fix: make parser.import handle invalid inputs

snyk · Dec 14, 2016 · f37f862 · f37f862
1 parent 8a23950
commit f37f862
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 2 deletions.
diff --git a/lib/parser/add-comments.js b/lib/parser/add-comments.js
@@ -0,0 +1,28 @@
+module.exports = addPolicyComments;
+
+var initialComment = 'Snyk (https://snyk.io) policy file, patches or ignores ' +
+                     'known vulnerabilities.';
+var inlineComments = {
+  ignore: 'ignores vulnerabilities until expiry date; change duration by ' +
+          'modifying expiry date',
+  patch: 'patches apply the minimum changes required to fix a vulnerability',
+};
+
+function addComment(source, comment, position) {
+  return source.substr(0, position) + '# ' + comment + '\n' +
+         source.substr(position);
+}
+
+function addPolicyComments(policyExport) {
+  policyExport = addComment(policyExport, initialComment, 0);
+
+  Object.keys(inlineComments).forEach(function (key) {
+    var comment = inlineComments[key];
+    var position = policyExport.indexOf('\n' + key + ':\n');
+    if (position !== -1) {
+      policyExport = addComment(policyExport, comment, position + 1);
+    }
+  });
+
+  return policyExport;
+}
diff --git a/lib/parser/index.js b/lib/parser/index.js
@@ -2,6 +2,7 @@ var path = require('path');
 var cloneDeep = require('lodash.clonedeep');
 var semver = require('semver');
 var yaml = require('js-yaml');
+var addComments = require('./add-comments');
 
 module.exports = {
   import: imports,
@@ -17,7 +18,7 @@ var parsers = {
 function imports(rawYaml) {
   var data = yaml.safeLoad(rawYaml || '');
 
-  if (!data) {
+  if (!data || typeof data !== 'object') {
     data = {};
   }
 
@@ -59,7 +60,8 @@ function exports(policy) {
 
   // ensure we always update the version of the policy format
   data.version = version();
-  return yaml.safeDump(data);
+  // put inline comments into the exported yaml file
+  return addComments(yaml.safeDump(data));
 }
 
 function version() {

diff --git a/test/fixtures/ignore/.snyk b/test/fixtures/ignore/.snyk
@@ -1,3 +1,5 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
   'npm:hawk:20160119':
     - sqlite > sqlite3 > node-pre-gyp > request > hawk:

diff --git a/test/unit/parser.test.js b/test/unit/parser.test.js
@@ -15,6 +15,18 @@ test('parser fills out defaults', function (t) {
   t.end();
 });
 
+test('parser fills out defaults for invalid inputs', function (t) {
+  var res = parser.import('test');
+  var expect = {
+    version: 'v1.0.0',
+    ignore: {},
+    patch: {},
+  };
+
+  t.deepEqual(res, expect, 'parser fills defaults for invalid inputs');
+  t.end();
+});
+
 test('parser does not modify default parsed format', function (t) {
   var expect = {
     version: 'v1.0.0',

diff --git a/test/unit/policy-save.test.js b/test/unit/policy-save.test.js
@@ -32,5 +32,7 @@ test('policy.save', function (t) {
       t.equal(writeSpy.args[0][0], filename, 'filename correct');
       var parsed = writeSpy.args[0][1].trim();
       t.equal(parsed, asText, 'body contains original');
+      t.match(parsed, '# Snyk (https://snyk.io) policy file, patches or ' +
+              'ignores known vulnerabilities.', 'body contains comments');
     });
 });