#559 — Markdown body safety / eval removal: - Add test-issue-create-body-safety.sh: feeds a hostile Markdown body ($(...), backticks, quotes, $vars, pipes) through issue-create.sh and asserts no command substitution runs and the body reaches tea verbatim. - Convert issue-comment.sh from unquoted $(get_gitea_repo_args) word-splitting to an argv array with an explicit loud login-resolution error. - Confirmed: zero eval usages remain across tools/git/*.sh; the other body-carrying wrappers (issue-create, pr-create, issue-edit, issue-assign) already use argv arrays. #560 — host-derived Gitea login + loud failure: - detect-platform.sh: add print_gitea_login_diagnostic and emit it on the get_gitea_login_for_host failure path (stderr only) — names the unresolved host, lists available tea logins, and gives the GITEA_LOGIN override + tea-login-add fix. Replaces the previous silent failure. - Extend test-gitea-login-resolution.sh: assert the diagnostic fires and lists logins, login is derived from origin host for both mosaicstack and usc (scoped second tea mock), and a valid GITEA_LOGIN override is honored. Also gitignore the .mosaic-test-work/ shell-harness scratch dir. Scope: wrapper surface only. All wrapper test harnesses pass locally.
This commit is contained in:
jason.woltje
@@ -169,6 +169,43 @@ raise SystemExit(1)
|
||||
PY
|
||||
}
|
||||
|
||||
# Emit an actionable diagnostic to stderr when no tea login resolves for a host.
|
||||
# Callers that have a working API fallback may ignore the non-zero return of
|
||||
# get_gitea_login_for_host; this turns the previously SILENT failure into a loud,
|
||||
# greppable hint (available logins + override + add-login instructions). Printed to
|
||||
# stderr only, so it never contaminates stdout (the resolved login name) or log
|
||||
# assertions that capture tea/curl invocations.
|
||||
print_gitea_login_diagnostic() {
|
||||
local host="${1:-<unknown>}"
|
||||
local available
|
||||
available=$(
|
||||
command -v tea >/dev/null 2>&1 || { echo "(tea CLI not installed)"; exit 0; }
|
||||
logins_json=$(tea login list --output json 2>/dev/null) || { echo "(could not query tea login list)"; exit 0; }
|
||||
TEA_LOGINS_JSON="$logins_json" python3 - <<'PY'
|
||||
import json, os
|
||||
from urllib.parse import urlparse
|
||||
try:
|
||||
logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
|
||||
except Exception:
|
||||
logins = []
|
||||
rows = []
|
||||
for login in logins if isinstance(logins, list) else []:
|
||||
name = str(login.get("name") or login.get("Name") or "")
|
||||
url = str(login.get("url") or login.get("URL") or "")
|
||||
host = urlparse(url).hostname or "?"
|
||||
if name:
|
||||
rows.append(f"{name} (host: {host})")
|
||||
print("; ".join(rows) if rows else "(none configured)")
|
||||
PY
|
||||
)
|
||||
{
|
||||
echo "Error: no Gitea tea login matches host '$host'."
|
||||
echo " Available tea logins: ${available}"
|
||||
echo " Fix: set GITEA_LOGIN to a login whose URL host is '$host',"
|
||||
echo " or add one: tea login add --name <name> --url https://$host --token <token>"
|
||||
} >&2
|
||||
}
|
||||
|
||||
get_gitea_login_for_host() {
|
||||
local host="${1:-}"
|
||||
local login
|
||||
@@ -190,6 +227,7 @@ get_gitea_login_for_host() {
|
||||
return 0
|
||||
fi
|
||||
|
||||
print_gitea_login_diagnostic "$host"
|
||||
return 1
|
||||
}
|
||||
|
||||
|
||||
@@ -53,7 +53,15 @@ if [[ "$PLATFORM" == "github" ]]; then
|
||||
gh issue comment "$ISSUE_NUMBER" --body "$COMMENT"
|
||||
echo "Added comment to GitHub issue #$ISSUE_NUMBER"
|
||||
elif [[ "$PLATFORM" == "gitea" ]]; then
|
||||
tea issue comment "$ISSUE_NUMBER" "$COMMENT" $(get_gitea_repo_args)
