patchtest: add test_commit_message_user_tags

This test makes patchtest check to ensure that there aren't any GitHub-style user account names being tagged in the commit message, e.g. it should catch lines like: "fix added by @threexc" This is desired so that if (for example) we add upstream changelogs in recipe upgrade commit messages verbatim, we don't end up subscribing any associated maintainers to our repo mirrors' updates by accident. There is a small possibility of a false positive with this test, where if someone is mentioning Python decorators in their commit message (or similar syntax from other languages), it will fail when it should pass. However, having this test in place to guard against username inclusion is more important that the occasional false positive for that reason. With this addition, a failure will look like: |FAIL: test commit message user tags: Mbox includes one or more GitHub-style username tags. Ensure that any "@" symbols are stripped out of usernames (test_mbox.TestMbox.test_commit_message_user_tags) (From OE-Core rev: 8278d82d8203212bb159eb3805d4a5617c5370df) Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Trevor Gamblin <tgamblin@baylibre.com> 2024-10-04 09:39:54 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-10-23 17:35:23 +0100
commit: dab2dcae89d349366edc3cfa09c312fab8cf14b8 (patch)
tree: 934f0badbfb21c52b465a5f801374115f340393e /meta/lib/patchtest
parent: a20bbe112331c1cb99a78a7263d3f76a083ad13b (diff)
download: poky-dab2dcae89d349366edc3cfa09c312fab8cf14b8.tar.gz
4 files changed, 142 insertions, 0 deletions
diff --git a/meta/lib/patchtest/patchtest_patterns.py b/meta/lib/patchtest/patchtest_patterns.py
index 8c2e192fc9..39c5a65d91 100644
--- a/meta/lib/patchtest/patchtest_patterns.py
+++ b/meta/lib/patchtest/patchtest_patterns.py
@@ -58,6 +58,8 @@ mbox_bugzilla = pyparsing.Regex('\[\s?YOCTO.*\]')
 mbox_bugzilla_validation = pyparsing.Regex('\[(\s?YOCTO\s?#\s?(\d+)\s?,?)+\]')
 mbox_revert_shortlog_regex = pyparsing.Regex('Revert\s+".*"')
 mbox_shortlog_maxlength = 90
+# based on https://stackoverflow.com/questions/30281026/regex-parsing-github-usernames-javascript
+mbox_github_username = pyparsing.Regex('\B@([a-z0-9](?:-(?=[a-z0-9])|[a-z0-9]){0,38}(?<=[a-z0-9]))')
 # patch
diff --git a/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail
new file mode 100644
index 0000000000..9d54af9644
--- /dev/null
+++ b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail
@@ -0,0 +1,65 @@
+From c9519f11502d5bb5c143ed43b4c981b6a211bdf9 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <tgamblin@baylibre.com>
+Date: Fri, 31 May 2024 09:54:50 -0400
+Subject: [PATCH] selftest-hello: fix CVE-1234-56789
+This should fail the test_commit_message_user_tags test because of this
+string: @teststring
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
+---
+ .../files/0001-Fix-CVE-1234-56789.patch       | 26 +++++++++++++++++++
+ .../selftest-hello/selftest-hello_1.0.bb      |  4 ++-
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+diff --git a/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+new file mode 100644
+index 00000000000..8a4f9329303
+--- /dev/null
+++ b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+@@ -0,0 +1,26 @@
+From b26a31186e6ee2eb1f506d5f2f9394d327a0df2f Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <tgamblin@baylibre.com>
+Date: Tue, 29 Aug 2023 14:08:20 -0400
+Subject: [PATCH] Fix CVE-NOT-REAL
+
+CVE: CVE-1234-56789
+Upstream-Status: Backport(http://example.com/example)
+
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
+---
+ strlen.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/strlen.c b/strlen.c
+index 1788f38..83d7918 100644
+--- a/strlen.c
++++ b/strlen.c
+
+int main() {
+
+       printf("%d\n", str_len(string1));
+       printf("%d\n", str_len(string2));
+       printf("CVE FIXED!!!\n");
+
+       return 0;
+}
+diff --git a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+index 2dc352d479e..d937759f157 100644
+--- a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+++ b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+@@ -3,7 +3,9 @@ SECTION = "examples"
+ LICENSE = "MIT"
+ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+ 
+-SRC_URI = "file://helloworld.c"
+SRC_URI = "file://helloworld.c \
+           file://0001-Fix-CVE-1234-56789.patch \
+          "
+ 
+ S = "${WORKDIR}/sources"
+ UNPACKDIR = "${S}"
+-- 
+2.45.1
diff --git a/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass
new file mode 100644
index 0000000000..57f2fc8a8e
--- /dev/null
+++ b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass
@@ -0,0 +1,66 @@
+From c9519f11502d5bb5c143ed43b4c981b6a211bdf9 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <tgamblin@baylibre.com>
+Date: Fri, 31 May 2024 09:54:50 -0400
+Subject: [PATCH] selftest-hello: fix CVE-1234-56789
+This should pass the test_commit_message_user_tags test.
