Remove hardcoded list of supported Fedora CI tests#3039
Remove hardcoded list of supported Fedora CI tests#3039betulependule wants to merge 6 commits intopackit:mainfrom
Conversation
betulependule
requested review from
a team,
lbarcziova,
mfocko and
nforro
as code owners
|
Build succeeded. ✔️ pre-commit SUCCESS in 1m 50s |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request refactors the parsing of PR comments to dynamically fetch the list of supported Fedora CI tests, moving the parse_comment function into the SteveJobs class for better access to instance-specific data. While the refactoring improves flexibility, a critical security vulnerability exists: the modified is_packit_config_present function continues to use flawed logic that trusts issue descriptions for configuration, which could lead to malicious configuration injection and potential RCE. Additionally, a minor code quality issue was noted due to a missing docstring, violating the repository's style guide.
| """ | ||
| if isinstance(self.event, abstract.comment.CommentEvent): | ||
| arguments = parse_comment( | ||
| arguments = self.parse_comment( |
There was a problem hiding this comment.
The is_packit_config_present method (modified in this PR) relies on search_distgit_config_in_issue to extract a dist-git URL and package configuration from the description of the issue associated with the event. Since issue descriptions are user-controlled, an attacker can craft a malicious issue description that points to a repository they control. If a maintainer or an allowlisted user is tricked into commenting on this issue, Packit will load and use the attacker's malicious packit.yaml configuration. This can lead to Remote Code Execution (RCE) on the Packit worker if the malicious configuration defines arbitrary actions (e.g., post-upstream-clone).
Remediation:
Verify that the issue was created by a trusted account (e.g., the Packit bot itself) before trusting its description. Alternatively, avoid loading configuration from issue descriptions and instead use a more secure way to store and retrieve failure context.
| prog: str, description: str, epilog: str | ||
| prog: str, description: str, epilog: str, supported_test_types: list[str] | ||
| ) -> argparse.ArgumentParser: | ||
| parser = _create_base_parser(prog, description, epilog) |
There was a problem hiding this comment.
According to the repository's style guide (lines 412-414), all non-trivial functions should have a docstring. Please add a docstring to get_pr_comment_parser_fedora_ci explaining its purpose, arguments, and what it returns.
"""Create a parser for the Fedora CI PR comment.
Args:
prog: The name of the program.
description: The program description.
epilog: Text to display after the argument help.
supported_test_types: A list of supported test types.
Returns:
An argument parser for Fedora CI PR comments.
"""
parser = _create_base_parser(prog, description, epilog)References
- With exception of trivial cases, all code must contain accurate and sufficiently detailed docstrings, formatted with accordance with the PEP 257 standard and in Google-style. (link)
|
Nice! It would be great if this also considered the filters (in the packit-service/packit_service/worker/handlers/testing_farm.py Lines 558 to 560 in 1d3ed53 However I'm not sure how to elegantly implement this. It would probably require implementing the filtering in a different way. |
I will take a look and see if I can think of a good way to implement this. Thanks. 🙏 |
|
Merge Failed. This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset. |
betulependule
force-pushed
the
hardcoded-values-comment-parser
branch
2 times, most recently
from
3026371 to
82c49af
Compare
|
❌ pre-commit FAILURE in 1m 53s |
|
Not sure what's with the pre-commit fail. It sometimes just randomly occurs. I've implemented the filtering of available CI tests. It's the best way that I could think of. There is a side effect that it changes the behavior of |
betulependule
force-pushed
the
hardcoded-values-comment-parser
branch
from
82c49af to
5c79adc
Compare
|
Build succeeded. ✔️ pre-commit SUCCESS in 1m 53s |
betulependule
force-pushed
the
hardcoded-values-comment-parser
branch
from
5c79adc to
20e3a5e
Compare
|
Build succeeded. ✔️ pre-commit SUCCESS in 1m 52s |
| def get_fedora_ci_tests_available_in_context( | ||
| service_config: ServiceConfig, project: GitProject, metadata: EventData | ||
| ) -> list[str]: |
There was a problem hiding this comment.
How is this different from get_fedora_ci_tests()? Couldn't you modify get_fedora_ci_tests() instead? Also, doesn't this make filter_ci_tests() useless?
packit-service/packit_service/worker/handlers/testing_farm.py
Lines 565 to 567 in 830d855
There was a problem hiding this comment.
