4 files changed, 142 insertions, 0 deletions
diff --git a/meta/lib/patchtest/patchtest_patterns.py b/meta/lib/patchtest/patchtest_patterns.py
index 8c2e192fc9..39c5a65d91 100644
--- a/meta/lib/patchtest/patchtest_patterns.py
+++ b/meta/lib/patchtest/patchtest_patterns.py
@@ -58,6 +58,8 @@ mbox_bugzilla = pyparsing.Regex('\[\s?YOCTO.*\]')
 mbox_bugzilla_validation = pyparsing.Regex('\[(\s?YOCTO\s?#\s?(\d+)\s?,?)+\]')
 mbox_revert_shortlog_regex = pyparsing.Regex('Revert\s+".*"')
 mbox_shortlog_maxlength = 90
+# based on https://stackoverflow.com/questions/30281026/regex-parsing-github-usernames-javascript
+mbox_github_username = pyparsing.Regex('\B@([a-z0-9](?:-(?=[a-z0-9])|[a-z0-9]){0,38}(?<=[a-z0-9]))')
 # patch
diff --git a/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail
new file mode 100644
index 0000000000..9d54af9644
--- /dev/null
+++ b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail
@@ -0,0 +1,65 @@
+From c9519f11502d5bb5c143ed43b4c981b6a211bdf9 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <tgamblin@baylibre.com>
+Date: Fri, 31 May 2024 09:54:50 -0400
+Subject: [PATCH] selftest-hello: fix CVE-1234-56789
+This should fail the test_commit_message_user_tags test because of this
+string: @teststring
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
+---
+ .../files/0001-Fix-CVE-1234-56789.patch       | 26 +++++++++++++++++++
+ .../selftest-hello/selftest-hello_1.0.bb      |  4 ++-
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+diff --git a/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+new file mode 100644
+index 00000000000..8a4f9329303
+--- /dev/null
+++ b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+@@ -0,0 +1,26 @@
+From b26a31186e6ee2eb1f506d5f2f9394d327a0df2f Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <tgamblin@baylibre.com>
+Date: Tue, 29 Aug 2023 14:08:20 -0400
+Subject: [PATCH] Fix CVE-NOT-REAL
+
+CVE: CVE-1234-56789
+Upstream-Status: Backport(http://example.com/example)
+
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
+---
+ strlen.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/strlen.c b/strlen.c
+index 1788f38..83d7918 100644
+--- a/strlen.c
++++ b/strlen.c
+
+int main() {
+
+       printf("%d\n", str_len(string1));
+       printf("%d\n", str_len(string2));
+       printf("CVE FIXED!!!\n");
+
+       return 0;
+}
+diff --git a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+index 2dc352d479e..d937759f157 100644
+--- a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+++ b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+@@ -3,7 +3,9 @@ SECTION = "examples"
+ LICENSE = "MIT"
+ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+ 
+-SRC_URI = "file://helloworld.c"
+SRC_URI = "file://helloworld.c \
+           file://0001-Fix-CVE-1234-56789.patch \
+          "
+ 
+ S = "${WORKDIR}/sources"
+ UNPACKDIR = "${S}"
+-- 
+2.45.1
diff --git a/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass
new file mode 100644
index 0000000000..57f2fc8a8e
--- /dev/null
+++ b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass
@@ -0,0 +1,66 @@
+From c9519f11502d5bb5c143ed43b4c981b6a211bdf9 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <tgamblin@baylibre.com>
+Date: Fri, 31 May 2024 09:54:50 -0400
+Subject: [PATCH] selftest-hello: fix CVE-1234-56789
+This should pass the test_commit_message_user_tags test.
+CVE: CVE-1234-56789
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
+---
+ .../files/0001-Fix-CVE-1234-56789.patch       | 26 +++++++++++++++++++
+ .../selftest-hello/selftest-hello_1.0.bb      |  4 ++-
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+diff --git a/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+new file mode 100644
+index 00000000000..8a4f9329303
+--- /dev/null
+++ b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
+@@ -0,0 +1,26 @@
+From b26a31186e6ee2eb1f506d5f2f9394d327a0df2f Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <tgamblin@baylibre.com>
+Date: Tue, 29 Aug 2023 14:08:20 -0400
+Subject: [PATCH] Fix CVE-NOT-REAL
+
+CVE: CVE-1234-56789
+Upstream-Status: Backport(http://example.com/example)
+
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
+---
+ strlen.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/strlen.c b/strlen.c
+index 1788f38..83d7918 100644
+--- a/strlen.c
++++ b/strlen.c
+
+int main() {
+
+       printf("%d\n", str_len(string1));
+       printf("%d\n", str_len(string2));
+       printf("CVE FIXED!!!\n");
+
+       return 0;
+}
+diff --git a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+index 2dc352d479e..d937759f157 100644
+--- a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+++ b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
+@@ -3,7 +3,9 @@ SECTION = "examples"
+ LICENSE = "MIT"
+ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+ 
+-SRC_URI = "file://helloworld.c"
+SRC_URI = "file://helloworld.c \
+           file://0001-Fix-CVE-1234-56789.patch \
+          "
+ 
+ S = "${WORKDIR}/sources"
+ UNPACKDIR = "${S}"
+-- 
+2.45.1
diff --git a/meta/lib/patchtest/tests/test_mbox.py b/meta/lib/patchtest/tests/test_mbox.py
index c0f9970686..dab733ea77 100644
--- a/meta/lib/patchtest/tests/test_mbox.py
+++ b/meta/lib/patchtest/tests/test_mbox.py
@@ -142,6 +142,15 @@ class TestMbox(base.Base):
            if not commit.commit_message.strip():
                self.fail('Please include a commit message on your patch explaining the change', commit=commit)
+    # This may incorrectly report a failure if something such as a
+    # Python decorator is included in the commit message, but this
+    # scenario is much less common than the username case it is written
+    # to protect against
+    def test_commit_message_user_tags(self):
+        for commit in self.commits:
+            if patchtest_patterns.mbox_github_username.search_string(commit.commit_message):
+                self.fail('Mbox includes one or more GitHub-style username tags. Ensure that any "@" symbols are stripped out of usernames', commit=commit)
    def test_bugzilla_entry_format(self):
        for commit in self.commits:
            if not patchtest_patterns.mbox_bugzilla.search_string(commit.commit_message):

diff --git a/meta/lib/patchtest/patchtest_patterns.py b/meta/lib/patchtest/patchtest_patterns.py index 8c2e192fc9..39c5a65d91 100644 --- a/meta/lib/patchtest/patchtest_patterns.py +++ b/meta/lib/patchtest/patchtest_patterns.py
@@ -58,6 +58,8 @@ mbox_bugzilla = pyparsing.Regex('\[\s?YOCTO.*\]')
58	mbox_bugzilla_validation = pyparsing.Regex('\[(\s?YOCTO\s?#\s?(\d+)\s?,?)+\]')	58	mbox_bugzilla_validation = pyparsing.Regex('\[(\s?YOCTO\s?#\s?(\d+)\s?,?)+\]')
59	mbox_revert_shortlog_regex = pyparsing.Regex('Revert\s+".*"')	59	mbox_revert_shortlog_regex = pyparsing.Regex('Revert\s+".*"')
60	mbox_shortlog_maxlength = 90	60	mbox_shortlog_maxlength = 90
		61	# based on https://stackoverflow.com/questions/30281026/regex-parsing-github-usernames-javascript
		62	mbox_github_username = pyparsing.Regex('\B@([a-z0-9](?:-(?=[a-z0-9])\|[a-z0-9]){0,38}(?<=[a-z0-9]))')
61		63
62	# patch	64	# patch
63		65


diff --git a/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail new file mode 100644 index 0000000000..9d54af9644 --- /dev/null +++ b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.fail
@@ -0,0 +1,65 @@
		1	From c9519f11502d5bb5c143ed43b4c981b6a211bdf9 Mon Sep 17 00:00:00 2001
		2	From: Trevor Gamblin <tgamblin@baylibre.com>
		3	Date: Fri, 31 May 2024 09:54:50 -0400
		4	Subject: [PATCH] selftest-hello: fix CVE-1234-56789
		5
		6	This should fail the test_commit_message_user_tags test because of this
		7	string: @teststring
		8
		9	Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
		10	---
		11	.../files/0001-Fix-CVE-1234-56789.patch \| 26 +++++++++++++++++++
		12	.../selftest-hello/selftest-hello_1.0.bb \| 4 ++-
		13	2 files changed, 29 insertions(+), 1 deletion(-)
		14	create mode 100644 meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		15
		16	diff --git a/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		17	new file mode 100644
		18	index 00000000000..8a4f9329303
		19	--- /dev/null
		20	+++ b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		21	@@ -0,0 +1,26 @@
		22	+From b26a31186e6ee2eb1f506d5f2f9394d327a0df2f Mon Sep 17 00:00:00 2001
		23	+From: Trevor Gamblin <tgamblin@baylibre.com>
		24	+Date: Tue, 29 Aug 2023 14:08:20 -0400
		25	+Subject: [PATCH] Fix CVE-NOT-REAL
		26	+
		27	+CVE: CVE-1234-56789
		28	+Upstream-Status: Backport(http://example.com/example)
		29	+
		30	+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
		31	+---
		32	+ strlen.c \| 1 +
		33	+ 1 file changed, 1 insertion(+)
		34	+
		35	+diff --git a/strlen.c b/strlen.c
		36	+index 1788f38..83d7918 100644
		37	+--- a/strlen.c
		38	++++ b/strlen.c
		39	+
		40	+int main() {
		41	+
		42	+ printf("%d\n", str_len(string1));
		43	+ printf("%d\n", str_len(string2));
		44	+ printf("CVE FIXED!!!\n");
		45	+
		46	+ return 0;
		47	+}
		48	diff --git a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		49	index 2dc352d479e..d937759f157 100644
		50	--- a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		51	+++ b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		52	@@ -3,7 +3,9 @@ SECTION = "examples"
		53	LICENSE = "MIT"
		54	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
		55
		56	-SRC_URI = "file://helloworld.c"
		57	+SRC_URI = "file://helloworld.c \
		58	+ file://0001-Fix-CVE-1234-56789.patch \
		59	+ "
		60
		61	S = "${WORKDIR}/sources"
		62	UNPACKDIR = "${S}"
		63	--
		64	2.45.1
		65


diff --git a/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass new file mode 100644 index 0000000000..57f2fc8a8e --- /dev/null +++ b/meta/lib/patchtest/selftest/files/TestMbox.test_commit_message_user_tags.pass
@@ -0,0 +1,66 @@
		1	From c9519f11502d5bb5c143ed43b4c981b6a211bdf9 Mon Sep 17 00:00:00 2001
		2	From: Trevor Gamblin <tgamblin@baylibre.com>
		3	Date: Fri, 31 May 2024 09:54:50 -0400
		4	Subject: [PATCH] selftest-hello: fix CVE-1234-56789
		5
		6	This should pass the test_commit_message_user_tags test.
		7
		8	CVE: CVE-1234-56789
		9
		10	Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
		11	---
		12	.../files/0001-Fix-CVE-1234-56789.patch \| 26 +++++++++++++++++++
		13	.../selftest-hello/selftest-hello_1.0.bb \| 4 ++-
		14	2 files changed, 29 insertions(+), 1 deletion(-)
		15	create mode 100644 meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		16
		17	diff --git a/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		18	new file mode 100644
		19	index 00000000000..8a4f9329303
		20	--- /dev/null
		21	+++ b/meta-selftest/recipes-test/selftest-hello/files/0001-Fix-CVE-1234-56789.patch
		22	@@ -0,0 +1,26 @@
		23	+From b26a31186e6ee2eb1f506d5f2f9394d327a0df2f Mon Sep 17 00:00:00 2001
		24	+From: Trevor Gamblin <tgamblin@baylibre.com>
		25	+Date: Tue, 29 Aug 2023 14:08:20 -0400
		26	+Subject: [PATCH] Fix CVE-NOT-REAL
		27	+
		28	+CVE: CVE-1234-56789
		29	+Upstream-Status: Backport(http://example.com/example)
		30	+
		31	+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
		32	+---
		33	+ strlen.c \| 1 +
		34	+ 1 file changed, 1 insertion(+)
		35	+
		36	+diff --git a/strlen.c b/strlen.c
		37	+index 1788f38..83d7918 100644
		38	+--- a/strlen.c
		39	++++ b/strlen.c
		40	+
		41	+int main() {
		42	+
		43	+ printf("%d\n", str_len(string1));
		44	+ printf("%d\n", str_len(string2));
		45	+ printf("CVE FIXED!!!\n");
		46	+
		47	+ return 0;
		48	+}
		49	diff --git a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		50	index 2dc352d479e..d937759f157 100644
		51	--- a/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		52	+++ b/meta-selftest/recipes-test/selftest-hello/selftest-hello_1.0.bb
		53	@@ -3,7 +3,9 @@ SECTION = "examples"
		54	LICENSE = "MIT"
		55	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
		56
		57	-SRC_URI = "file://helloworld.c"
		58	+SRC_URI = "file://helloworld.c \
		59	+ file://0001-Fix-CVE-1234-56789.patch \
		60	+ "
		61
		62	S = "${WORKDIR}/sources"
		63	UNPACKDIR = "${S}"
		64	--
		65	2.45.1
		66


diff --git a/meta/lib/patchtest/tests/test_mbox.py b/meta/lib/patchtest/tests/test_mbox.py index c0f9970686..dab733ea77 100644 --- a/meta/lib/patchtest/tests/test_mbox.py +++ b/meta/lib/patchtest/tests/test_mbox.py
@@ -142,6 +142,15 @@ class TestMbox(base.Base):
142	if not commit.commit_message.strip():	142	if not commit.commit_message.strip():
143	self.fail('Please include a commit message on your patch explaining the change', commit=commit)	143	self.fail('Please include a commit message on your patch explaining the change', commit=commit)
144		144
		145	# This may incorrectly report a failure if something such as a
		146	# Python decorator is included in the commit message, but this
		147	# scenario is much less common than the username case it is written
		148	# to protect against
		149	def test_commit_message_user_tags(self):
		150	for commit in self.commits:
		151	if patchtest_patterns.mbox_github_username.search_string(commit.commit_message):
		152	self.fail('Mbox includes one or more GitHub-style username tags. Ensure that any "@" symbols are stripped out of usernames', commit=commit)
		153
145	def test_bugzilla_entry_format(self):	154	def test_bugzilla_entry_format(self):
146	for commit in self.commits:	155	for commit in self.commits:
147	if not patchtest_patterns.mbox_bugzilla.search_string(commit.commit_message):	156	if not patchtest_patterns.mbox_bugzilla.search_string(commit.commit_message):