Fix checking validity of tmate-server-xxx parameters #105
Conversation
There was a problem hiding this comment.
I wonder how that ever worked... I assumed that the original contributor had tested it.
Now that I look at the code again, I cannot fail to notice how little sense it makes to validate all four inputs against the same regex. The port number, for example, should only contain digits, and start with a non-zero one.
So I would like to suggest moving the regex to a parameter that is passed to the getValidatedInput() function. And the different inputs should then have their own, different regexes.
Also, we will want to prevent an equally face-palm-triggering bug as a missing ! in the future. The way to do that is of course to add a regression test.
Here is an example how to mock getInput(), and here is code demonstrating how to verify that the tmate command is correct (you will need to figure out what execShellCommand is the tmate one).
For good measure, there should also be a test that verifies that invalid input triggers an error and not call tmate (or execShellCommand() at all, more likely).
Would you mind making those changes?
I agree with this, but I wanted to keep my changes as small as possible, so I decided to not change this.
This looks like a good idea, but as long as we're discussing this anyhow, let me ask another question: what is the purpose of this validation in the first place? The parameters come from the workflow file and the action code itself also comes (albeit indirectly) from the same workflow file, so there doesn't seem to be any security concerns here (you would be just attacking yourself, basically, by using malicious parameters). What's the worst that is going to happen if you pass an invalid value for any of those? Wouldn't we just get an error from I.e. do we really need the validation at all? And if we do, maybe we should just do
I'm not a JS/TS developer at all, so I might have some trouble with/it might take me some time to do this, but I'll try to do it, I agree that having tests would be good. But I'd like to see what do you think about the questions above first. TIA! |
Please do change it.
Usage mistakes are very easy to make. These validations help identify and rectify the mistakes. There is not really any security concern, but there is the concern that unhelpful error messages are such a pain.
Hah, neither am I. But the existing code is easy enough to imitate, no? FWIW if you have trouble figuring out how to run the tests, simply call |
Right, but AFAICS Are you sure you prefer to keep the exception (I promise not to ask again)? |
I would go for a
That's the easiest way to exit with error, even easier than |
Use appropriate regexes for each parameter instead of using the same, wrong, regex for all of them and fix the direction of test. Add unit tests to verify that the validation works as expected.
vadz
force-pushed
the
fix-option-validity-check
branch
from
ec8935a to
dc9bdec
Compare
|
I've finally implemented this (it took much longer than I thought due to my inexperience with JS and Jest) and it seems to work as expected. Please have a look at the new version. |
| const value = getValidatedInput(opt, options[opt]); | ||
| if (value !== undefined) { | ||
| setDefaultCommand = `${setDefaultCommand} set-option -g ${opt} "${value}" \\;`; | ||
| } |
There was a problem hiding this comment.
Strictly speaking, this is a change in behavior (while the code is much cleaner now, thank you!): previously, we required all those settings, or none. Now we accept a subset.
| __esModule: true, | ||
| ...originalModule, | ||
| execShellCommand: jest.fn(() => 'mocked execShellCommand'), | ||
| }; |
There was a problem hiding this comment.
Can't we mock the execShellCommand() function more elegantly?
|
@mxschmitt I can't release this right now, as I am typing this on a phone... if you have some time, would you mind? Otherwise I will do it as soon as I can. |
|
Okay, I'm on it. |
|
Hi, this seems to break the action when no tmate-server-host is specified (and it should thus fall back to the default). What I'm getting instead is |
Sorry for the breakage! Next version incoming... |
|
Oops, sorry about this, I'm on the phone now but should be back shortly and can test/fix/submit a new PR a bit later today if you'd like. |
|
@mxschmitt fixed it in #109 |
3 participants
Don't throw an exception if they match the expected form but rather if
they do not match it.
Also add colon to the list of allowed characters as it must be used in
the fingerprints (which have the form of "SHA256:xxxxxx").
Sorry if I'm missing something obvious here, but it seems that the check can't work as currently written: as soon as I add
to my work workflow, I get
and looking at the code it seems impossible to avoid this.
I believe that the intention was to negate this check, but even then it's still not quite right because we also need to allow colons here. But, again, perhaps I'm misunderstanding something here because I just don't see how could this have ever worked as written.