|
||||
# Build the invocation as an argv array (not unquoted $(get_gitea_repo_args)
|
||||
# word-splitting) so the comment body — including Markdown backticks, $(...),
|
||||
# and quotes — is passed verbatim and never re-split or shell-evaluated.
|
||||
REPO_SLUG=$(get_repo_slug)
|
||||
GITEA_LOGIN_NAME=$(get_gitea_login) || {
|
||||
echo "Error: could not resolve a Gitea login for this repo; cannot comment on issue #$ISSUE_NUMBER." >&2
|
||||
exit 1
|
||||
}
|
||||
tea issue comment "$ISSUE_NUMBER" "$COMMENT" --repo "$REPO_SLUG" --login "$GITEA_LOGIN_NAME"
|
||||
echo "Added comment to Gitea issue #$ISSUE_NUMBER"
|
||||
else
|
||||
echo "Error: Unknown platform"
|
||||
|
||||
@@ -230,4 +230,81 @@ if grep -q -- 'tea issue close 536 .*--login mosaicstack' "$LOG_FILE"; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# #560: loud diagnostic + host-derived login for BOTH instances + override-wins
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
# Loud diagnostic: a host with no matching tea login must emit an actionable
|
||||
# error to stderr (the previous behavior was a SILENT failure). The original
|
||||
# mock defines only usc/evil-usc logins, so mosaicstack resolution fails here.
|
||||
git -C "$REPO_DIR" remote set-url origin https://git.mosaicstack.dev/mosaicstack/stack.git
|
||||
diag_stderr=$(run_in_repo bash -c '
|
||||
source "'"$SCRIPT_DIR"'/detect-platform.sh"
|
||||
get_gitea_login_for_host git.mosaicstack.dev
|
||||
' 2>&1 1>/dev/null || true)
|
||||
if ! grep -q "no Gitea tea login matches host 'git.mosaicstack.dev'" <<<"$diag_stderr"; then
|
||||
echo "Expected loud diagnostic naming the unresolved host; got: $diag_stderr" >&2
|
||||
exit 1
|
||||
fi
|
||||
if ! grep -q "Available tea logins:" <<<"$diag_stderr"; then
|
||||
echo "Expected diagnostic to list available tea logins; got: $diag_stderr" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Both-instance host derivation + override-wins, using a mock that DOES define a
|
||||
# mosaicstack login. Scoped to this section so the API-fallback assertions above
|
||||
# (which rely on mosaicstack having NO tea login) remain valid.
|
||||
BIN_DIR2="$WORK_DIR/bin2"
|
||||
mkdir -p "$BIN_DIR2"
|
||||
cp "$BIN_DIR/curl" "$BIN_DIR2/curl"
|
||||
cat > "$BIN_DIR2/tea" <<'SH'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
if [[ "$*" == "login list --output json" ]]; then
|
||||
cat <<'JSON'
|
||||
[
|
||||
{"name":"mosaicstack","url":"https://git.mosaicstack.dev","user":"jason.woltje"},
|
||||
{"name":"usc","url":"https://git.uscllc.com","user":"jason.woltje"}
|
||||
]
|
||||
JSON
|
||||
exit 0
|
||||
fi
|
||||
printf 'tea %s\n' "$*" >> "$MOSAIC_TEST_LOG"
|
||||
exit 0
|
||||
SH
|
||||
chmod +x "$BIN_DIR2/tea"
|
||||
|
||||
run_in_repo2() {
|
||||
(
|
||||
cd "$REPO_DIR"
|
||||
PATH="$BIN_DIR2:$PATH" \
|
||||
MOSAIC_CREDENTIALS_FILE="$CREDENTIALS_FILE" \
|
||||
MOSAIC_TEST_LOG="$LOG_FILE" \
|
||||
"$@"
|
||||
)
|
||||
}
|
||||
|
||||
git -C "$REPO_DIR" remote set-url origin https://git.mosaicstack.dev/mosaicstack/stack.git
|
||||
mosaic_login=$(run_in_repo2 bash -c 'source "'"$SCRIPT_DIR"'/detect-platform.sh"; get_gitea_login')
|
||||
if [[ "$mosaic_login" != "mosaicstack" ]]; then
|
||||
echo "Expected mosaicstack origin to derive login 'mosaicstack'; got '$mosaic_login'" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
git -C "$REPO_DIR" remote set-url origin https://git.uscllc.com/USC/uconnect.git
|
||||
usc_login_derived=$(run_in_repo2 bash -c 'source "'"$SCRIPT_DIR"'/detect-platform.sh"; get_gitea_login')
|
||||
if [[ "$usc_login_derived" != "usc" ]]; then
|
||||
echo "Expected usc origin to derive login 'usc'; got '$usc_login_derived'" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Explicit GITEA_LOGIN override is honored when it matches the host.
|
||||
git -C "$REPO_DIR" remote set-url origin https://git.mosaicstack.dev/mosaicstack/stack.git
|
||||
override_wins=$(run_in_repo2 bash -c 'export GITEA_LOGIN=mosaicstack; source "'"$SCRIPT_DIR"'/detect-platform.sh"; get_gitea_login')
|
||||
if [[ "$override_wins" != "mosaicstack" ]]; then
|
||||
echo "Expected valid GITEA_LOGIN override to win on mosaicstack host; got '$override_wins'" >&2
|
||||
exit 1
|
||||
fi
|
||||
git -C "$REPO_DIR" remote set-url origin https://git.uscllc.com/USC/uconnect.git
|
||||
|
||||
echo "Gitea login resolution regression harness passed"
