Skip to content

fix: support safe file input for IM message bodies#1892

Open
SiyiZhu1 wants to merge 1 commit into
larksuite:mainfrom
SiyiZhu1:agent/im-message-file-input
Open

fix: support safe file input for IM message bodies#1892
SiyiZhu1 wants to merge 1 commit into
larksuite:mainfrom
SiyiZhu1:agent/im-message-file-input

Conversation

@SiyiZhu1

@SiyiZhu1 SiyiZhu1 commented Jul 14, 2026

Copy link
Copy Markdown

What changed

  • allow im +messages-send and im +messages-reply body flags (--text, --markdown, and --content) to read from a cwd-relative @file or stdin (-)
  • document the safe input forms for long and generated messages
  • add unit coverage for the input contract and a dry-run regression test containing shell metacharacters and Chinese text

Why

Long or agent-generated message bodies are currently passed only as inline command-line strings. Markdown code fences, $() expressions, dollar signs, quotes, and backticks can therefore be interpreted by the caller's shell before lark-cli receives them, producing corrupted or incomplete Feishu messages.

The shortcut framework already has validated @file and stdin input resolution. The IM send/reply body flags simply did not opt into it.

User impact

Agents and scripts can safely send exact long-form content without shell interpolation:

lark-cli im +messages-send --chat-id oc_xxx --markdown @./message.md
generate-message | lark-cli im +messages-send --chat-id oc_xxx --markdown -

Validation

  • git diff --check
  • added shortcut contract coverage
  • added a dry-run E2E regression test that preserves code fences, $HOME, $(), and Chinese content
  • local Go execution was unavailable in the authoring environment; CI is expected to run the repository's Go checks

Summary by CodeRabbit

  • New Features

    • Message send and reply commands now accept message content from files or standard input using --content, --text, and --markdown.
    • Added guidance for sending long or generated Markdown messages through files or pipelines.
  • Bug Fixes

    • Markdown content preserves shell-like syntax and special characters without unintended interpretation.

@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


ZSY seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

IM message send and reply flags now explicitly accept file and stdin inputs. Documentation adds Markdown file and pipeline examples, and an end-to-end dry-run test verifies that shell-like Markdown content remains unchanged.

Changes

IM message input support

Layer / File(s) Summary
Flag input declarations and metadata tests
shortcuts/im/im_messages_send.go, shortcuts/im/im_messages_reply.go, shortcuts/im/helpers_test.go
The --content, --text, and --markdown flags accept common.File and common.Stdin for both shortcuts, with tests covering the declarations.
Markdown usage documentation and dry-run validation
skills/lark-im/references/lark-im-messages-*.md, tests/cli_e2e/im/message_markdown_input_dryrun_test.go
Documentation adds file and stdin examples, while an end-to-end dry run verifies that shell syntax and Chinese text are preserved.
Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested labels: feature

Suggested reviewers: 91-enjoy, sammi-bytedance, liangshuo-1, chenxingtong-bytedance

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: safer IM message body input via file or stdin.
Description check ✅ Passed The description covers summary, motivation, changes, user impact, and validation, so it is mostly complete despite different headings.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added domain/im PR touches the im domain size/M Single-domain feat or fix with limited business impact labels Jul 14, 2026
@SiyiZhu1 SiyiZhu1 marked this pull request as ready for review July 15, 2026 05:39

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/cli_e2e/im/message_markdown_input_dryrun_test.go`:
- Line 44: Update the content extraction in the dry-run test to read the request
preview from the `data.api` envelope by using `clie2e.DryRunGet(result.Stdout,
"api.0.body.content")` instead of querying `data.request.body.content` directly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6256cda2-0472-4345-af4f-96fb73224aa5

📥 Commits

Reviewing files that changed from the base of the PR and between 8acd55e and 0cd6b4f.