Well, get_fedora_ci_tests() has some additinal filtering of the list of tests based on the retriggering comment.
But I could edit the function by giving it an another bool parameter that would specify whether to skip this filtering. Then I could use get_fedora_ci_tests() instead of get_fedora_ci_tests_available_in_context. It would probably be cleaner like that, so I'll edit the code that way. Thanks.
And yes, it seems that filter_ci_tests() is now redundant. I'll try to remove it and see whether it breaks any tests.
|
Merge Failed. This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset. |
It is now taken into consideration that in the "tests" namespace only the `custom` check should be available. When no fmf metadata is available, no test types are supported in the "tests" namespace. The method `get_fedora_ci_tests_available_in_context` retrieves a list of supported test types based on these restrictions. The previously used `get_fedora_ci_tests` method cannot be used for this purpose as it filters out test types based on the user's comment content. In case of the `/packit help` comment, this would lead to all test types being filtered out and the help message wouldn't list any supported test types.
The method has been modified with an additional parameter, which specifies whether to retrieve all Fedora CI test types regardless of the content of user's comment.
The `filter_ci_tests()` was rendered redundant with the recently added `skipif` option used in some `@implements_fedora_ci` decorators, which implements the same filtering of CI tests.
This improves the readability of some `@implements_fedora_ci` decorators. The `is_fmf_configured` method in `TestingFarmJobHelper` now reuses the `is_fmf_configured` function to reduce code duplication.
betulependule
force-pushed
the
hardcoded-values-comment-parser
branch
from
08cd220 to
c103735
Compare
|
Build succeeded. ✔️ pre-commit SUCCESS in 1m 50s |
| def is_fmf_configured(project: GitProject, metadata: EventData) -> bool: | ||
| try: | ||
| project.get_file_content( | ||
| path=".fmf/version", | ||
| ref=metadata.commit_sha, | ||
| ) | ||
| except FileNotFoundError: | ||
| return False | ||
| return True | ||
|
|
||
|
|
||
| def is_project_in_tests_namespace(project: GitProject) -> bool: | ||
| return project.namespace == "tests" |
There was a problem hiding this comment.
I'm wondering if we couldn't/shouldn't use a concept similar to Checkers.
There was a problem hiding this comment.
That would be probably better. I'll think of how to go about it.
There was a problem hiding this comment.
I suppose I can implement IsFmfConfigured and IsProjectInTestsNamespace checkers. Then I can redefine @implements_fedora_ci_test to accept a Checker instead of Callable and edit get_fedora_ci_tests() to call the pre_check() method to filter out test types that should be skipped (so edit the portion of the code with skipif).
all_tests = [
name
for name, (_, skipif) in FEDORA_CI_TESTS.items()
if not skipif or not skipif(service_config, project, metadata)
]
There was a problem hiding this comment.
I suppose I can implement
IsFmfConfiguredandIsProjectInTestsNamespacecheckers. Then I can redefine@implements_fedora_ci_testto accept a Checker instead of Callable and editget_fedora_ci_tests()to call thepre_check()method to filter out test types that should be skipped (so edit the portion of the code withskipif).all_tests = [ name for name, (_, skipif) in FEDORA_CI_TESTS.items() if not skipif or not skipif(service_config, project, metadata) ]
Sounds good, thanks!
|
Build succeeded. ✔️ pre-commit SUCCESS in 1m 52s |
| if not skipif or not skipif(service_config, project, metadata) | ||
| ] | ||
| if metadata.event_type != pagure.pr.Comment.event_type(): | ||
| if metadata.event_type != pagure.pr.Comment.event_type() or not filter_specific_test: |
There was a problem hiding this comment.
This is just a nitpick, but I think it would be more understandable to write it like this:
| if metadata.event_type != pagure.pr.Comment.event_type() or not filter_specific_test: | |
| if not filter_specific_test: | |
| return all_tests | |
| if metadata.event_type != pagure.pr.Comment.event_type(): | |
| return all_tests |
Or perhaps moving the comment processing into a nested function, to make it clear it's an extra filtering step. I assume in the future it will be unified and probably replaced with some function/method call.
3 participants
Fixes #3038