fix: use original title from webhook payload instead of fetched title (#793)

* fix: use original title from webhook payload instead of fetched title - Add extractOriginalTitle() helper to extract title from webhook payload - Add originalTitle parameter to fetchGitHubData() - Update tag mode to pass original title from webhook context - Add tests for extractOriginalTitle and originalTitle parameter This ensures the title used in prompts is the one that existed when the trigger event occurred, rather than a potentially modified title fetched later via GraphQL. * fix: add title sanitization and explicit TOCTOU test - Apply sanitizeContent() to titles in formatContext() for defense-in-depth - Add explicit test documenting TOCTOU prevention for title handling
2026-01-22 22:44:13 +08:00 · 2026-01-07 23:45:12 +05:30
parent c83d67a9b9
commit 964b8355fb
4 changed files with 195 additions and 2 deletions
--- a/src/github/data/fetcher.ts
+++ b/src/github/data/fetcher.ts
@@ -3,6 +3,8 @@ import type { Octokits } from "../api/client";
 import { ISSUE_QUERY, PR_QUERY, USER_QUERY } from "../api/queries/github";
 import {
  isIssueCommentEvent,
+  isIssuesEvent,
+  isPullRequestEvent,
  isPullRequestReviewEvent,
  isPullRequestReviewCommentEvent,
  type ParsedGitHubContext,
@@ -40,6 +42,31 @@ export function extractTriggerTimestamp(
  return undefined;
 }

+/**
+ * Extracts the original title from the GitHub webhook payload.
+ * This is the title as it existed when the trigger event occurred.
+ *
+ * @param context - Parsed GitHub context from webhook
+ * @returns The original title string or undefined if not available
+ */
+export function extractOriginalTitle(
+  context: ParsedGitHubContext,
+): string | undefined {
+  if (isIssueCommentEvent(context)) {
+    return context.payload.issue?.title;
+  } else if (isPullRequestEvent(context)) {
+    return context.payload.pull_request?.title;
+  } else if (isPullRequestReviewEvent(context)) {
+    return context.payload.pull_request?.title;
+  } else if (isPullRequestReviewCommentEvent(context)) {
+    return context.payload.pull_request?.title;
+  } else if (isIssuesEvent(context)) {
+    return context.payload.issue?.title;
+  }
+
+  return undefined;
+}
+
 /**
 * Filters comments to only include those that existed in their final state before the trigger time.
 * This prevents malicious actors from editing comments after the trigger to inject harmful content.
@@ -146,6 +173,7 @@ type FetchDataParams = {
  isPR: boolean;
  triggerUsername?: string;
  triggerTime?: string;
+  originalTitle?: string;
 };

 export type GitHubFileWithSHA = GitHubFile & {
@@ -169,6 +197,7 @@ export async function fetchGitHubData({
  isPR,
  triggerUsername,
  triggerTime,
+  originalTitle,
 }: FetchDataParams): Promise<FetchDataResult> {
  const [owner, repo] = repository.split("/");
  if (!owner || !repo) {
@@ -354,6 +383,11 @@ export async function fetchGitHubData({
    triggerDisplayName = await fetchUserDisplayName(octokits, triggerUsername);
  }

+  // Use the original title from the webhook payload if provided
+  if (originalTitle !== undefined) {
+    contextData.title = originalTitle;
+  }
+
  return {
    contextData,
    comments,