gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-12 03:09:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge fix/bundle-9-st1018-lint: ST1018 ESC sweep + make verify pre-commit gate

Browse Source
This commit is contained in:
Shankar
2026-04-26 21:17:20 +00:00
parent 9d4d8d49ac 1d0733f170
commit f091fdbcf2
3 changed files with 37 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Makefile
+20 -1
View File
@@ -1,4 +1,4 @@
.PHONY: help build run test lint clean docker-up docker-down migrate-up migrate-down generate test-cover frontend-build .PHONY: help build run test lint verify clean docker-up docker-down migrate-up migrate-down generate test-cover frontend-build
# Default target - show help # Default target - show help
help: help:
@@ -15,6 +15,7 @@ help:
@echo " make test-verbose Run tests with verbose output" @echo " make test-verbose Run tests with verbose output"
@echo " make lint Run linter (golangci-lint)" @echo " make lint Run linter (golangci-lint)"
@echo " make fmt Format code with gofmt" @echo " make fmt Format code with gofmt"
@echo " make verify Pre-commit gate: fmt + vet + lint + test (CI-parity)"
@echo "" @echo ""
@echo "Database:" @echo "Database:"
@echo " make migrate-up Run migrations (requires DB_URL)" @echo " make migrate-up Run migrations (requires DB_URL)"
@@ -97,6 +98,24 @@ vet:
@echo "Running go vet..." @echo "Running go vet..."
go vet ./... go vet ./...
# verify: aggregate pre-commit gate. Mirrors what CI enforces, so
# running `make verify` locally before committing prevents the
# class of breakages that ship green-locally / red-on-CI (e.g.
# Bundle-9's ST1018 invisible-Unicode-literal hits, which `go vet`
# alone cannot catch — staticcheck under golangci-lint does).
verify:
@echo "==> fmt"
@go fmt ./... | { ! grep -q '.'; } || (echo "gofmt produced changes — commit them" && exit 1)
@echo "==> go vet ./..."
@go vet ./...
@echo "==> golangci-lint run ./... (incl. staticcheck ST*)"
@which golangci-lint > /dev/null || (echo "Installing golangci-lint..." && go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest)
@golangci-lint run ./... --timeout 5m
@echo "==> go test -short ./..."
@go test -short -count=1 ./...
@echo ""
@echo "verify: PASS — safe to commit"
# Database targets (requires migrate tool) # Database targets (requires migrate tool)
migrate-up: migrate-up:
@echo "Running migrations..." @echo "Running migrations..."
internal/connector/issuer/local/bundle9_coverage_test.go
+3 -3
View File
@@ -395,7 +395,7 @@ func TestValidateCSRUnicode_RejectsCNHomograph(t *testing.T) {
func TestValidateCSRUnicode_RejectsDNSNameRTL(t *testing.T) { func TestValidateCSRUnicode_RejectsDNSNameRTL(t *testing.T) {
csr := &x509.CertificateRequest{ csr := &x509.CertificateRequest{
Subject: pkix.Name{CommonName: "ok.com"}, Subject: pkix.Name{CommonName: "ok.com"},
DNSNames: []string{"goodevil.com"}, DNSNames: []string{"good\u202Eevil.com"},
} }
err := validateCSRUnicode(csr, nil) err := validateCSRUnicode(csr, nil)
if err == nil { if err == nil {
@@ -409,7 +409,7 @@ func TestValidateCSRUnicode_RejectsDNSNameRTL(t *testing.T) {
func TestValidateCSRUnicode_RejectsEmailZeroWidth(t *testing.T) { func TestValidateCSRUnicode_RejectsEmailZeroWidth(t *testing.T) {
csr := &x509.CertificateRequest{ csr := &x509.CertificateRequest{
Subject: pkix.Name{CommonName: "ok.com"}, Subject: pkix.Name{CommonName: "ok.com"},
EmailAddresses: []string{"goodbad@example.com"}, EmailAddresses: []string{"good\u200Bbad@example.com"},
} }
err := validateCSRUnicode(csr, nil) err := validateCSRUnicode(csr, nil)
if err == nil { if err == nil {
@@ -424,7 +424,7 @@ func TestValidateCSRUnicode_RejectsAdditionalSAN(t *testing.T) {
csr := &x509.CertificateRequest{ csr := &x509.CertificateRequest{
Subject: pkix.Name{CommonName: "ok.com"}, Subject: pkix.Name{CommonName: "ok.com"},
} }
err := validateCSRUnicode(csr, []string{"goodevil.com"}) err := validateCSRUnicode(csr, []string{"good\u202Eevil.com"})
if err == nil { if err == nil {
t.Fatal("expected rejection for additional SAN RTL") t.Fatal("expected rejection for additional SAN RTL")
} }
internal/validation/unicode_test.go
+14 -14
View File
@@ -36,15 +36,15 @@ func TestValidateUnicodeSafe_RejectsRTLOverride(t *testing.T) {
name string name string
in string in string
}{ }{
{"LRE", "goodcom"}, {"LRE", "good\u202Acom"},
{"RLE", "goodcom"}, {"RLE", "good\u202Bcom"},
{"PDF", "goodcom"}, {"PDF", "good\u202Ccom"},
{"LRO", "goodcom"}, {"LRO", "good\u202Dcom"},
{"RLO", "goodcom"}, {"RLO", "good\u202Ecom"},
{"LRI", "goodcom"}, {"LRI", "good\u2066com"},
{"RLI", "goodcom"}, {"RLI", "good\u2067com"},
{"FSI", "goodcom"}, {"FSI", "good\u2068com"},
{"PDI", "goodcom"}, {"PDI", "good\u2069com"},
} }
for _, c := range cases { for _, c := range cases {
t.Run(c.name, func(t *testing.T) { t.Run(c.name, func(t *testing.T) {
@@ -64,10 +64,10 @@ func TestValidateUnicodeSafe_RejectsZeroWidth(t *testing.T) {
name string name string
in string in string
}{ }{
{"ZWSP", "goodcom"}, {"ZWSP", "good\u200Bcom"},
{"ZWNJ", "goodcom"}, {"ZWNJ", "good\u200Ccom"},
{"ZWJ", "goodcom"}, {"ZWJ", "good\u200Dcom"},
{"WJ", "goodcom"}, {"WJ", "good\u2060com"},
{"BOM", "good\uFEFFcom"}, {"BOM", "good\uFEFFcom"},
} }
for _, c := range cases { for _, c := range cases {
@@ -141,7 +141,7 @@ func TestValidateUnicodeSafe_AcceptsPureNonASCII(t *testing.T) {
} }
func TestValidateUnicodeSafe_ErrorMentionsByteOffset(t *testing.T) { func TestValidateUnicodeSafe_ErrorMentionsByteOffset(t *testing.T) {
in := "goodevil.com" in := "good\u202Eevil.com"
err := ValidateUnicodeSafe(in) err := ValidateUnicodeSafe(in)
if err == nil { if err == nil {
t.Fatal("expected rejection") t.Fatal("expected rejection")