
[WIP] Fix unawaited promise in boolean logic #16

Draft
Copilot wants to merge 1 commit into main from copilot/fix-unawaited-promise-logic

Contributor

Copilot AI commented Mar 6, 2026

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.


This section details the original issue you should resolve

<issue_title>[Query Create]: Typescript boolean logic on an unawaited promise</issue_title>
<issue_description>### Target Language

actions

Query Name (Optional)

NoMisusedPromises

Query Type

Security

Query Description

This rule forbids providing Promises to logical locations such as if statements in places where the TypeScript compiler allows them but they are not handled properly. These situations can often arise due to a missing await keyword or just a misunderstanding of the way async functions are handled/awaited.

Finds code that returns a Promise:

```typescript
export const validatePassword = (password: string, bcryptPassword: string): Promise<boolean> =>
    bcrypt.compare(getPassword(password), bcryptPassword);
```

However, when that function was used, the value of the Promise was not settled (e.g. by adding an await keyword in front of validatePassword):

```typescript
const valid = user.services?.password?.bcrypt && validatePassword(password, user.services.password.bcrypt);

if (!valid) {
    return false;
}
```

This led to the result of validatePassword being ANDed with true. Since a returned Promise is always “truthy” speaking in JavaScript terms, the boolean valid subsequently was always true when a user had a bcrypt password set.

Expected Severity

Critical

Code Examples

```typescript
export const validatePassword = (password: string, bcryptPassword: string): Promise<boolean> =>
    bcrypt.compare(getPassword(password), bcryptPassword);

const valid = user.services?.password?.bcrypt && validatePassword(password, user.services.password.bcrypt);

if (!valid) {
    return false;
}
```

CWE/CVE Reference (Optional)

CWE-287

References (Optional)

  • https://typescript-eslint.io/rules/no-misused-promises/
  • https://github.blog/security/how-to-scan-for-vulnerabilities-with-github-security-labs-open-source-ai-powered-framework/#h-signing
  • GHSA-w6vw-mrgv-69vf

Code of Conduct

  • I agree to follow this project's Code of Conduct</issue_description>

Comments on the Issue (you are @copilot in this section)



Development

Successfully merging this pull request may close these issues.

[Query Create]: Typescript boolean logic on an unawaited promise
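
The failure mode described in the issue above, reduced to a self-contained sketch with the unawaited check beside an awaited one. This is an added example, not code from the issue, the PR, or the affected project. `compareHash`, the `User` shape, the names `checkPasswordUnawaited` and `checkPasswordAwaited`, and the sample users are constructed assumptions; `compareHash` stands in for `bcrypt.compare` so the block runs offline.

```typescript
// Added example: constructed stand-ins, not code from the affected project.
interface User {
  services?: { password?: { bcrypt?: string } };
}

// Stand-in for bcrypt.compare: asynchronous, resolves to true only on a match.
// The "hash:" prefix scheme is a placeholder, not a real password hash.
const compareHash = (password: string, stored: string): Promise<boolean> =>
  Promise.resolve(stored === "hash:" + password);

const validatePassword = (password: string, bcryptPassword: string): Promise<boolean> =>
  compareHash(password, bcryptPassword);

// Pattern from the issue: `valid` holds the Promise object, never its result.
// The type checker accepts this because the union type can still be falsy.
function checkPasswordUnawaited(user: User, password: string): boolean {
  const valid = user.services?.password?.bcrypt &&
    validatePassword(password, user.services.password.bcrypt);
  if (!valid) {
    return false; // only taken when no bcrypt hash is stored
  }
  return true; // reached for ANY password once a hash is set
}

// Awaited form: the resolved boolean, not the Promise, drives the decision.
async function checkPasswordAwaited(user: User, password: string): Promise<boolean> {
  const hash = user.services?.password?.bcrypt;
  if (!hash) {
    return false;
  }
  // Strict comparison so only a literal `true` result is accepted.
  return (await validatePassword(password, hash)) === true;
}

// Constructed sample users.
const withHash: User = { services: { password: { bcrypt: "hash:correct horse" } } };
const noHash: User = {};
```

With these sample users, `checkPasswordUnawaited(withHash, "wrong")` returns `true`, while `checkPasswordAwaited(withHash, "wrong")` resolves to `false`.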