|
||||
|
||||
102
packages/mosaic/framework/tools/git/test-issue-create-body-safety.sh
Executable file
102
packages/mosaic/framework/tools/git/test-issue-create-body-safety.sh
Executable file
@@ -0,0 +1,102 @@
|
||||
#!/usr/bin/env bash
|
||||
# Regression harness for issue-create.sh Markdown-body safety (#559).
|
||||
#
|
||||
# Guards against reintroduction of eval-based command construction. The wrapper
|
||||
# builds its tea/gh invocation as an argv array, so a body containing command
|
||||
# substitution ($(...)), backticks, quotes, and dollar signs MUST reach tea
|
||||
# verbatim and MUST NOT be shell-evaluated. This test asserts both:
|
||||
# 1. No command-substitution side effect (an injected `touch SENTINEL` never runs).
|
||||
# 2. The --description value tea receives is byte-for-byte the original body.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
WORK_DIR="${MOSAIC_TEST_WORK_DIR:-$PWD/.mosaic-test-work/issue-create-body-safety}"
|
||||
REPO_DIR="$WORK_DIR/repo"
|
||||
BIN_DIR="$WORK_DIR/bin"
|
||||
SENTINEL="$WORK_DIR/INJECTION_SENTINEL"
|
||||
BODY_FILE="$WORK_DIR/body.txt"
|
||||
RECEIVED_FILE="$WORK_DIR/received-description.txt"
|
||||
|
||||
rm -rf "$WORK_DIR"
|
||||
mkdir -p "$REPO_DIR" "$BIN_DIR"
|
||||
|
||||
git -C "$REPO_DIR" init -q
|
||||
git -C "$REPO_DIR" remote add origin https://git.mosaicstack.dev/mosaicstack/stack.git
|
||||
|
||||
# Hostile Markdown body. The unquoted heredoc expands $SENTINEL (a real path we
|
||||
# want embedded) but every shell metacharacter we care about is backslash-escaped
|
||||
# so the TEST shell writes them literally into the file — the bytes the wrapper
|
||||
# must then preserve.
|
||||
cat > "$BODY_FILE" <<EOF
|
||||
# Release notes
|
||||
|
||||
Inline code: \`rm -rf /\` must stay literal.
|
||||
Command sub attempt: \$(touch $SENTINEL)
|
||||
Backtick cmd attempt: \`touch $SENTINEL\`
|
||||
Dollars: \$HOME \${PATH} \$5.00 and 100% done
|
||||
Quotes: "double" and 'single' and \`mixed\`
|
||||
Trailing pipe-ish: foo | bar && baz ; qux
|
||||
EOF
|
||||
|
||||
BODY="$(cat "$BODY_FILE")"
|
||||
|
||||
# Mock tea: resolve a mosaicstack login, then capture the --description verbatim.
|
||||
cat > "$BIN_DIR/tea" <<'SH'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
if [[ "$*" == "login list --output json" ]]; then
|
||||
cat <<'JSON'
|
||||
[
|
||||
{"name":"mosaicstack","url":"https://git.mosaicstack.dev","user":"jason.woltje"}
|
||||
]
|
||||
JSON
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [[ "${1:-}" == "issue" && "${2:-}" == "create" ]]; then
|
||||
desc=""
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case "$1" in
|
||||
--description) desc="$2"; shift 2 ;;
|
||||
*) shift ;;
|
||||
esac
|
||||
done
|
||||
printf '%s' "$desc" > "$MOSAIC_TEST_RECEIVED"
|
||||
echo "#1 created"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
exit 0
|
||||
SH
|
||||
chmod +x "$BIN_DIR/tea"
|
||||
|
||||
(
|
||||
cd "$REPO_DIR"
|
||||
PATH="$BIN_DIR:$PATH" \
|
||||
MOSAIC_TEST_RECEIVED="$RECEIVED_FILE" \
|
||||
"$SCRIPT_DIR/issue-create.sh" -t "Body safety test" -b "$BODY"
|
||||
) >/dev/null
|
||||
|
||||
# 1. No command substitution executed anywhere in the pipeline.
|
||||
if [[ -e "$SENTINEL" ]]; then
|
||||
echo "FAIL: injected command substitution executed (sentinel file created): $SENTINEL" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# 2. tea actually received the body (issue create path taken, not silently dropped).
|
||||
if [[ ! -f "$RECEIVED_FILE" ]]; then
|
||||
echo "FAIL: tea issue create was never invoked with a --description" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# 3. The description tea received is byte-for-byte the original body.
|
||||
if [[ "$(cat "$RECEIVED_FILE")" != "$BODY" ]]; then
|
||||
echo "FAIL: body was not preserved verbatim through issue-create.sh" >&2
|
||||
echo "--- expected ---" >&2; printf '%s\n' "$BODY" >&2
|
||||
echo "--- received ---" >&2; cat "$RECEIVED_FILE" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "issue-create.sh Markdown body-safety regression harness passed"
|
||||
Reference in New Issue
Block a user