Eop card browser/m1 data scaffolding #3122
… eop cards in source/eop-mappings-5.0.yaml .
❌ 1 blocking issue (1 total)
…_cards.py Co-authored-by: qltysh[bot] <168846912+qltysh[bot]@users.noreply.github.com>
Pull request overview
Adds initial data scaffolding needed to support browsing the Elevation of Privilege (EoP) 5.0 deck in the Cornucopia site, and introduces a Python utility to generate the per-card content folder structure from source/*-cards-*.yaml.
Changes:
- Populated source/eop-mappings-5.0.yaml with per-card metadata for all EoP suits/cards (IDs, URLs, STRIDE fields).
- Added scripts/scaffold_cards.py to scaffold cornucopia.owasp.org/data/cards/<edition>-cards-<version>-<lang>/... from a source cards YAML.
- Added scaffolded per-card Markdown placeholders under cornucopia.owasp.org/data/cards/eop-cards-5.0-en/ (explanation + technical note).
Reviewed changes
Copilot reviewed 80 out of 158 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| source/eop-mappings-5.0.yaml | Adds full per-card mapping entries for the EoP 5.0 deck (IDs/URLs/stride metadata). |
| scripts/scaffold_cards.py | Introduces a generator script to create the expected card folder/file layout from source/*cards*.yaml. |
| cornucopia.owasp.org/data/cards/eop-cards-5.0-en/** | Adds scaffolded EoP card content folders (templates for explanation/technical notes). |
sydseter left a comment
Please have a look at the Copilot comments.
Summary
- Security │ Blocking - path traversal not yet fixed
- Code quality │ Minor issues (error handling, broad exception)
- Process │ Outstanding review comments not addressed
The scaffolding approach is sensible, but this PR will not be merged until the path traversal issue is fixed and comments addressed.
…ric handling in scaffold_cards.py script, and added unit tests
….com/OWASP/cornucopia into eop-card-browser/m1-data-scaffolding
| import shutil | ||
| from pathlib import Path | ||
| from unittest.mock import patch | ||
| import yaml as _yaml |
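Review bot: On the last import, "import yaml as _yaml", nothing in the visible lines explains the underscore alias. If it exists to avoid a clash with another name in the test module, a one-line comment saying so would help the next reader; otherwise plain "import yaml" is the conventional form and matches the three imports above it.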
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@ayman-art please look at the remaining comments
@ayman-art getting close now.
@sydseter, thank you. I extracted the validation logic into separate methods to reduce the complexity; let me know if there is remaining work.
Description
scripts/scaffold_cards.py) to automate card folders generation, making it easy to onboard future editions and games.
Changes
Data scaffolding — cornucopia.owasp.org/data/cards/eop-cards-5.0-en/
- spoofing, tampering, repudiation, information-disclosure, denial-of-service, elevation-of-privilege
- explanation.md — pre-filled with a Scenario/Threat Modeling template
- technical-note.md — intentionally empty, to be filled later
source/eop-mappings-5.0.yaml
- id, value, url, stride, stride_print
- stride and stride_print map to the first letter and full name of the suit respectively (e.g. S/Spoofing)
scripts/scaffold_cards.py
- cornucopia.owasp.org/data/cards/ by parsing card data files under source/
- cornucopia.owasp.org/data/cards/)
- meta.edition, meta.version, meta.language, suit.name, card.id) are validated against allowlist regexes via safe_component(), and resolved paths are verified to stay within ROOT
- meta, meta.edition, meta.version, meta.language, suits, suit.name, suit.cards, card.id) to produce clear ValueError messages instead of cryptic KeyErrors
tests/scripts/scaffold_cards_utest.py
tests/test_files/source/scaffold-cards-1.0-en.yaml
Screenshots
output files


unit test run output
Resolved or fixed issue: none (partial progress on #1322)
AI Tool Disclosure
[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]
[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro etc.]
[Summarize the key prompts or instructions given to the AI tools]
Affirmation
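The two-layer path check the description mentions (an allowlist regex per path component, then a containment check on the resolved path), sketched as an added example; it is not the PR's scaffold_cards.py. The function names, the regex patterns, the suit-name normalisation and the card ids are assumptions made for the sketch.

```python
import re
import tempfile
from pathlib import Path

# Allowlist patterns are assumptions for this sketch, not the project's regexes.
ALLOWED = {
    "edition": re.compile(r"[a-z][a-z0-9]{0,31}"),
    "version": re.compile(r"[0-9]+(\.[0-9]+){0,2}"),
    "language": re.compile(r"[a-z]{2}(_[a-z]{2})?"),
    "suit": re.compile(r"[a-z][a-z0-9-]{0,63}"),
    "card_id": re.compile(r"[A-Za-z0-9]{1,16}"),
}

def check_component(kind: str, value: object) -> str:
    """Return value only if it is a string fully matching the allowlist."""
    if not isinstance(value, str) or not ALLOWED[kind].fullmatch(value):
        raise ValueError(f"unsafe {kind}: {value!r}")
    return value

def card_dir(root: Path, meta: dict, suit_name: str, card_id: str) -> Path:
    """Build <root>/<edition>-cards-<version>-<lang>/<suit>/<id>, kept under root."""
    parts = [check_component(k, meta.get(k)) for k in ("edition", "version", "language")]
    deck = "{}-cards-{}-{}".format(*parts)
    suit = check_component("suit", suit_name.lower().replace(" ", "-"))
    target = (root / deck / suit / check_component("card_id", card_id)).resolve()
    # Second layer: resolve() follows symlinks, so a link planted inside root
    # (or a pattern loosened later) cannot move the result outside root.
    if not target.is_relative_to(root.resolve()):
        raise ValueError(f"path escapes root: {target}")
    return target

def demo() -> dict:
    """Constructed inputs: a valid card, a traversal id, a symlinked deck folder."""
    root, outside, linked = (Path(tempfile.mkdtemp()) for _ in range(3))
    (linked / "eop-cards-5.0-en").symlink_to(outside, target_is_directory=True)
    meta = {"edition": "eop", "version": "5.0", "language": "en"}
    cases = {
        "valid": (root, "Denial of Service", "DE2"),
        "dotdot_id": (root, "Spoofing", "../../etc"),
        "symlinked_deck": (linked, "Spoofing", "SP2"),
    }
    out = {}
    for label, (base, suit, cid) in cases.items():
        try:
            path = card_dir(base, meta, suit, cid)
            out[label] = path.relative_to(base.resolve()).as_posix()
        except ValueError as exc:
            out[label] = f"rejected: {exc}"
    return out
```

The symlinked case passes every regex and is stopped only by the containment check, which is why both layers are kept. A missing meta key surfaces as a ValueError naming the field rather than a KeyError.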