+CVE: CVE-1234-56789
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
+---
+ .../files/0001-Fix-CVE-1234-56789.patch       | 26 +++++++++++++++++++
+ .../selftest-hello/selftest-hello_1.0.bb      |  4 ++-
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+diff --git a/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+new file mode 100644
+index 00000000000..8a4f9329303
+--- /dev/null
+++ b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+@@ -0,0 +1,26 @@
+From b26a31186e6ee2eb1f506d5f2f9394d327a0df2f Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <tgamblin@baylibre.com>
+Date: Tue, 29 Aug 2023 14:08:20 -0400
+Subject: [PATCH] Fix CVE-NOT-REAL
+
+CVE: CVE-1234-56789
+Upstream-Status: Backport(http://example.com/example)
+
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
+---
+ strlen.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/strlen.c b/strlen.c
+index 1788f38..83d7918 100644
+--- a/strlen.c
++++ b/strlen.c
+
+int main() {
+
+       printf("%d\n", str_len(string1));
+       printf("%d\n", str_len(string2));
+       printf("CVE FIXED!!!\n");
+
+       return 0;
+}
+diff --git a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+index 2dc352d479e..d937759f157 100644
+--- a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+++ b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+@@ -3,7 +3,9 @@ SECTION = "examples"
+ LICENSE = "MIT"
+ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+ 
+-SRC_URI = "file://helloworld.c"
+SRC_URI = "file://helloworld.c \
+           file://0001-Fix-CVE-1234-56789.patch \
+          "
+ 
+ S = "${WORKDIR}/sources"
+ UNPACKDIR = "${S}"
+-- 
+2.45.1
diff --git a/meta/lib/patchtest/tests/test_mbox.py b/meta/lib/patchtest/tests/test_mbox.py
index c0f9970686..dab733ea77 100644
--- a/meta/lib/patchtest/tests/test_mbox.py
+++ b/meta/lib/patchtest/tests/test_mbox.py
@@ -142,6 +142,15 @@ class TestMbox(base.Base):
            if not commit.commit_message.strip():
                self.fail('Please include a commit message on your patch explaining the change', commit=commit)
+    # This may incorrectly report a failure if something such as a
+    # Python decorator is included in the commit message, but this
+    # scenario is much less common than the username case it is written
+    # to protect against
+    def test_commit_message_user_tags(self):
+        for commit in self.commits:
+            if patchtest_patterns.mbox_github_username.search_string(commit.commit_message):
+                self.fail('Mbox includes one or more GitHub-style username tags. Ensure that any "@" symbols are stripped out of usernames', commit=commit)
    def test_bugzilla_entry_format(self):
        for commit in self.commits:
            if not patchtest_patterns.mbox_bugzilla.search_string(commit.commit_message):
author	Trevor Gamblin <tgamblin@baylibre.com>	2024-10-04 09:39:54 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-10-23 17:35:23 +0100
commit	dab2dcae89d349366edc3cfa09c312fab8cf14b8 (patch)
tree	934f0badbfb21c52b465a5f801374115f340393e /meta/lib/patchtest
parent	a20bbe112331c1cb99a78a7263d3f76a083ad13b (diff)
download	poky-dab2dcae89d349366edc3cfa09c312fab8cf14b8.tar.gz

diff --git a/meta/lib/patchtest/patchtest_patterns.py b/meta/lib/patchtest/patchtest_patterns.py index 8c2e192fc9..39c5a65d91 100644 --- a/meta/lib/patchtest/patchtest_patterns.py +++ b/meta/lib/patchtest/patchtest_patterns.py
@@ -58,6 +58,8 @@ mbox_bugzilla = pyparsing.Regex('\[\s?YOCTO.*\]')
58	mbox_bugzilla_validation = pyparsing.Regex('\[(\s?YOCTO\s?#\s?(\d+)\s?,?)+\]')	58	mbox_bugzilla_validation = pyparsing.Regex('\[(\s?YOCTO\s?#\s?(\d+)\s?,?)+\]')
59	mbox_revert_shortlog_regex = pyparsing.Regex('Revert\s+".*"')	59	mbox_revert_shortlog_regex = pyparsing.Regex('Revert\s+".*"')
60	mbox_shortlog_maxlength = 90	60	mbox_shortlog_maxlength = 90
		61	# based on https://stackoverflow.com/questions/30281026/regex-parsing-github-usernames-javascript
		62	mbox_github_username = pyparsing.Regex('\B@([a-z0-9](?:-(?=[a-z0-9])\|[a-z0-9]){0,38}(?<=[a-z0-9]))')
61		63
62	# patch	64	# patch
63		65


diff --git a/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail new file mode 100644 index 0000000000..9d54af9644 --- /dev/null +++ b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail
@@ -0,0 +1,65 @@
		1	From c9519f11502d5bb5c143ed43b4c981b6a211bdf9 Mon Sep 17 00:00:00 2001
		2	From: Trevor Gamblin <tgamblin@baylibre.com>
		3	Date: Fri, 31 May 2024 09:54:50 -0400
		4	Subject: [PATCH] selftest-hello: fix CVE-1234-56789
		5
		6	This should fail the test_commit_message_user_tags test because of this
		7	string: @teststring
		8
		9	Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
		10	---
		11	.../files/0001-Fix-CVE-1234-56789.patch \| 26 +++++++++++++++++++
		12	.../selftest-hello/selftest-hello_1.0.bb \| 4 ++-
		13	2 files changed, 29 insertions(+), 1 deletion(-)
		14	create mode 100644 meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		15
		16	diff --git a/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		17	new file mode 100644
		18	index 00000000000..8a4f9329303
		19	--- /dev/null
		20	+++ b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		21	@@ -0,0 +1,26 @@
		22	+From b26a31186e6ee2eb1f506d5f2f9394d327a0df2f Mon Sep 17 00:00:00 2001
		23	+From: Trevor Gamblin <tgamblin@baylibre.com>
		24	+Date: Tue, 29 Aug 2023 14:08:20 -0400
		25	+Subject: [PATCH] Fix CVE-NOT-REAL
		26	+
		27	+CVE: CVE-1234-56789
		28	+Upstream-Status: Backport(http://example.com/example)
		29	+
		30	+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
		31	+---
		32	+ strlen.c \| 1 +
		33	+ 1 file changed, 1 insertion(+)
		34	+
		35	+diff --git a/strlen.c b/strlen.c
		36	+index 1788f38..83d7918 100644
		37	+--- a/strlen.c
		38	++++ b/strlen.c
		39	+
		40	+int main() {
		41	+
		42	+ printf("%d\n", str_len(string1));
		43	+ printf("%d\n", str_len(string2));
		44	+ printf("CVE FIXED!!!\n");
		45	+
		46	+ return 0;
		47	+}
		48	diff --git a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		49	index 2dc352d479e..d937759f157 100644
		50	--- a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		51	+++ b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		52	@@ -3,7 +3,9 @@ SECTION = "examples"
		53	LICENSE = "MIT"
		54	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
		55
		56	-SRC_URI = "file://helloworld.c"
		57	+SRC_URI = "file://helloworld.c \
		58	+ file://0001-Fix-CVE-1234-56789.patch \
		59	+ "
		60
		61	S = "${WORKDIR}/sources"
		62	UNPACKDIR = "${S}"
		63	--
		64	2.45.1
		65


diff --git a/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass new file mode 100644 index 0000000000..57f2fc8a8e --- /dev/null +++ b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass
@@ -0,0 +1,66 @@
		1	From c9519f11502d5bb5c143ed43b4c981b6a211bdf9 Mon Sep 17 00:00:00 2001
		2	From: Trevor Gamblin <tgamblin@baylibre.com>
		3	Date: Fri, 31 May 2024 09:54:50 -0400
		4	Subject: [PATCH] selftest-hello: fix CVE-1234-56789
		5
		6	This should pass the test_commit_message_user_tags test.
		7
		8	CVE: CVE-1234-56789
		9
		10	Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
		11	---
		12	.../files/0001-Fix-CVE-1234-56789.patch \| 26 +++++++++++++++++++
		13	.../selftest-hello/selftest-hello_1.0.bb \| 4 ++-
		14	2 files changed, 29 insertions(+), 1 deletion(-)
		15	create mode 100644 meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		16
		17	diff --git a/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		18	new file mode 100644
		19	index 00000000000..8a4f9329303
		20	--- /dev/null
		21	+++ b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		22	@@ -0,0 +1,26 @@
		23	+From b26a31186e6ee2eb1f506d5f2f9394d327a0df2f Mon Sep 17 00:00:00 2001
		24	+From: Trevor Gamblin <tgamblin@baylibre.com>
		25	+Date: Tue, 29 Aug 2023 14:08:20 -0400
		26	+Subject: [PATCH] Fix CVE-NOT-REAL
		27	+
		28	+CVE: CVE-1234-56789
		29	+Upstream-Status: Backport(http://example.com/example)
		30	+
		31	+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
		32	+---
		33	+ strlen.c \| 1 +
		34	+ 1 file changed, 1 insertion(+)
		35	+
		36	+diff --git a/strlen.c b/strlen.c
		37	+index 1788f38..83d7918 100644
		38	+--- a/strlen.c
		39	++++ b/strlen.c
		40	+
		41	+int main() {
		42	+
		43	+ printf("%d\n", str_len(string1));
		44	+ printf("%d\n", str_len(string2));
		45	+ printf("CVE FIXED!!!\n");
		46	+
		47	+ return 0;
		48	+}
		49	diff --git a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		50	index 2dc352d479e..d937759f157 100644
		51	--- a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		52	+++ b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		53	@@ -3,7 +3,9 @@ SECTION = "examples"
		54	LICENSE = "MIT"
		55	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
		56
		57	-SRC_URI = "file://helloworld.c"
		58	+SRC_URI = "file://helloworld.c \
		59	+ file://0001-Fix-CVE-1234-56789.patch \
		60	+ "
		61
		62	S = "${WORKDIR}/sources"
		63	UNPACKDIR = "${S}"
		64	--
		65	2.45.1
		66


diff --git a/meta/lib/patchtest/tests/test_mbox.py b/meta/lib/patchtest/tests/test_mbox.py index c0f9970686..dab733ea77 100644 --- a/meta/lib/patchtest/tests/test_mbox.py +++ b/meta/lib/patchtest/tests/test_mbox.py
@@ -142,6 +142,15 @@ class TestMbox(base.Base):
142	if not commit.commit_message.strip():	142	if not commit.commit_message.strip():
143	self.fail('Please include a commit message on your patch explaining the change', commit=commit)	143	self.fail('Please include a commit message on your patch explaining the change', commit=commit)
144		144
		145	# This may incorrectly report a failure if something such as a
		146	# Python decorator is included in the commit message, but this
		147	# scenario is much less common than the username case it is written
		148	# to protect against
		149	def test_commit_message_user_tags(self):
		150	for commit in self.commits:
		151	if patchtest_patterns.mbox_github_username.search_string(commit.commit_message):
		152	self.fail('Mbox includes one or more GitHub-style username tags. Ensure that any "@" symbols are stripped out of usernames', commit=commit)
		153
145	def test_bugzilla_entry_format(self):	154	def test_bugzilla_entry_format(self):
146	for commit in self.commits:	155	for commit in self.commits:
147	if not patchtest_patterns.mbox_bugzilla.search_string(commit.commit_message):	156	if not patchtest_patterns.mbox_bugzilla.search_string(commit.commit_message):