fix(git): avoid panic when parsing non-standard git version output#5059
Open
ardittirana wants to merge 1 commit into
Open
fix(git): avoid panic when parsing non-standard git version output#5059ardittirana wants to merge 1 commit into
ardittirana wants to merge 1 commit into
Conversation
CmdCheck extracted the git version with the regex `\d+\.\d+\.\d+` and then
indexed versionParts[0] and versionParts[1] unconditionally. Some git
builds report a non-numeric patch component, e.g. `git version
2.52.gaea8cc3`. The regex finds no match there, so FindString returns ""
and strings.Split("", ".") yields a one-element slice, making
versionParts[1] panic with "index out of range [1] with length 1".
Match only the major and minor components (`\d+\.\d+`) — which are the
only parts used by the check — so such versions parse correctly, and
guard against output with no parseable version instead of indexing
blindly. The parsing/comparison logic is extracted into checkGitVersion
so it can be unit tested. No new dependencies.
Fixes trufflesecurity#4801.
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #4801.
Problem
CmdCheckextracts the git version with the regex\d+\.\d+\.\d+and then indexesversionParts[0]andversionParts[1]without checking the length:Some git builds report a non-numeric patch component, e.g.
git version 2.52.gaea8cc3(reported in the issue). Thex.y.zregex finds no match,FindStringreturns"", andstrings.Split("", ".")returns a one-element slice — soversionParts[1]panics with exactly:Fix
\d+\.\d+). Those are the only parts the check uses, and this makes versions like2.52.gaea8cc3parse correctly (major 2, minor 52 → valid) instead of failing to match.checkGitVersion(string) errorso it can be unit tested.No new dependencies (stdlib only).
Test
Adds
cmd_check_test.gocovering the previously-panicking dev-build string, the supported/boundary versions (2.20, 2.39, Apple suffix), out-of-range versions, and unparseable/empty output. Verified the dev-build case panics onmainand passes with this change.Note
Low Risk
Small, localized change to startup git version validation with added tests; no auth, data, or API behavior changes beyond failing safely instead of panicking.
Overview
Fixes a panic in
CmdCheckwhengit --versionreports a non-numeric patch (e.g.2.52.gaea8cc3): the oldx.y.zregex could return no match, leaving too few split segments and indexingversionParts[1]unsafely.Version parsing now uses major.minor only (
\d+\.\d+), returns a clear error when nothing parseable is found, and moves comparison intocheckGitVersionfor unit tests.cmd_check_test.gocovers the dev-build case, supported bounds, Apple suffixes, rejections, and bad/empty output.Reviewed by Cursor Bugbot for commit dbf210f. Bugbot is set up for automated code reviews on this repo. Configure here.