refactor: safely parse Pipfile.lock (#20825)

renovatebot · Mar 12, 2023 · 1567386 · 1567386
1 parent cbbeecb
commit 1567386
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 14 deletions.
diff --git a/lib/modules/manager/pipenv/artifacts.ts b/lib/modules/manager/pipenv/artifacts.ts
@@ -15,11 +15,12 @@ import type {
   UpdateArtifactsConfig,
   UpdateArtifactsResult,
 } from '../types';
+import { PipfileLockSchema } from './schema';
 
 function getPythonConstraint(
   existingLockFileContent: string,
   config: UpdateArtifactsConfig
-): string | undefined | null {
+): string | undefined {
   const { constraints = {} } = config;
   const { python } = constraints;
 
@@ -28,14 +29,20 @@ function getPythonConstraint(
     return python;
   }
   try {
-    const pipfileLock = JSON.parse(existingLockFileContent);
-    if (pipfileLock?._meta?.requires?.python_version) {
-      const pythonVersion: string = pipfileLock._meta.requires.python_version;
+    const result = PipfileLockSchema.safeParse(
+      JSON.parse(existingLockFileContent)
+    );
+    // istanbul ignore if: not easily testable
+    if (!result.success) {
+      logger.warn({ error: result.error }, 'Invalid Pipfile.lock');
+      return undefined;
+    }
+    if (result.data._meta?.requires?.python_version) {
+      const pythonVersion = result.data._meta.requires.python_version;
       return `== ${pythonVersion}.*`;
     }
-    if (pipfileLock?._meta?.requires?.python_full_version) {
-      const pythonFullVersion: string =
-        pipfileLock._meta.requires.python_full_version;
+    if (result.data._meta?.requires?.python_full_version) {
+      const pythonFullVersion = result.data._meta.requires.python_full_version;
       return `== ${pythonFullVersion}`;
     }
   } catch (err) {
@@ -56,14 +63,19 @@ function getPipenvConstraint(
     return pipenv;
   }
   try {
-    const pipfileLock = JSON.parse(existingLockFileContent);
-    if (pipfileLock?.default?.pipenv?.version) {
-      const pipenvVersion: string = pipfileLock.default.pipenv.version;
-      return pipenvVersion;
+    const result = PipfileLockSchema.safeParse(
+      JSON.parse(existingLockFileContent)
+    );
+    // istanbul ignore if: not easily testable
+    if (!result.success) {
+      logger.warn({ error: result.error }, 'Invalid Pipfile.lock');
+      return '';
+    }
+    if (result.data.default?.pipenv?.version) {
+      return result.data.default.pipenv.version;
     }
-    if (pipfileLock?.develop?.pipenv?.version) {
-      const pipenvVersion: string = pipfileLock.develop.pipenv.version;
-      return pipenvVersion;
+    if (result.data.develop?.pipenv?.version) {
+      return result.data.develop.pipenv.version;
     }
   } catch (err) {
     // Do nothing

diff --git a/lib/modules/manager/pipenv/schema.ts b/lib/modules/manager/pipenv/schema.ts
@@ -0,0 +1,24 @@
+import { z } from 'zod';
+
+const PipfileLockEntrySchema = z
+  .record(
+    z.string(),
+    z.object({
+      version: z.string().optional(),
+    })
+  )
+  .optional();
+export const PipfileLockSchema = z.object({
+  _meta: z
+    .object({
+      requires: z
+        .object({
+          python_version: z.string().optional(),
+          python_full_version: z.string().optional(),
+        })
+        .optional(),
+    })
+    .optional(),
+  default: PipfileLockEntrySchema,
+  develop: PipfileLockEntrySchema,
+});