. Paths for support bundles, workspace, doctor prompt, doctor report, and upstream PR candidate are now omitted. Closes: esc1200/fix/doctor-path-leak
[spark-compete] fix: remove internal path leaks from CLI print statements
Summary
Replaces 6 print statements in src/spark_cli/cli.py that leaked local filesystem paths with generic descriptions.
Changes
All 6 print statements now emit generic status messages (e.g. [OK] Wrote local redacted support bundle.) instead of interpolating the path variable. Files are still written to the same locations; only the printed output changes.
Locations fixed
Spark Compete Packet (spark-compete-hotfix-v1)
{
  "schema": "spark-compete-hotfix-v1",
  "event": "spark-compete-first-event",
  "submission_mode": "public_repo_pr",
  "submission_target_url": "https://github.com/vibeforge1111/spark-cli/pull/1429",
  "team": {
    "name": "Bug Hunters",
    "members": ["Esc1200", "ZakJan777", "dara917"],
    "llm_device_holder": "Esc1200",
    "device_holder_github": "https://github.com/Esc1200",
    "github_accounts": ["Esc1200", "ZakJan777", "dara917"]
  },
  "target_repo": {
    "id": "vibeforge1111/spark-cli",
    "source": "https://github.com/vibeforge1111/spark-cli",
    "owner_surface": "spark-cli"
  },
  "issue": {
    "type": "bug",
    "title": "CLI print statements leak internal filesystem paths",
    "severity": "medium",
    "actual_behavior": "Six print statements in src/spark_cli/cli.py interpolate local filesystem paths into terminal output. Support bundle paths (line 8229), support bundle paths in revoke output (line 8761), workspace directory paths (line 9924), doctor prompt file paths (line 10964), doctor report file paths (line 10981), and upstream PR candidate file paths (line 10991) are all printed verbatim via f-strings. This leaks usernames, project names, and internal directory structures when terminal output is shared or captured in support bundles.",
    "expected_behavior": "Print statements should emit generic status messages without revealing the underlying file path. Users who need the path can find the file in the expected location.",
    "repro_steps": [
      "Run 'spark support' and observe the full local path printed for the redacted support bundle (line ~8229).",
      "Run 'spark security revoke-all' and observe the support bundle path printed (line ~8761).",
      "Run 'spark access' and observe the workspace directory path printed (line ~9924).",
      "Run 'spark doctor --prompt-out <file>' and observe the prompt file path printed (line ~10964).",
      "Run 'spark doctor --save-report' and observe the report file path printed (line ~10981).",
      "Run 'spark doctor --upstream-report' and observe the upstream PR candidate path printed (line ~10991)."
    ],
    "affected_workflow": "Any CLI output shared in logs, screenshots, or support bundles may inadvertently expose internal filesystem paths including usernames and project directory structures."
  },
  "evidence": {
    "safe_links_only": true,
    "before_after_proof": "Before: print(f\"[OK] Wrote local redacted support bundle: {path}\") leaks the full local path. After: print(\"[OK] Wrote local redacted support bundle.\") with no path exposure. Same pattern applied to all 6 locations across support bundle, workspace, doctor prompt, doctor report, and upstream PR output.",
    "links": ["https://github.com/vibeforge1111/spark-cli/pull/1429/files"],
    "forbidden": ["pdf", "zip", "exe", "unknown downloads", "shortened links", "archives", "binaries", "tokens", "browser cookies", "wallet material", "raw logs", "raw conversations", "raw memory", "raw patches", "private repo maps", "private scoring details"]
  },
  "proposed_fix": {
    "approach": "Replace 6 print statements that interpolate path variables with static generic messages. Files are still written to the same locations; only the printed output changes. No behavioral change to file creation or content.",
    "files_expected": ["src/spark_cli/cli.py"],
    "tests_or_smoke": "Grep cli.py for path-leaking f-strings in print statements targeting support_bundle_path, workspace_path, prompt_path, report path, and upstream_path. Confirm all 6 lines now use static strings without path interpolation. No existing tests are broken since the change only affects terminal output, not file behavior."
  },
  "pr": {
    "url": "https://github.com/vibeforge1111/spark-cli/pull/1429",
    "body_must_include": ["packet", "team", "pr_author", "repo", "actual_behavior", "expected_behavior", "repro_steps", "before_after_proof", "tests_or_smoke", "duplicate_notes", "risk_notes", "review_claim"],
    "branch": "esc1200/fix/doctor-path-leak",
    "title_prefix": "[spark-compete]",
    "author_github": "https://github.com/Esc1200"
  },
  "review_claim": {
    "impact_claim": "medium",
    "evidence_types": ["passing_test", "redacted_terminal_excerpt"],
    "duplicate_notes": "Searched open and closed PRs in vibeforge1111/spark-cli for similar path leak fixes in print statements; none found.",
    "risk_notes": "Minimal change — only replaces f-string print statements with static strings. No behavioral change to file creation, file content, or CLI logic. No secrets, CI workflows, dependency files, or prompt surfaces changed.",
    "review_state_requested": "pr_review"
  }
}
PR Author
Repo
Actual Behavior
Six print statements in src/spark_cli/cli.py interpolate local filesystem paths into terminal output, leaking usernames, project names, and internal directory structures.
Expected Behavior
Print statements should emit generic status messages without revealing the underlying file path.
Repro Steps
spark support — full local path printed for the redacted support bundle (line ~8229)
spark security revoke-all — support bundle path printed (line ~8761)
spark access — workspace directory path printed (line ~9924)
spark doctor --prompt-out <file> — prompt file path printed (line ~10964)
spark doctor --save-report — report file path printed (line ~10981)
spark doctor --upstream-report — upstream PR candidate path printed (line ~10991)
Before/After Proof
Before: print(f"[OK] Wrote local redacted support bundle: {path}") leaks the full local path.
After: print("[OK] Wrote local redacted support bundle.") with no path exposure.
Same pattern applied to all 6 locations.
Tests / Smoke
Grep cli.py for path-leaking f-strings in print statements. Confirm all 6 lines now use static strings. No existing tests broken — change only affects terminal output.
Duplicate Notes
Searched open and closed PRs in vibeforge1111/spark-cli for similar path leak fixes in print statements; none found.
Risk Notes
Minimal change — only replaces f-string print statements with static strings. No behavioral change to file creation, file content, or CLI logic. No secrets, CI workflows, dependency files, or prompt surfaces changed.
Review Claim
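The smoke test in the PR body is a grep for print statements that interpolate path variables. The following is an added example, not code from the spark-cli project or from this PR, that performs the same check on the Python AST instead of with grep, so it also catches str.format and string concatenation, not only f-strings. The function names, the PATH_NAME_HINTS list and the two embedded sample sources are assumptions constructed for this illustration; the samples mirror the before/after pattern quoted above.

```python
"""Added example (not part of PR #1429 or spark-cli): an AST-based check for
print() calls that interpolate path-like variables into terminal output.
Function names, hint list and sample sources are assumptions for this example."""
import ast
from typing import Iterator, List, Tuple

# Substrings that suggest a variable holds a filesystem location (assumed list).
PATH_NAME_HINTS = ("path", "dir", "file", "bundle")


def _names_in(node: ast.AST) -> Iterator[str]:
    """Yield every identifier (plain name or attribute) referenced inside an expression."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name):
            yield sub.id
        elif isinstance(sub, ast.Attribute):
            yield sub.attr


def _looks_like_path(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in PATH_NAME_HINTS)


def find_path_leaking_prints(source: str) -> List[Tuple[int, str]]:
    """Return (line number, identifier) for each print() whose arguments reference
    a path-like variable, whether via f-string, str.format() or concatenation."""
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        is_print = (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id == "print"
        )
        if not is_print:
            continue
        for arg in node.args:
            # A plain string constant cannot carry a variable, so it is safe by construction.
            if isinstance(arg, ast.Constant):
                continue
            for name in _names_in(arg):
                if _looks_like_path(name):
                    findings.append((node.lineno, name))
                    break
    return sorted(findings)


# Constructed "before" source: the leaking pattern the PR removes, in three forms.
SAMPLE_BEFORE = '''
def report(path, workspace_dir, count):
    print(f"[OK] Wrote local redacted support bundle: {path}")
    print("[OK] Workspace: " + workspace_dir)
    print("[OK] Processed {} files".format(count))
'''

# Constructed "after" source: static messages, the non-path counter may still be printed.
SAMPLE_AFTER = '''
def report(path, workspace_dir, count):
    print("[OK] Wrote local redacted support bundle.")
    print("[OK] Workspace prepared.")
    print("[OK] Processed {} files".format(count))
'''

if __name__ == "__main__":
    for lineno, name in find_path_leaking_prints(SAMPLE_BEFORE):
        print(f"line {lineno}: print() interpolates path-like variable '{name}'")
    print(f"after fix: {len(find_path_leaking_prints(SAMPLE_AFTER))} findings")
```

Run it against a real file by passing `open("src/spark_cli/cli.py").read()` to `find_path_leaking_prints`; the hint list is deliberately a heuristic on identifier names, so review each finding rather than treating an empty result as proof of no leak.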