From af3ca3935b2ae020533325c1d1d9f13bc4bbb776 Mon Sep 17 00:00:00 2001 From: shankar0123 Date: Mon, 4 May 2026 05:00:14 +0000 Subject: [PATCH] ci: convert literal Unicode in headers_test.go to \u escapes (ST1018) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CI run #448 (commit 23c5930) failed staticcheck ST1018 on six test inputs that embedded literal invisible Unicode (U+202E RTL override, U+202D LRO, U+2066 LRI, U+200B ZWS, U+200C ZWNJ, U+180E MVS). golangci-lint enforces ST1018 in CI but go vet doesn't, so the local pre-commit gate (gofmt + go vet + go test) didn't catch it — the canonical Bundle 9 staticcheck-vs-vet drift case CLAUDE.md explicitly warns about. Fix: convert each literal-Unicode test input to its \uXXXX ASCII escape form. Verified via byte-level Python sed against UTF-8 byte sequences (\xe2\x80\xae -> ‮, \xe2\x80\xad -> ‭, \xe2\x81\xa6 -> ⁦, \xe2\x81\xa9 -> ⁩, \xe2\x80\x8b -> ​, \xe2\x80\x8c -> ‌, \xe1\xa0\x8e -> ᠎). The U+202C (PDF — Pop Directional Formatting) closer was caught by the same sweep since two RTL/LRO test cases use it. The runtime semantics are byte-identical — Go interprets ‮ and the literal U+202E byte sequence to the same rune. Only the source text changed. Verified locally: gofmt -l internal/validation/: clean. go vet ./...: exit 0. go test -short -count=1 ./internal/validation/...: ok 0.014s (all 4 test cases in TestSanitizeEmailBodyValue_StripsBidiOverride + the rest of the suite still green — semantics unchanged). Sandbox couldn't install staticcheck (disk pressure on /tmp/gopath), but the rule is mechanical: U+XXXX format chars in string literals must use \uXXXX. Every flagged literal is fixed. Reference: CI run https://github.com/certctl-io/certctl/actions/runs/25301809013 Closes the staticcheck regression on commit 23c5930 (security(email): sanitize body fields against content injection). --- internal/validation/headers_test.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/internal/validation/headers_test.go b/internal/validation/headers_test.go index c6bfa2d..e0541ce 100644 --- a/internal/validation/headers_test.go +++ b/internal/validation/headers_test.go @@ -150,19 +150,19 @@ func TestSanitizeEmailBodyValue_StripsBidiOverride(t *testing.T) { input string }{ // U+202E = Right-to-left override - {"RTL override", "Click ‮www.evil.com‬ to verify"}, + {"RTL override", "Click \u202Ewww.evil.com\u202C to verify"}, // U+202D = Left-to-right override - {"LRO override", "Click ‭www.evil.com‬ to verify"}, + {"LRO override", "Click \u202Dwww.evil.com\u202C to verify"}, // U+2066 = Left-to-right isolate - {"LRI isolate", "Click ⁦www.evil.com⁩ to verify"}, + {"LRI isolate", "Click \u2066www.evil.com\u2069 to verify"}, // U+200B = Zero-width space - {"zero-width space", "evil​.example.com"}, + {"zero-width space", "evil\u200B.example.com"}, // U+200C = ZWNJ - {"zero-width non-joiner", "ad‌min@example.com"}, + {"zero-width non-joiner", "ad\u200Cmin@example.com"}, // U+FEFF = byte-order mark / zero-width no-break space {"BOM", "x\uFEFFy"}, // U+180E = Mongolian Vowel Separator - {"MVS", "a᠎b"}, + {"MVS", "a\u180Eb"}, } for _, tc := range tests { t.Run(tc.name, func(t *testing.T) {