Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lint: add errors about duplicated extra-files and checksums & when extra-file paths contains '..' #5561

Merged
merged 10 commits into from
Sep 3, 2024
Merged

lint: add errors about duplicated extra-files and checksums & when extra-file paths contains '..' #5561

merged 10 commits into from
Sep 3, 2024

Conversation

rjbou
Copy link
Collaborator

@rjbou rjbou commented May 26, 2023
edited
Loading

New lints:

  • E70 Field 'extra-files' contains duplicated files
  • E71 Field 'url.checksum' contains duplicated checksums
  • E72 Field 'extra-sources.checksum' contains duplicated checksums
  • E73 Field 'extra-files' contains path with '..' (it can be removed by opamfile: parse error on escapable paths #5562)

Update:

  • W37 Missing field 'dev-repo': update test

More testcases:

  • E59 url doesn't contain a checksum
  • E65 URLs must be absolute

/cc @hannesm @reynir

@rjbou rjbou added the PR: QUEUED Pending pull request, waiting for other work to be merged or closed label May 26, 2023
This was referenced May 26, 2023
Draft
Draft
Merged
@rjbou rjbou removed the PR: QUEUED Pending pull request, waiting for other work to be merged or closed label Aug 29, 2023
@rjbou rjbou requested a review from kit-ty-kate August 29, 2023 17:28
@rjbou
Copy link
Collaborator Author

rjbou commented Aug 29, 2023

Rebased! /cc @hannesm @reynir

@rjbou rjbou added this to the 2.2.0~alpha3 milestone Aug 29, 2023
rjbou
rjbou commented Aug 31, 2023
View reviewed changes
src/core/opamFilename.ml Outdated Show resolved Hide resolved
rjbou
rjbou commented Aug 31, 2023
View reviewed changes
src/core/opamFilename.mli Outdated Show resolved Hide resolved
@kit-ty-kate kit-ty-kate removed this from the 2.2.0~alpha3 milestone Sep 2, 2023
AltGr
AltGr approved these changes Sep 7, 2023
View reviewed changes
Copy link
Member

@AltGr AltGr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Detection of .. in paths needs foolproofing, but otherwise good :)

src/core/opamFilename.ml Outdated Show resolved Hide resolved
hannesm
hannesm reviewed Nov 7, 2023
View reviewed changes
src/core/opamFilename.ml Outdated
@@ -9,6 +9,10 @@
(* *)
(**************************************************************************)

let might_escape path =
List.exists (String.equal Filename.parent_dir_name)
Re.(split (compile (str Filename.dir_sep)) path)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I always struggle to understand Re (and regular expressions in general) -- I understand that Filename.dir_sep is returning a string, and String.split_on_char expects a character to split on.

But since all known values of Filename.dir_sep are a single-character string, I'd go down that path.

(of course, this is just a minor thing, and please ignore if you're happy with regular expressions).

@hannesm
Copy link
Member

hannesm commented Nov 7, 2023

to me this looks great, thanks for your work on it; and your patience.

@rjbou rjbou requested a review from kit-ty-kate May 3, 2024 08:46
@kit-ty-kate kit-ty-kate removed their request for review May 9, 2024 13:24
@rjbou rjbou added this to the 2.3 milestone Jun 27, 2024
kit-ty-kate
kit-ty-kate reviewed Jul 9, 2024
View reviewed changes
src/core/opamFilename.ml Outdated
let sep =
match sep with
| `Unix -> "/"
| `Windows -> "\\"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are we sure all the / in the given path have been replaced by \ at this point? If both are present then we should check for both on Windows given they are both valid path separators

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updates windows with `/|' search

@rjbou rjbou marked this pull request as draft July 10, 2024 13:56
@rjbou rjbou marked this pull request as ready for review August 14, 2024 18:08
@rjbou
Copy link
Collaborator Author

rjbou commented Aug 14, 2024
edited
Loading

Should I split the PR ? it is quite big and there is several purposes (fix, new lint, update)

@rjbou rjbou requested a review from kit-ty-kate August 14, 2024 18:12
kit-ty-kate
kit-ty-kate reviewed Aug 15, 2024
View reviewed changes
Copy link
Member

