fix: apply stricter config validation

Author: dessant

README.md

@@ -43,7 +43,7 @@ daysUntilLock: 365
 # follow ISO 8601 (`YYYY-MM-DD`). Set to `false` to disable
 skipCreatedBefore: false
 
-# Issues and pull requests with these labels will not be locked. Set to `[]` to disable
+# Issues and pull requests with these labels will be ignored. Set to `[]` to disable
 exemptLabels: []
 
 # Label to add before locking, such as `outdated`. Set to `false` to disable

assets/app-description.md

@@ -24,7 +24,7 @@ daysUntilLock: 365
 # follow ISO 8601 (`YYYY-MM-DD`). Set to `false` to disable
 skipCreatedBefore: false
 
-# Issues and pull requests with these labels will not be locked. Set to `[]` to disable
+# Issues and pull requests with these labels will be ignored. Set to `[]` to disable
 exemptLabels: []
 
 # Label to add before locking, such as `outdated`. Set to `false` to disable

src/lock.js

@@ -76,7 +76,7 @@ module.exports = class Lock {
     }
 
     if (skipCreatedBefore) {
-      query += ` created:>${skipCreatedBefore}`;
+      query += ` created:>${this.getISOTimestamp(skipCreatedBefore)}`;
     }
 
     if (type === 'issues') {
@@ -93,14 +93,18 @@ module.exports = class Lock {
       per_page: 30
     })).data.items;
 
-    // `is:unlocked` search qualifier is undocumented, skip wrong results
+    // `is:unlocked` search qualifier is undocumented, skip locked issues
     return results.filter(issue => !issue.locked);
   }
 
   getUpdatedTimestamp(days) {
     const ttl = days * 24 * 60 * 60 * 1000;
     const date = new Date(new Date() - ttl);
-    return date.toISOString().replace(/\.\d{3}\w$/, '');
+    return this.getISOTimestamp(date);
+  }
+
+  getISOTimestamp(date) {
+    return date.toISOString().split('.')[0] + 'Z';
   }
 
   getConfigValue(type, key) {

src/schema.js

@@ -9,27 +9,47 @@ const fields = {
     ),
 
   skipCreatedBefore: Joi.alternatives()
-    .try(Joi.string(), Joi.boolean().only(false))
+    .try(
+      Joi.date()
+        .iso()
+        .min('1970-01-01T00:00:00Z')
+        .max('2970-12-31T23:59:59Z'),
+      Joi.boolean().only(false)
+    )
     .description(
       'Skip issues and pull requests created before a given timestamp. Timestamp ' +
         'must follow ISO 8601 (`YYYY-MM-DD`). Set to `false` to disable'
     ),
 
   exemptLabels: Joi.array()
     .single()
-    .items(Joi.string())
+    .items(
+      Joi.string()
+        .trim()
+        .max(50)
+    )
     .description(
       'Issues and pull requests with these labels will not be locked. Set to `[]` to disable'
     ),
 
   lockLabel: Joi.alternatives()
-    .try(Joi.string(), Joi.boolean().only(false))
+    .try(
+      Joi.string()
+        .trim()
+        .max(50),
+      Joi.boolean().only(false)
+    )
     .description(
       'Label to add before locking, such as `outdated`. Set to `false` to disable'
     ),
 
   lockComment: Joi.alternatives()
-    .try(Joi.string(), Joi.boolean().only(false))
+    .try(
+      Joi.string()
+        .trim()
+        .max(10000),
+      Joi.boolean().only(false)
+    )
     .description('Comment to post before locking. Set to `false` to disable'),
 
   setLockReason: Joi.boolean().description(
@@ -49,11 +69,15 @@ const schema = Joi.object().keys({
   ),
   setLockReason: fields.setLockReason.default(true),
   only: Joi.string()
+    .trim()
     .valid('issues', 'pulls')
     .description('Limit to only `issues` or `pulls`'),
   pulls: Joi.object().keys(fields),
   issues: Joi.object().keys(fields),
-  _extends: Joi.string().description('Repository to extend settings from'),
+  _extends: Joi.string()
+    .trim()
+    .max(260)
+    .description('Repository to extend settings from'),
   perform: Joi.boolean().default(!process.env.DRY_RUN)
 });