Remove hardcoded list of supported Fedora CI tests#3039
Remove hardcoded list of supported Fedora CI tests#3039betulependule wants to merge 1 commit intopackit:mainfrom
Conversation
betulependule
requested review from
a team,
lbarcziova,
mfocko and
nforro
as code owners
|
Build succeeded. ✔️ pre-commit SUCCESS in 1m 50s |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request refactors the parsing of PR comments to dynamically fetch the list of supported Fedora CI tests, moving the parse_comment function into the SteveJobs class for better access to instance-specific data. While the refactoring improves flexibility, a critical security vulnerability exists: the modified is_packit_config_present function continues to use flawed logic that trusts issue descriptions for configuration, which could lead to malicious configuration injection and potential RCE. Additionally, a minor code quality issue was noted due to a missing docstring, violating the repository's style guide.
| """ | ||
| if isinstance(self.event, abstract.comment.CommentEvent): | ||
| arguments = parse_comment( | ||
| arguments = self.parse_comment( |
There was a problem hiding this comment.
The is_packit_config_present method (modified in this PR) relies on search_distgit_config_in_issue to extract a dist-git URL and package configuration from the description of the issue associated with the event. Since issue descriptions are user-controlled, an attacker can craft a malicious issue description that points to a repository they control. If a maintainer or an allowlisted user is tricked into commenting on this issue, Packit will load and use the attacker's malicious packit.yaml configuration. This can lead to Remote Code Execution (RCE) on the Packit worker if the malicious configuration defines arbitrary actions (e.g., post-upstream-clone).
Remediation:
Verify that the issue was created by a trusted account (e.g., the Packit bot itself) before trusting its description. Alternatively, avoid loading configuration from issue descriptions and instead use a more secure way to store and retrieve failure context.
| prog: str, description: str, epilog: str | ||
| prog: str, description: str, epilog: str, supported_test_types: list[str] | ||
| ) -> argparse.ArgumentParser: | ||
| parser = _create_base_parser(prog, description, epilog) |
There was a problem hiding this comment.
According to the repository's style guide (lines 412-414), all non-trivial functions should have a docstring. Please add a docstring to get_pr_comment_parser_fedora_ci explaining its purpose, arguments, and what it returns.
"""Create a parser for the Fedora CI PR comment.
Args:
prog: The name of the program.
description: The program description.
epilog: Text to display after the argument help.
supported_test_types: A list of supported test types.
Returns:
An argument parser for Fedora CI PR comments.
"""
parser = _create_base_parser(prog, description, epilog)References
- With exception of trivial cases, all code must contain accurate and sufficiently detailed docstrings, formatted with accordance with the PEP 257 standard and in Google-style. (link)
| # tests expect invalid syntax comments be ignored | ||
| logger.debug( | ||
| f"Comment {comment} uses unexpected syntax or contains unsupported commands. " | ||
| "It will be ignored.", | ||
| ) | ||
| return ParsedComment() |
There was a problem hiding this comment.
Wouldn't some feedback be nice? Implementing a response comment should be simple, we already provide feedback for accepted retrigger tasks:
packit-service/packit_service/worker/jobs.py
Line 1339 in 1d3ed53
We could either forward the error from the SystemExit exception or use parser.parse_known_args() and report unknown arguments.
There was a problem hiding this comment.
Yes, it would definitely be ideal to respond in a comment when this kind of error occurs. Should I open a new PR regarding this?
|
Nice! It would be great if this also considered the filters (in the packit-service/packit_service/worker/handlers/testing_farm.py Lines 558 to 560 in 1d3ed53 However I'm not sure how to elegantly implement this. It would probably require implementing the filtering in a different way. |
I will take a look and see if I can think of a good way to implement this. Thanks. 🙏 |
2 participants
Fixes #3038