@kit-ty-kate kit-ty-kate left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should I split the PR ? it is quite big and there is several purposes (fix, new lint, update)

No i think it's fine. Although the PR title is not very descriptive and is a bit confusing.
What about:

lint: add errors about duplicated extra-files and checksums & when extra-file paths might point to a parent directory

master_changes.md Outdated Show resolved Hide resolved
master_changes.md Outdated Show resolved Hide resolved
master_changes.md Outdated Show resolved Hide resolved
tests/reftests/lint.test Outdated Show resolved Hide resolved
master_changes.md Outdated Show resolved Hide resolved
master_changes.md Outdated Show resolved Hide resolved
src/state/opamFileTools.ml Show resolved Hide resolved
@rjbou
Copy link
Collaborator Author

rjbou commented Aug 20, 2024
edited
Loading

lint: add errors about duplicated extra-files and checksums & when extra-file paths might point to a parent directory

To good PR titles would be:
Lint: add some test cases, add lint errors aboud duplicated extra-files, checksum in url and extra-source, when extra-files paths might point to a parent directory, and update W59 to check if a checksum is present even if --check-upstream is not given
🙃
that's why i was considering to split ^^

@kit-ty-kate
Copy link
Member

To good PR titles would be:
Lint: add some test cases, add lint errors aboud duplicated extra-files, checksum in url and extra-source, when extra-files paths might point to a parent directory, and update W59 to check if a checksum is present even if --check-upstream is not given

Adding test cases is a normal part of every PR so i don't think it should be part of the title. My contraction of checksums is in my opinion a compact way of talking about url and extra-source without mentioning them, and the update to W59 is pretty minor and i don't think it's worth mentioning in the title.

@rjbou rjbou force-pushed the lint-security branch 3 times, most recently from e48ae8a to c5cca86 Compare August 26, 2024 15:33
kit-ty-kate
kit-ty-kate reviewed Sep 2, 2024
View reviewed changes
Copy link
Member

@kit-ty-kate kit-ty-kate left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

aside from those minor typos and the remaining question about what the title of the PR should be (we can chat quickly about it at the weekly meeting), lgtm

master_changes.md Show resolved Hide resolved
master_changes.md Show resolved Hide resolved
master_changes.md Outdated Show resolved Hide resolved
@rjbou
reftest: add an additional test case for W37, opam file with and with…
d6c2d8e 
…out url section

It highlights that when no url is present, W37 is not triggered
@rjbou
reftest: lint, update E65 to test other urls scheme
036776c
@rjbou
lint: add E70 for extra-files duplication
fcd6f52
@rjbou
hash: export compare kind
5a8b1be
@rjbou
lint: add E71 for checking if the same checksum algorithm is used sev…
35cd148 
…eral times for a given url in url section
@rjbou
lint: add E72 for checking if the same checksum algorithm is used sev…
ab348e2 
…eral times for a given url in extra-sources section
@rjbou
filename: add might_escape function
17f2447
@rjbou
lint: add E73 for relative path on extra-files
b785fc4
@rjbou
reftest: add more test cases for W59
dac75eb 
* Shows the difference of behaviour between 'opam lint' and 'opam lint --check-upstream'
* Add test cases for special cases: conf flag, url containing git url
@rjbou
lint: update W59 (no checksum on url) to always display a warning, no…
0e4b791 
… more tied to --check-upstream option
@rjbou rjbou changed the title lint: add some lint & fix for url checks lint: add errors about duplicated extra-files and checksums & when extra-file paths contains '..' Sep 3, 2024
@kit-ty-kate kit-ty-kate merged commit 4a3c545 into ocaml:master Sep 3, 2024
29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hannesm hannesm hannesm left review comments

@kit-ty-kate kit-ty-kate kit-ty-kate approved these changes

@AltGr AltGr AltGr approved these changes

Assignees
No one assigned
Labels
STATE: READY TO MERGE
Projects
None yet
Milestone
2.3.0~alpha1
Development

Successfully merging this pull request may close these issues.
4 participants
@rjbou @hannesm @kit-ty-kate @AltGr