# TOCTOU Race Condition Mitigation Implementation
## Overview
Add support for the `/ok-to-test SHA` format to eliminate the TOCTOU race condition between the approval comment and the pull request HEAD that actually gets built, accepting both short (7+ characters) and full (40 or 64 characters) SHA formats.
## Key Changes
### 1. Configuration Setting
- Add `RequireOkToTestSHA bool` to `pkg/params/settings/config.go`
  - JSON tag: `json:"require-ok-to-test-sha"` (default: `false`)
  - When `true`: Only the `/ok-to-test SHA` format is accepted
  - When `false`: Both formats are accepted (backward compatible)
- Document the setting in `config/302-pac-configmap.yaml`
### 2. Regex Patterns
- Update `pkg/acl/regexp.go`: Pattern `(^|\n)\/ok-to-test(\s+[a-f0-9]{7,64})?(\r\n|\r|\n|$)`
  - Supports short SHA (7-39 chars) and full SHA (40 for SHA-1, 64 for SHA-256)
- Update `pkg/opscomments/comments.go`: Pattern `(?m)^/ok-to-test(\s+[a-f0-9]{7,64})?$`
### 3. SHA Extraction
- Add `GetSHAFromOkToTestComment(comment string) string` in `pkg/opscomments/comments.go`
  - Extracts the SHA from the comment; returns an empty string if none is provided
  - Handles both short and full SHA formats
### 4. GitHub Handler Validation
- In `pkg/provider/github/parse_payload.go` `handleIssueCommentEvent()`:
  - Extract the SHA if present in the comment
  - Check `v.pacInfo.RequireOkToTestSHA`:
    - If `true` and no SHA: Reject with an error message
    - If `false` and no SHA: Allow (backward compatible)
  - After `getPullRequest()`, validate the provided SHA:
    - If short SHA: Check that it is a prefix of the PR HEAD SHA
    - If full SHA: Require an exact match with the PR HEAD SHA
    - If mismatch: Log an error, post a PR comment, reject the ok-to-test
    - If match: Proceed normally
### 5. SHA Validation Logic
- Short SHA (7-39 chars): Validate as prefix of full SHA
- Full SHA-1 (40 chars): Exact match required
- Full SHA-256 (64 chars): Exact match required (future-proofing)
- Invalid format: Reject if setting requires SHA, otherwise treat as old format
## Files to Modify
1. `pkg/params/settings/config.go` - Add `RequireOkToTestSHA` setting
2. `config/302-pac-configmap.yaml` - Document new setting
3. `pkg/acl/regexp.go` - Update regex pattern
4. `pkg/opscomments/comments.go` - Update regex, add SHA extraction function
5. `pkg/provider/github/parse_payload.go` - Add SHA validation in `handleIssueCommentEvent`
6. `pkg/opscomments/comments_test.go` - Test SHA extraction
7. `pkg/acl/regexp_test.go` - Test regex with short/full SHA
8. `pkg/provider/github/acl_test.go` - Test enforcement setting and validation
9. `pkg/params/settings/config_test.go` - Test new setting
## Testing Requirements
- Unit tests: Regex matching with short (7, 12 chars) and full (40, 64 chars) SHA
- Unit tests: SHA extraction from various comment formats
- Integration tests: GitHub webhook with `/ok-to-test SHA` (short and full)
- Integration tests: SHA validation when SHA matches (prefix and exact)
- Integration tests: SHA validation when SHA doesn't match
- Integration tests: Backward compatibility with old format
- Integration tests: Enforcement setting rejection when SHA required but not provided