Skip to content

fix(cli): warn but skip remote lookup for a malformed services project ref#5802

Merged
Coly010 merged 2 commits into
developfrom
columferry/cli-1872-services-decide-malformed-ref-behavior-go-warn-and-proceed
Jul 7, 2026
Merged

fix(cli): warn but skip remote lookup for a malformed services project ref#5802
Coly010 merged 2 commits into
developfrom
columferry/cli-1872-services-decide-malformed-ref-behavior-go-warn-and-proceed

Conversation

@Coly010

@Coly010 Coly010 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

What kind of change does this PR introduce?

Bug fix (Go-parity divergence).

What is the current behavior?

On a malformed linked project ref, Go's services command validates the ref (flags.LoadProjectRef) but only warns to stderr on failure and still proceeds to call the remote tenant lookup with the bad ref (cmd/services.go, internal/services/services.go:61-62). The TypeScript port silently skipped the remote lookup on a malformed ref with no warning at all, and services/SIDE_EFFECTS.md mis-attributed that silent skip to Go.

Fixes CLI-1872.

What is the new behavior?

TS now prints the same warning Go would print (Invalid project ref format. Must be like \abcdefghijklmnopqrst`., reusing the constant already exported from legacy-project-ref.service.ts), matching Go's stderr ordering. Unlike Go, TS deliberately does **not** then proceed with the malformed ref — the ref gets embedded unescaped into the tenant gateway hostname in fetchLinkedServiceVersions, so proceeding would let a malformed/tampered ref redirect the service-role key to an attacker-controlled host. This is an intentional, documented TS-only divergence (SSRF hardening), not a parity bug — see the updated SIDE_EFFECTS.mdand the new "Behavioral divergences" section indocs/go-cli-porting-status.md`.

Reviewed via a 4-way parallel pass (architect/engineer/security/DX); security and engineer approved outright, architect approved after closing a branch-coverage gap on the exact code this PR restructured, and DX surfaced that the identical Go idiom (flags.LoadProjectRef's warn-and-continue) is also unhandled in projects list and a few resolveOptional callers — filed as CLI-1900 for its own dedicated audit, since each caller needs independent verification against its Go counterpart rather than a blanket fix.

Coly010 added 2 commits July 6, 2026 21:56
…t ref

Go's `cmd/services.go` validates the linked ref but only warns on failure and
still calls listRemoteImages with the malformed value. TS now warns the same
way but deliberately does not proceed with the bad ref, since it gets
embedded unescaped into the tenant gateway hostname — keeping the existing
SSRF hardening instead of matching Go's warn-and-proceed behavior.

Fixes CLI-1872
- Match Go's stderr ordering (ref-format warning before config-load warning)
- Close a branch-coverage gap: add integration coverage for the valid-ref +
  logged-in remote-fetch path that this change restructured
- Correct resolveOptional's doc comment, which claimed Go skips validation
  entirely on its soft-load path when Go actually validates and warns, just
  doesn't fail the command
- Note the untrimmed SUPABASE_PROJECT_ID env var and cross-reference the
  divergence from the Notes section of SIDE_EFFECTS.md for discoverability

Filed CLI-1900 to audit other resolveOptional callers (projects list, db
dump/query) for the same missing warning, since each needs its own
Go-parity verification rather than a blanket fix.
@Coly010

Coly010 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 441342eebc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/cli/src/legacy/commands/services/services.handler.ts
@Coly010 Coly010 self-assigned this Jul 7, 2026
@Coly010 Coly010 marked this pull request as ready for review July 7, 2026 10:47
@Coly010 Coly010 requested a review from a team as a code owner July 7, 2026 10:47
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Supabase CLI preview

npx --yes https://pkg.pr.new/supabase/cli/supabase@441342eebc86b1e5495e9f9181d6d6fea797bb92

Preview package for commit 441342e.

@Coly010 Coly010 added this pull request to the merge queue Jul 7, 2026
Merged via the queue into develop with commit badb074 Jul 7, 2026
41 checks passed
@Coly010 Coly010 deleted the columferry/cli-1872-services-decide-malformed-ref-behavior-go-warn-and-proceed branch July 7, 2026 13:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants