Conversation

@shivasurya
Copy link
Owner

This fixes three critical bugs discovered during validation testing. The first fix prevents wildcard pattern flags from incorrectly propagating to argument constraints. The second ensures argument validation is actually performed during scans. The third changes tuple extraction to properly distinguish between error conditions and valid empty string values using Go idioms. These fixes are essential for correct operation of the argument matching features.

@shivasurya shivasurya added bug Something isn't working go Pull requests that update go code python labels Nov 21, 2025
@shivasurya shivasurya self-assigned this Nov 21, 2025
@safedep
Copy link

safedep bot commented Nov 21, 2025

SafeDep Report Summary

Malicious Packages: green | Vulnerable Packages: green | Risky License: green

No dependency changes detected. Nothing to scan.

This report is generated by SafeDep Github App

@codecov
Copy link

codecov bot commented Nov 21, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.91%. Comparing base (392e963) to head (06e2b69).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #390   +/-   ##
=======================================
  Coverage   78.90%   78.91%           
=======================================
  Files          70       70           
  Lines        7117     7123    +6     
=======================================
+ Hits         5616     5621    +5     
- Misses       1262     1263    +1     
  Partials      239      239           

☔ View full report in Codecov by Sentry.

Copy link
Owner Author

shivasurya commented Nov 21, 2025

Merge activity

  • Nov 21, 1:29 AM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Nov 21, 1:40 AM UTC: Graphite rebased this pull request as part of a merge.
  • Nov 21, 1:41 AM UTC: @shivasurya merged this pull request with Graphite.

@shivasurya shivasurya changed the base branch from shiva/pr-06-tuple-indexing to graphite-base/390 November 21, 2025 01:38
@shivasurya shivasurya changed the base branch from graphite-base/390 to main November 21, 2025 01:39
Found during PR #6 validation. These bugs prevented argument constraints
from working correctly in production.

## Bug #1: Python DSL - Argument wildcard inheritance
File: python-dsl/codepathfinder/matchers.py:81

The _make_constraint() method was inheriting the pattern wildcard flag,
causing all argument constraints to use wildcard matching when the
pattern itself had wildcards.

Example:
  calls("*.bind", match_position={"0[0]": "0.0.0.0"})

  Before: Would match ALL .bind() calls (wrong!)
  After: Only matches .bind(("0.0.0.0", ...)) (correct)

## Bug #2: Go Executor - Missing argument validation
File: sourcecode-parser/dsl/call_matcher.go:155-162

The getMatchedPattern() method only checked function name patterns,
completely ignoring argument constraints. Since the scan command uses
ExecuteWithContext() which calls getMatchedPattern(), all argument
checking was bypassed in production!

Impact: ALL argument constraints were ignored during scans.

## Bug #3: Tuple extraction - Empty string ambiguity
File: sourcecode-parser/dsl/call_matcher.go:318-350

The extractTupleElement() function returned "" for both "index out of
bounds" and "extracted value is empty string", making them indistinguishable.

Example:
  s.bind(("", 8080))  # Empty string is valid!

  Before: Treated as "out of bounds" error (wrong!)
  After: Returns ("", true) indicating success (correct)

Changed signature to return (string, bool) to distinguish error from
valid empty string.

## Validation Results

Test rule: avoid_bind_to_all_interfaces
Before: 6/6 matches (100% false positives)
After: 3/6 matches (100% accurate)

## Test Changes

- Updated extractTupleElement tests for new (string, bool) signature
- Added test case for tuple with empty string element
- All existing tests pass

🤖 Generated with Claude Code
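The commit message above describes three behaviours: a tuple element extractor that must report success separately from the extracted value (Bug #3), an executor that must evaluate argument constraints rather than only the callee-name pattern (Bug #2), and a wildcard decision that is made per constraint value rather than inherited from the function-name pattern (Bug #1). The following is an added, self-contained Go model of those three points; it is not code from the codepathfinder project or from this commit. The `call` and `argConstraint` types, the string-splitting parser inside `extractTupleElement`, the `matches`/`countMatches` helpers and the six `sampleCalls` are all assumptions constructed for this example; only the `(string, bool)` signature and the `calls("*.bind", match_position={"0[0]": "0.0.0.0"})` rule shape come from the message.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// call is a constructed stand-in for a parsed call expression: the callee
// name and the raw source text of each positional argument.
type call struct {
	funcName string
	args     []string
}

// argConstraint is a hypothetical positional constraint. tupleIndex < 0 means
// "compare the whole argument"; otherwise the argument must be a tuple
// literal and element tupleIndex is compared against expected.
type argConstraint struct {
	argIndex   int
	tupleIndex int
	expected   string
}

// extractTupleElement returns element `index` of a tuple literal such as
// `("0.0.0.0", 8080)`. The bool reports success, so ("", true) for
// `("", 8080)` is distinguishable from ("", false) for "not a tuple" or
// "index out of range". Simplification: elements may not contain commas.
func extractTupleElement(arg string, index int) (string, bool) {
	arg = strings.TrimSpace(arg)
	if len(arg) < 2 || arg[0] != '(' || arg[len(arg)-1] != ')' {
		return "", false
	}
	var elems []string
	for _, p := range strings.Split(arg[1:len(arg)-1], ",") {
		p = strings.TrimSpace(p)
		if p == "" {
			continue // trailing comma, as in ("0.0.0.0",)
		}
		elems = append(elems, strings.Trim(p, `"'`))
	}
	if index < 0 || index >= len(elems) {
		return "", false
	}
	return elems[index], true
}

// matchValue globs only when the constraint value itself contains "*";
// the callee-name pattern has no say in this decision (Bug #1).
func matchValue(expected, actual string) bool {
	if !strings.Contains(expected, "*") {
		return expected == actual
	}
	ok, err := path.Match(expected, actual)
	return err == nil && ok
}

// matches checks the callee-name pattern and, when checkArgs is true, every
// argument constraint. checkArgs=false reproduces a name-only matcher (Bug #2).
func matches(pattern string, constraints []argConstraint, c call, checkArgs bool) bool {
	if ok, err := path.Match(pattern, c.funcName); err != nil || !ok {
		return false
	}
	if !checkArgs {
		return true
	}
	for _, k := range constraints {
		if k.argIndex >= len(c.args) {
			return false
		}
		actual := c.args[k.argIndex]
		if k.tupleIndex >= 0 {
			var ok bool
			if actual, ok = extractTupleElement(actual, k.tupleIndex); !ok {
				return false // not a tuple or index out of range
			}
		} else {
			actual = strings.Trim(strings.TrimSpace(actual), `"'`)
		}
		if !matchValue(k.expected, actual) {
			return false
		}
	}
	return true
}

// countMatches returns how many of the calls the rule flags.
func countMatches(calls []call, pattern string, constraints []argConstraint, checkArgs bool) int {
	n := 0
	for _, c := range calls {
		if matches(pattern, constraints, c, checkArgs) {
			n++
		}
	}
	return n
}

// bindAllConstraints models match_position={"0[0]": "0.0.0.0"}.
var bindAllConstraints = []argConstraint{{argIndex: 0, tupleIndex: 0, expected: "0.0.0.0"}}

// sampleCalls is constructed input: six bind() calls, three bound to 0.0.0.0.
var sampleCalls = []call{
	{"s.bind", []string{`("0.0.0.0", 8080)`}},
	{"sock.bind", []string{`("127.0.0.1", 8080)`}},
	{"server.bind", []string{`("", 8080)`}}, // "" extracts successfully, then compares unequal
	{"s.bind", []string{`host`}},            // not a tuple literal: extraction fails
	{"s2.bind", []string{`("0.0.0.0", 9090)`}},
	{"listener.bind", []string{`("0.0.0.0",)`}}, // trailing comma
}

func main() {
	fmt.Println("name-only matcher:", countMatches(sampleCalls, "*.bind", bindAllConstraints, false), "/ 6")
	fmt.Println("with constraints: ", countMatches(sampleCalls, "*.bind", bindAllConstraints, true), "/ 6")
}
```

Running it prints 6/6 for the name-only matcher and 3/6 once constraints are evaluated, which is the before/after shape the Validation Results section reports; the numbers here come from the constructed sample, not from the project's test corpus.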
@shivasurya shivasurya force-pushed the shiva/pr-07-critical-bug-fixes branch from 2d05862 to 06e2b69 Compare November 21, 2025 01:40
@shivasurya shivasurya merged commit 8f2eb7b into main Nov 21, 2025
3 checks passed
@shivasurya shivasurya deleted the shiva/pr-07-critical-bug-fixes branch November 21, 2025 01:41
shivasurya added a commit that referenced this pull request Nov 28, 2025
Release v1.1.0 includes enhanced argument matching capabilities:

- Add positional argument matching (match_position parameter)
- Add keyword argument matching (match_name parameter)
- Add tuple indexing for nested arguments
- Add wildcard support in argument values
- Add comprehensive type hints
- Fix critical bugs in argument matching

Related PRs: #386, #389, #390

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@shivasurya shivasurya mentioned this pull request Nov 28, 2025
6 tasks