[HIGH] summary/core.py: prompt.format(diff=diff) crashes on diffs containing curly braces #11

New issue

Closed

opened 2026-05-19 04:42:47 +00:00 by foravo_admin · 1 comment

foravo_admin commented

2026-05-19 04:42:47 +00:00

Owner

Imported from GitHub issue M00C1FER/mesh-review#2.

Source: https://github.com/M00C1FER/mesh-review/issues/2
Original author: @M00C1FER
Original state: closed

Finding 1 — HIGH

File: src/mesh_review/summary/core.py
Function: _shell_runner() → inner run() closure
Commit fixing this: 834f8d8441226ac383868a9cb8ac5c69b650581e (PR #1)

Description

The default summary prompt template contains {diff} and is expanded using:

full_prompt = prompt.format(diff=diff)

Any diff that contains a literal curly-brace sequence (e.g., {HEAD} in git conflict markers, JSON payloads, Python f-strings, shell variable expansions) causes Python's str.format() to raise KeyError or ValueError, crashing the summarization run for all configured CLIs.

Impact

Every mesh-review summary run on a diff containing { or } raises an unhandled exception and exits with a traceback, producing no output.
This is the most common case in practice: JavaScript/TypeScript/Python diffs routinely contain {}, JSON responses, f-strings, etc.

Fix Applied

Switched to prompt.replace("{diff}", diff) which is a literal string substitution and does not interpret {...} tokens in the diff.

# Before
full_prompt = prompt.format(diff=diff)

# After
full_prompt = prompt.replace("{diff}", diff)

References

review/core.py:_shell_runner already used .replace() correctly — this was an inconsistency between the two mirrors.

Imported from GitHub issue `M00C1FER/mesh-review#2`. Source: https://github.com/M00C1FER/mesh-review/issues/2 Original author: @M00C1FER Original state: closed  --- ## Finding 1 — HIGH **File:** `src/mesh_review/summary/core.py` **Function:** `_shell_runner()` → inner `run()` closure **Commit fixing this:** 834f8d8441226ac383868a9cb8ac5c69b650581e (PR #1) ### Description The default summary prompt template contains `{diff}` and is expanded using: ```python full_prompt = prompt.format(diff=diff) ``` Any diff that contains a literal curly-brace sequence (e.g., `{HEAD}` in git conflict markers, JSON payloads, Python f-strings, shell variable expansions) causes Python's `str.format()` to raise `KeyError` or `ValueError`, crashing the summarization run for **all configured CLIs**. ### Impact - Every `mesh-review summary` run on a diff containing `{` or `}` raises an unhandled exception and exits with a traceback, producing no output. - This is the most common case in practice: JavaScript/TypeScript/Python diffs routinely contain `{}`, JSON responses, f-strings, etc. ### Fix Applied Switched to `prompt.replace("{diff}", diff)` which is a literal string substitution and does not interpret `{...}` tokens in the diff. ```python # Before full_prompt = prompt.format(diff=diff) # After full_prompt = prompt.replace("{diff}", diff) ``` ### References - `review/core.py:_shell_runner` already used `.replace()` correctly — this was an inconsistency between the two mirrors.

foravo_admin

2026-05-19 04:42:47 +00:00

closed this issue
added the
code-review
label

foravo_admin commented

2026-05-19 04:42:47 +00:00

Author

Owner

Imported from GitHub issue comment M00C1FER/mesh-review#2:4362220270.

Source: https://github.com/M00C1FER/mesh-review/issues/2#issuecomment-4362220270
Original author: @M00C1FER

Fixed by merged PR #1.

Imported from GitHub issue comment `M00C1FER/mesh-review#2:4362220270`. Source: https://github.com/M00C1FER/mesh-review/issues/2#issuecomment-4362220270 Original author: @M00C1FER  --- Fixed by merged PR #1.