fix(node): reject malformed path globs in visibility validation (#74)#75
Conversation
…ment wildcards (#74) validate_path_glob checked `ends_with("/**")` without first stripping it, so any glob that still ended in `/**` slipped past the wildcard guard even when it held a `*` elsewhere in the prefix (e.g. `/a*b/**`, `/a/**/**`). The prefix is fed to glob_prefix/glob_matches as a literal, so such a rule matched no real path and silently granted nobody, the exact silent-misconfiguration this validator exists to prevent. Strip the one permitted trailing `/**` first, then reject any remaining `*`. While here, close a related hole in the same validator: `glob_prefix` greedily trims all trailing `**` and `/`, so `//**` collapsed to `/` (whole repo) and bypassed the explicit `/**` guard, and `//secret/**` became a dead rule whose prefix never matches a real single-slash path. Reject empty path segments so the validator and glob_prefix agree on the canonical form. Adds `/a*b/**`, `/a/**/**`, `/**/**`, `//**`, `//secret/**` to the rejection test.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthrough
ChangesPath Glob Validation Hardening
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary
validate_path_globaccepted malformed visibility globs that silently misconfigure access. It now rejects a wildcard anywhere but the single trailing/**, and rejects empty path segments.Motivation & context
Closes #74
The wildcard guard checked
path_glob.ends_with("/**")without first stripping it, so any glob that still ended in/**slipped through even with a*earlier in the prefix (e.g./a*b/**,/a/**/**).glob_prefix/glob_matchestreat that prefix as a literal, so the rule matched no real path and granted nobody, the exact silent misconfiguration this validator exists to prevent.Reviewing the fix surfaced a second hole in the same function:
glob_prefixgreedily trims all trailing**and/, so//**collapsed to/(whole repo) and bypassed the explicit/**guard, and//secret/**became a dead rule whose prefix never matches a real single-slash path. Both are fail-closed and owner-only (only the repo owner can set rules, and a bad rule grants nobody), so this is hardening, not a live exploit, but the//**case is a one-character bypass of the whole-repo guard and worth closing alongside.Kind of change
What changed
Crate:
gitlawb-node/**before checking for stray*, so a non-trailing wildcard is rejected instead of slipping through.//(empty path segments), keeping the validator andglob_prefixagreed on the canonical form and closing the//**whole-repo bypass./a*b/**,/a/**/**,/**/**,//**,//secret/**to therejects_malformed_globstest.How a reviewer can verify
cargo test -p gitlawb-node globBoth
accepts_supported_globs(/,/secret,/secret/**,/a/b/c,/a/b/**still pass) andrejects_malformed_globs(the five added cases now rejected) cover the change.Before you request review
cargo test --workspacepasses locallycargo fmt --allandcargo clippy --workspace --all-targets -- -D warningsare cleanfeat(...),fix(...),docs(...)).env.exampleupdated if behavior or config changed (or N/A)Notes for reviewers
remove_visibilitystill does not runvalidate_path_glob, but deleting a never-matching rule is a no-op, so that asymmetry is harmless and left out of scope.Summary by CodeRabbit