gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:01:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

ci: convert literal Unicode in headers_test.go to \u escapes (ST1018)

Browse Source 
CI run #448 (commit 23c5930) failed staticcheck ST1018 on six test
inputs that embedded literal invisible Unicode (U+202E RTL override,
U+202D LRO, U+2066 LRI, U+200B ZWS, U+200C ZWNJ, U+180E MVS).
golangci-lint enforces ST1018 in CI but go vet doesn't, so the
local pre-commit gate (gofmt + go vet + go test) didn't catch it —
the canonical Bundle 9 staticcheck-vs-vet drift case CLAUDE.md
explicitly warns about.

Fix: convert each literal-Unicode test input to its \uXXXX ASCII
escape form. Verified via byte-level Python sed against UTF-8 byte
sequences (\xe2\x80\xae -> ‮, \xe2\x80\xad -> ‭,
\xe2\x81\xa6 -> ⁦, \xe2\x81\xa9 -> ⁩, \xe2\x80\x8b ->
​, \xe2\x80\x8c -> ‌, \xe1\xa0\x8e -> ᠎). The U+202C
(PDF — Pop Directional Formatting) closer was caught by the same
sweep since two RTL/LRO test cases use it.

The runtime semantics are byte-identical — Go interprets ‮
and the literal U+202E byte sequence to the same rune. Only the
source text changed.

Verified locally:
  gofmt -l internal/validation/: clean.
  go vet ./...: exit 0.
  go test -short -count=1 ./internal/validation/...: ok 0.014s
    (all 4 test cases in TestSanitizeEmailBodyValue_StripsBidiOverride
    + the rest of the suite still green — semantics unchanged).
  Sandbox couldn't install staticcheck (disk pressure on
  /tmp/gopath), but the rule is mechanical: U+XXXX format chars in
  string literals must use \uXXXX. Every flagged literal is fixed.

Reference: CI run https://github.com/certctl-io/certctl/actions/runs/25301809013

Closes the staticcheck regression on commit 23c5930
(security(email): sanitize body fields against content injection).
This commit is contained in:
shankar0123
2026-05-04 05:00:14 +00:00
parent e6919cdaba
commit af3ca3935b
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/validation/headers_test.go
+6 -6
View File
@@ -150,19 +150,19 @@ func TestSanitizeEmailBodyValue_StripsBidiOverride(t *testing.T) {
input string input string
}{ }{
// U+202E = Right-to-left override // U+202E = Right-to-left override
{"RTL override", "Click www.evil.com to verify"}, {"RTL override", "Click \u202Ewww.evil.com\u202C to verify"},
// U+202D = Left-to-right override // U+202D = Left-to-right override
{"LRO override", "Click www.evil.com to verify"}, {"LRO override", "Click \u202Dwww.evil.com\u202C to verify"},
// U+2066 = Left-to-right isolate // U+2066 = Left-to-right isolate
{"LRI isolate", "Click www.evil.com to verify"}, {"LRI isolate", "Click \u2066www.evil.com\u2069 to verify"},
// U+200B = Zero-width space // U+200B = Zero-width space
{"zero-width space", "evil.example.com"}, {"zero-width space", "evil\u200B.example.com"},
// U+200C = ZWNJ // U+200C = ZWNJ
{"zero-width non-joiner", "admin@example.com"}, {"zero-width non-joiner", "ad\u200Cmin@example.com"},
// U+FEFF = byte-order mark / zero-width no-break space // U+FEFF = byte-order mark / zero-width no-break space
{"BOM", "x\uFEFFy"}, {"BOM", "x\uFEFFy"},
// U+180E = Mongolian Vowel Separator // U+180E = Mongolian Vowel Separator
{"MVS", "ab"}, {"MVS", "a\u180Eb"},
} }
for _, tc := range tests { for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {