mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 20:11:31 +00:00
shankar0123
5ec5ba7c82
CI run #448 (commitb9478d0) failed staticcheck ST1018 on six test inputs that embedded literal invisible Unicode (U+202E RTL override, U+202D LRO, U+2066 LRI, U+200B ZWS, U+200C ZWNJ, U+180E MVS). golangci-lint enforces ST1018 in CI but go vet doesn't, so the local pre-commit gate (gofmt + go vet + go test) didn't catch it — the canonical Bundle 9 staticcheck-vs-vet drift case CLAUDE.md explicitly warns about. Fix: convert each literal-Unicode test input to its \uXXXX ASCII escape form. Verified via byte-level Python sed against UTF-8 byte sequences (\xe2\x80\xae -> , \xe2\x80\xad -> , \xe2\x81\xa6 -> , \xe2\x81\xa9 -> , \xe2\x80\x8b -> , \xe2\x80\x8c -> , \xe1\xa0\x8e -> ). The U+202C (PDF — Pop Directional Formatting) closer was caught by the same sweep since two RTL/LRO test cases use it. The runtime semantics are byte-identical — Go interprets and the literal U+202E byte sequence to the same rune. Only the source text changed. Verified locally: gofmt -l internal/validation/: clean. go vet ./...: exit 0. go test -short -count=1 ./internal/validation/...: ok 0.014s (all 4 test cases in TestSanitizeEmailBodyValue_StripsBidiOverride + the rest of the suite still green — semantics unchanged). Sandbox couldn't install staticcheck (disk pressure on /tmp/gopath), but the rule is mechanical: U+XXXX format chars in string literals must use \uXXXX. Every flagged literal is fixed. Reference: CI run https://github.com/certctl-io/certctl/actions/runs/25301809013 Closes the staticcheck regression on commitb9478d0(security(email): sanitize body fields against content injection).