
fix: codeql issue for insecure temporary file#16173

Open
qinzhouxu wants to merge 6 commits into dev from qinzhouxu/codeql

Conversation

@qinzhouxu

Contributor

@github-actions

github-actions Bot commented Jun 17, 2026

Contributor

❌ VscUse Test Plan — Tests unknown

Why these tests: Changed files are in packages/fx-core (core utility/security fix, not vscode-extension or templates), which is an infrastructure/non-template change, so only 2 smoke plans are selected as a basic sanity check.

Branch diff: qinzhouxu/codeql...dev

Plans run:

  • Basic_Custom_Engine_Azure_OpenAI_ts_Copilot_Remote_Debug
  • General_Teams_Agent_OpenAI_py_Remote_Debug

Step Status
1️⃣ Build VSIX (CD) ✅ Done
2️⃣ Build Docker image ✅ Done
3️⃣ Run UI tests ❌ Tests unknown
ℹ️ How were these tests selected?

GitHub Copilot (Claude Sonnet 4.6, high reasoning) analysed the PR title, description, and the diff between
qinzhouxu/codeql and dev
to pick the most relevant test plans from packages/tests/vscuse/Index.md.

appYaml.add(projectIdField);
await fs.writeFile(projectYamlPath, appYaml.toString()); // only write yaml file once instead of write yaml file after every command
if (!this.isInTempDirectory(projectYamlPath)) {
await fs.writeFile(projectYamlPath, appYaml.toString());
appYaml.set("projectId", settings.trackingId);
await fs.writeFile(projectYamlPath, appYaml.toString());
if (!this.isInTempDirectory(projectYamlPath)) {
await fs.writeFile(projectYamlPath, appYaml.toString());
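Review bot: the guard `if (!this.isInTempDirectory(projectYamlPath))` silently drops the write in both spots shown, so after `appYaml.add(projectIdField)` and after `appYaml.set("projectId", settings.trackingId)` a project that lives under a temp directory never gets its projectId/trackingId persisted; if that is the intended behaviour, say so in a comment next to the guard (and consider a debug log), since the comment `// only write yaml file once instead of write yaml file after every command` reads as if the file is still written. How `isInTempDirectory` decides is not visible here; if it compares a prefix against `os.tmpdir()`, resolve both paths (realpath, then a component-wise compare) so that a symlink or a sibling like `<tmpdir>-x` is not misjudged.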
@github-actions

github-actions Bot commented Jun 17, 2026

Contributor

E2E Test Selection — AI Selected

Why these tests: Changes to fx-core ManifestUtils.ts (teamsApp manifest handling) and settingsUtil.ts (cross-cutting core utility) map to teamsApp/, teamsAgent/, declarativeAgent/, and feature/multienv per rule 1; ManifestUtils is specifically used in manifest validation across all app types including declarative agents.

Cases selected (21):

  • ./teamsApp/basicBot.tests.ts
  • ./teamsApp/basicMessageExtension.tests.ts
  • ./teamsApp/basicTab.tests.ts
  • ./teamsAgent/DebugCustomCopilotBasicBot.tests.ts
  • ./teamsAgent/teamsCollaboratorAgent.tests.ts
  • ./teamsAgent/DebugCustomCopilotRagAiSearchBot.tests.ts
  • ./teamsAgent/DebugCustomCopilotRagBasicBot.tests.ts
  • ./declarativeAgent/DeclarativeAgentBasic.tests.ts
  • ./declarativeAgent/DeclarativeAgentWithApiKeyAuth.tests.ts
  • ./declarativeAgent/DeclarativeAgentWithOAuth.tests.ts
  • ./declarativeAgent/DeclarativeAgentInvalidManifestShape.tests.ts
  • ./declarativeAgent/mcp/DeclarativeAgentMCPNoAuth.tests.ts
  • ./declarativeAgent/mcp/DeclarativeAgentMCPAuthEdgeCases.tests.ts
  • ./declarativeAgent/mcp/DeclarativeAgentMCPWithAuth.tests.ts
  • ./declarativeAgent/DeclarativeAgentWithEntra.tests.ts
  • ./declarativeAgent/typespec/typespec.withoutAction.tests.ts
  • ./declarativeAgent/typespec/typespec.withAction.tests.ts
  • ./declarativeAgent/DeclarativeAgentWithNoneAuth.tests.ts
  • ./declarativeAgent/addKnowledge/AddWebSearchByAll.tests.ts
  • ./declarativeAgent/addKnowledge/AddWebSearchByUrl.tests.ts
  • ./feature/multienv.tests.ts

View pipeline run

Need to run more tests?

Comment on this PR:

  • /e2e-run ./path/to/test.tests.ts — add specific cases to AI selection
  • /e2e-run-all — run all e2e cases

Then re-run the workflow.

…ile'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions

github-actions Bot commented Jun 17, 2026

Contributor

❌ VscUse Test Plan — Tests unknown

Why these tests: Changed files are in packages/fx-core (core utility/driver code, not templates or vscode-extension UI), which is a cross-cutting infrastructure fix; applying 2 smoke plans as a basic sanity check.

Branch diff: qinzhouxu/codeql...dev

Plans run:

  • Basic_Custom_Engine_Azure_OpenAI_ts_Copilot_Remote_Debug
  • General_Teams_Agent_OpenAI_py_Remote_Debug

Step Status
1️⃣ Build VSIX (CD) ✅ Done
2️⃣ Build Docker image ✅ Done
3️⃣ Run UI tests ❌ Tests unknown
ℹ️ How were these tests selected?

GitHub Copilot (Claude Sonnet 4.6, high reasoning) analysed the PR title, description, and the diff between
qinzhouxu/codeql and dev
to pick the most relevant test plans from packages/tests/vscuse/Index.md.

…ile'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions

github-actions Bot commented Jun 17, 2026

Contributor

❌ VscUse Test Plan — Tests failure

Why these tests: Changed files are in packages/fx-core (core utility/infra fixes for insecure temp file, not VS Code extension or templates), so only 2 smoke plans are selected as a basic sanity check.

Branch diff: qinzhouxu/codeql...dev

Plans run:

  • Basic_Custom_Engine_Azure_OpenAI_ts_Copilot_Remote_Debug
  • General_Teams_Agent_OpenAI_py_Remote_Debug

Step Status
1️⃣ Build VSIX (CD) ✅ Done
2️⃣ Build Docker image ✅ Done
3️⃣ Run UI tests ❌ Tests failure

🔗 Full pipeline results

ℹ️ How were these tests selected?

GitHub Copilot (Claude Sonnet 4.6, high reasoning) analysed the PR title, description, and the diff between
qinzhouxu/codeql and dev
to pick the most relevant test plans from packages/tests/vscuse/Index.md.

@github-actions

github-actions Bot commented Jun 22, 2026

Contributor

✅ VscUse Test Plan — All tests passed

Why these tests: Changes are in packages/fx-core (core infra, not vscode-extension or templates), fixing a CodeQL security issue in utility files — treated as trivial/infra changes warranting only 1-2 smoke plans.

Branch diff: qinzhouxu/codeql...dev

Plans run:

  • Basic_Custom_Engine_Azure_OpenAI_ts_Copilot_Remote_Debug
  • General_Teams_Agent_OpenAI_py_Remote_Debug

Step Status
1️⃣ Build VSIX (CD) ✅ Done
2️⃣ Build Docker image ✅ Done
3️⃣ Run UI tests ✅ All tests passed

🎯 Actual UI test run
🔗 Full pipeline results
📊 Detailed test report

ℹ️ How were these tests selected?

GitHub Copilot (Claude Sonnet 4.6, high reasoning) analysed the PR title, description, and the diff between
qinzhouxu/codeql and dev
to pick the most relevant test plans from packages/tests/vscuse/Index.md.
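The fix in this PR gates project-YAML writes on an isInTempDirectory check. The TypeScript below is an added example, not code from the TeamsFx project or from this PR: it shows one robust way to implement such a check (symlinks resolved, components compared rather than string prefixes) and, for the case where a file genuinely has to live under the temp directory, how to create it so that the pattern CodeQL's insecure-temporary-file query flags (a predictable name under os.tmpdir(), written without exclusive create) does not apply. The names realpathDeepest, isInTempDirectory, writeProjectYaml, exclusiveWrite and writeSecureTempFile, the teamsfx- prefix and the sample YAML content are assumptions of this example.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Resolve a path that may not exist yet: realpath the deepest existing
// ancestor, then re-append the missing tail. (Helper for this example.)
function realpathDeepest(p: string): string {
  let existing = path.resolve(p);
  const tail: string[] = [];
  while (!fs.existsSync(existing)) {
    const parent = path.dirname(existing);
    if (parent === existing) break; // reached the filesystem root
    tail.unshift(path.basename(existing));
    existing = parent;
  }
  return path.join(fs.realpathSync(existing), ...tail);
}

// True when `candidate` really lands under the OS temp directory. Both sides
// are resolved through symlinks and compared component-wise, so a sibling
// such as "<tmpdir>-evil" or a "<tmpdir>/../x" escape is not accepted just
// because it shares a string prefix with os.tmpdir(). (Example function.)
function isInTempDirectory(candidate: string, tmpRoot: string = os.tmpdir()): boolean {
  const realTmp = fs.realpathSync(tmpRoot);
  const rel = path.relative(realTmp, realpathDeepest(candidate));
  if (rel === "") return true;
  return !path.isAbsolute(rel) && rel.split(path.sep)[0] !== "..";
}

// Mirrors the guard used in this PR: do not persist project settings into a
// YAML that lives under the temp directory. Returns whether a write happened.
function writeProjectYaml(projectYamlPath: string, content: string): boolean {
  if (isInTempDirectory(projectYamlPath)) return false;
  fs.writeFileSync(projectYamlPath, content, { mode: 0o600 });
  return true;
}

// Create-only write: "wx" maps to O_CREAT|O_EXCL, so a file or symlink that
// someone planted at `target` makes the open fail with EEXIST instead of
// being followed. Returns false in that case. mode 0o600 is ignored on Windows.
function exclusiveWrite(target: string, content: string): boolean {
  let fd: number;
  try {
    fd = fs.openSync(target, "wx", 0o600);
  } catch (err) {
    if ((err as { code?: string }).code === "EEXIST") return false;
    throw err;
  }
  try {
    fs.writeFileSync(fd, content);
  } finally {
    fs.closeSync(fd);
  }
  return true;
}

// When a file genuinely has to live under the temp directory: a fresh
// mkdtemp directory (random suffix, created 0o700 on POSIX) gives an
// unpredictable, caller-owned parent, and the exclusive create above
// protects the file itself. Returns the path of the written file.
function writeSecureTempFile(name: string, content: string): string {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "teamsfx-"));
  const target = path.join(dir, path.basename(name));
  if (!exclusiveWrite(target, content)) {
    throw new Error(`unexpected existing file at ${target}`);
  }
  return target;
}

// Constructed sample input, assumed for this example.
const sampleYaml = "version: v1.7\nprojectId: 00000000-0000-0000-0000-000000000000\n";
const written = writeSecureTempFile("teamsapp.yml", sampleYaml);
console.log(`wrote ${written}; in temp: ${isInTempDirectory(written)}`);
```

The guard alone only avoids the insecure write; it does not persist anything for projects under the temp directory, so a caller that needs the settings there should go through the mkdtemp-plus-exclusive-create path instead of a fixed name under os.tmpdir().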


3 participants