📒 Files selected for processing (6)
  • shortcuts/im/helpers_test.go
  • shortcuts/im/im_messages_reply.go
  • shortcuts/im/im_messages_send.go
  • skills/lark-im/references/lark-im-messages-reply.md
  • skills/lark-im/references/lark-im-messages-send.md
  • tests/cli_e2e/im/message_markdown_input_dryrun_test.go

require.NoError(t, err)
result.AssertExitCode(t, 0)

content := gjson.Get(result.Stdout, "data.request.body.content").String()

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Find existing dry-run gjson.Get calls to confirm the expected path structure.
rg -n 'gjson\.Get.*body' tests/cli_e2e/ -C 1

Repository: larksuite/cli

Length of output: 8574


🏁 Script executed:

#!/bin/bash
sed -n '1,140p' tests/cli_e2e/im/message_markdown_input_dryrun_test.go
printf '\n---\n'
rg -n 'DryRunData|request\.body|data\.request|body\.content|projection\.body|api\.[0-9]+\.body' tests/cli_e2e -S

Repository: larksuite/cli

Length of output: 31785


🏁 Script executed:

#!/bin/bash
rg -n '"data\.request\.body\.content"|data\.request\.body|request\.body\.content|DryRunGet\(|DryRunData\(' . -S

Repository: larksuite/cli

Length of output: 50369


🏁 Script executed:

#!/bin/bash
sed -n '1,140p' tests/cli_e2e/core.go
printf '\n---\n'
rg -n 'dry[- ]run|request\.body|body\.content|gjson|Stdout|DryRun' im tests/cli_e2e/im -S

Repository: larksuite/cli

Length of output: 24933


🏁 Script executed:

#!/bin/bash
rg -n 'messages-send|--markdown|request\.body\.content|dry[- ]run.*request|request\.body' . -S --glob '!tests/cli_e2e/im/message_markdown_input_dryrun_test.go'

Repository: larksuite/cli

Length of output: 46524


🏁 Script executed:

#!/bin/bash
sed -n '1,180p' shortcuts/im/im_messages_send.go
printf '\n---\n'
sed -n '900,1045p' shortcuts/im/helpers.go
printf '\n---\n'
sed -n '240,340p' internal/cmdutil/dryrun.go

Repository: larksuite/cli

Length of output: 15184


🏁 Script executed:

#!/bin/bash
rg -n 'type DryRunAPI|func \(.*DryRunAPI.*Format|func NewDryRunAPI|type dryRun|WriteSuccessEnvelope|SuccessEnvelope' internal shortcuts -S

Repository: larksuite/cli

Length of output: 4623


🏁 Script executed:

#!/bin/bash
sed -n '1,240p' internal/cmdutil/dryrun.go
printf '\n---\n'
sed -n '1,120p' shortcuts/apps/dryrun_test.go
printf '\n---\n'
sed -n '1,220p' internal/output/envelope_success.go

Repository: larksuite/cli

Length of output: 8992


Read the body from data.api.0.body.content. The dry-run envelope stores request previews under data.api[...], so data.request.body.content is empty here. Use clie2e.DryRunGet(result.Stdout, "api.0.body.content") instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/cli_e2e/im/message_markdown_input_dryrun_test.go` at line 44, Update
the content extraction in the dry-run test to read the request preview from the
`data.api` envelope by using `clie2e.DryRunGet(result.Stdout,
"api.0.body.content")` instead of querying `data.request.body.content` directly.

@github-actions

Copy link
Copy Markdown

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@0cd6b4f4a5a67ec401875141c90693aeb476e8d5

🧩 Skill update

npx skills add SiyiZhu1/cli#agent/im-message-file-input -y -g

@github-actions

Copy link
Copy Markdown

PR Quality Summary

CI did not complete successfully. Use the failed check links below to decide whether this PR needs a code change or a rerun.

Failed checks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

domain/im PR touches the im domain size/M Single-domain feat or fix with limited business impact

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants