Skip to content

fix: strip null bytes from gateway.md before writing to step summary#39910

Merged
pelikhan merged 4 commits into
mainfrom
copilot/investigate-invalid-characters
Jun 17, 2026
Merged

fix: strip null bytes from gateway.md before writing to step summary#39910
pelikhan merged 4 commits into
mainfrom
copilot/investigate-invalid-characters

Conversation

Copilot AI commented Jun 17, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Every gateway.md produced by MCPG (gh-aw-firewall) starts with 1444–1537 leading \x00 bytes — a pre-allocated header region that is never filled in. parse_mcp_gateway_log.cjs was writing this content directly to core.summary.addRaw(), and GitHub's HTML5 renderer replaces U+0000 → U+FFFD, producing hundreds of \uFFFD replacement characters at the top of every step summary.

Changes

  • parse_mcp_gateway_log.cjs — strip null bytes from gateway.md content immediately after reading: 
    const gatewayMdContent = fs.readFileSync(gatewayMdPath, "utf8").replace(/\x00/g, "");
  • parse_mcp_gateway_log.test.cjs — add regression test: writes a gateway.md with 1444 leading null bytes (matching production artifact) and asserts step-summary output contains no null bytes while preserving real content.

The upstream MCPG bug (header region never written) should be fixed separately in gh-aw-firewall. This is a defensive consumer-side sanitization.

Copilot AI and others added 2 commits June 17, 2026 22:05
@pelikhan
WIP: start investigating null bytes in step summary
2bb857a 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
fix: strip null bytes from gateway.md before writing to step summary
9d6f2fc 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan June 17, 2026 22:10
@pelikhan pelikhan marked this pull request as ready for review June 17, 2026 22:10
Copilot AI review requested due to automatic review settings June 17, 2026 22:10
Copilot AI reviewed Jun 17, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR defensively sanitizes gateway.md step-summary rendering by stripping null bytes (U+0000) from the gateway.md content before writing it to core.summary, preventing GitHub’s renderer from producing large blocks of U+FFFD replacement characters.

Changes:

  • Strip \x00 bytes from gateway.md content immediately after reading in parse_mcp_gateway_log.cjs.
  • Add a regression test that simulates MCPG’s leading null-byte header region and asserts the step summary contains no null bytes while preserving real content.
  • Update generated workflow lock config related to MCP safe-outputs server startup.
Show a summary per file
File Description
actions/setup/js/parse_mcp_gateway_log.cjs Sanitizes gateway.md content by removing null bytes before writing to the step summary.
actions/setup/js/parse_mcp_gateway_log.test.cjs Adds regression coverage for null-byte stripping behavior in step-summary output.
actions/setup-cli/install.sh Adjusts header comment about how this installer script is kept in sync.
.github/workflows/daily-formal-spec-verifier.lock.yml Updates generated MCP config snippet (safe-outputs entrypoint wrapper + env shaping).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 2

Comment thread actions/setup/js/parse_mcp_gateway_log.test.cjs
Comment on lines +399 to +404
fs.existsSync = originalExistsSync;
fs.readFileSync = originalReadFileSync;
delete global.core;
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
Comment thread actions/setup-cli/install.sh Outdated
set +o histexpand

# Kept in sync with ../../install-gh-aw.sh — edit that file, then copy here.
# Kept in sync with actions/setup-cli/install.sh — edit this file, then copy to that path.
@pelikhan

pelikhan commented Jun 17, 2026

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

@pelikhan
fix: move stub cleanup into finally block and fix self-referential co…
271d449 
…mment in install.sh

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jun 17, 2026

Copy link
Copy Markdown
Contributor Author

@copilot run pr-finisher skill

Done. Both issues from the automated review have been addressed in commit fix: move stub cleanup into finally block and fix self-referential comment in install.sh:

  1. Test cleanup in finally — removed the outer try block and moved fs.existsSync, fs.readFileSync, and global.core restores into the single finally block alongside the tmpDir cleanup. Stubs are now always restored regardless of assertion failures or exceptions.

  2. Self-referential commentactions/setup-cli/install.sh line 4 now reads # Kept in sync with install-gh-aw.sh — edit that file, then copy to this path., correctly pointing to the root install-gh-aw.sh as the source of truth.

All 10,710 JS tests pass locally.

@pelikhan pelikhan merged commit 5147cb1 into main Jun 17, 2026
14 checks passed
@pelikhan pelikhan deleted the copilot/investigate-invalid-characters branch June 17, 2026 23:16
@github-actions github-actions Bot mentioned this pull request Jun 17, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan