From 50be3da20e06b64e03b3004e952f64717a3106a5 Mon Sep 17 00:00:00 2001
From: Arnaud J Le Hors
Date: Fri, 19 Nov 2021 16:11:28 +0100
Subject: [PATCH] Fix faulty shell file handling

Parsing errors are meant to be discarded but aren't. This patch changes the code so that the error is indeed discarded and checking continues as intended and adds a unit test for it.

Signed-off-by: Arnaud J Le Hors
---
 checks/shell_download_validate.go | 1 +
 checks/shell_download_validate_test.go | 19 +++++++++++++++++++
 checks/testdata/script-invalid.sh | 17 +++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 checks/testdata/script-invalid.sh

diff --git a/checks/shell_download_validate.go b/checks/shell_download_validate.go
index 4e42b927de7..2cd8fc05b15 100644
--- a/checks/shell_download_validate.go
+++ b/checks/shell_download_validate.go
@@ -914,6 +914,7 @@ func validateShellFile(pathfn string, content []byte, dl checker.DetailLogger) (
 if err != nil && errors.Is(err, sce.ErrorShellParsing) {
 // Discard and print this particular error for now.
 dl.Debug(err.Error())
+ err = nil
 }
 return r, err
 }
diff --git a/checks/shell_download_validate_test.go b/checks/shell_download_validate_test.go
index 1b26b18eb59..7f3664f9c12 100644
--- a/checks/shell_download_validate_test.go
+++ b/checks/shell_download_validate_test.go
@@ -17,6 +17,8 @@ package checks
 import (
 "os"
 "testing"
+
+ scut "github.com/ossf/scorecard/v3/utests"
 )

 func TestIsSupportedShellScriptFile(t *testing.T) {
@@ -86,3 +88,20 @@ func TestIsSupportedShellScriptFile(t *testing.T) {
 })
 }
 }
+
+func TestValidateShellFile(t *testing.T) {
+ t.Parallel()
+ filename := "testdata/script-invalid.sh"
+ var content []byte
+ var err error
+
+ content, err = os.ReadFile(filename)
+ if err != nil {
+ t.Errorf("cannot read file: %v", err)
+ }
+ dl := scut.TestDetailLogger{}
+ _, err = validateShellFile(filename, content, &dl)
+ if err != nil {
+ t.Errorf("failed to discard shell parsing error: %v", err)
+ }
+}
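Review bot: With `err = nil` in place, validateShellFile returns `r` together with a nil error for a script it could not parse, so a caller cannot tell a file that was never analysed from one that was analysed and found clean; the only trace is the Debug-level message. The statement that sets `r` is above the hunk, so its value on this path is not visible here and should be confirmed and written down. I would extend the comment to say so, for example `// Parsing failed: the file is skipped, not validated. Log it and clear the error so the remaining files are still checked; r is returned as the callee left it.` Judging by the file name this is the shell download validation check, so it is worth considering whether skipped files should be reported at a level users see by default, otherwise a parser gap silently reduces coverage.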
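Review bot: TestValidateShellFile asserts only that the returned error is nil, so it would also pass if the fixture parsed cleanly or was read as empty, without the discard branch ever running. The read failure should stop the test with `t.Fatalf("cannot read file: %v", err)` rather than `t.Errorf`, which lets execution continue into validateShellFile with nil content. Keep the first return value instead of dropping it with `_` and assert it, so the result on the parse-failure path is pinned. Checking that the detail logger received the debug message would confirm that the parsing error was actually raised and discarded.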
diff --git a/checks/testdata/script-invalid.sh b/checks/testdata/script-invalid.sh
new file mode 100644
index 00000000000..2f8645cc665
--- /dev/null
+++ b/checks/testdata/script-invalid.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# syntax error: unexpected token 'fi'
+fi