Files
MokoGitea-Fork/services/security/code_scanner_test.go
T
jmiller 2f119fbd95
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 16s
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
Generic: Project CI / Lint & Validate (pull_request) Successful in 44s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 1m29s
Universal: PR Check / Secret Scan (pull_request) Successful in 3m49s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
fix(security): code scanner panics at startup on RE2-incompatible regexp
The "deserialize-yaml-py" rule in services/security/code_scanner.go used a
negative lookahead `(?!\s*#)` in regexp.MustCompile. Go's regexp engine is
RE2, which has no lookahead/lookbehind, so MustCompile panics during the
package init() — crash-looping the entire server at startup. `go build` and
`go vet` do not execute init(), and CI never boots the binary, so this
shipped to main via #552 undetected; the running instances survived only
because they predate that image.

Replace the pattern with an RE2-safe equivalent `(?i)yaml\.load\s*\(`, which
matches the rule's stated intent (flag yaml.load() without SafeLoader,
CWE-502). Add a regression test that forces the package init and asserts
every DefaultCodeRules pattern compiled, so a future RE2-incompatible
pattern fails in CI here instead of on a live deploy.

Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT
2026-07-05 15:06:57 -05:00

24 lines
832 B
Go

// Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
// SPDX-License-Identifier: GPL-3.0-or-later
package security
import "testing"
// TestDefaultCodeRulesCompile forces the package init, which builds every scanner
// rule's regexp via regexp.MustCompile, and asserts each pattern is present. Go's
// regexp engine is RE2 and rejects Perl-only constructs (lookahead/lookbehind/
// backreferences) by panicking in MustCompile at init — which crash-loops the
// server at startup. This test executes that init so such a pattern fails CI here
// instead of on a live deploy.
func TestDefaultCodeRulesCompile(t *testing.T) {
if len(DefaultCodeRules) == 0 {
t.Fatal("DefaultCodeRules is empty")
}
for _, r := range DefaultCodeRules {
if r.Pattern == nil {
t.Errorf("rule %q has a nil Pattern", r.ID)
}
}
}