Commit 4a3f999
fix(ado-script): address code-review findings (CVE bump, hardening, pagination, timeouts)
Addresses every blocker and should-fix item from the deep code review of
the new scripts/ado-script/ TypeScript workspace.
Blocking
- vitest 2.1.9 -> 4.1.6: clears all 5 moderate-severity npm audit findings
(vitest / vite / esbuild / @vitest/mocker / vite-node). No test API
changes needed -- all 172 existing tests pass unmodified on Vitest 4.
- GATE_SPEC DoS guard (src/gate/index.ts): cap base64-decoded spec at
256 KiB before JSON.parse. ADO env vars are ~32 KiB max so this is two
orders of magnitude above any realistic spec.
Hardening
- Glob ReDoS in-place hardening (src/gate/predicates.ts):
  - cap pattern length at 1024 chars
  - cap '*' wildcards at 64 per pattern
  - pre-compile RegExp cache (Map) with 1024-entry FIFO eviction
  - rejected patterns log a warning + return false (fail-closed)
  - + 3 new vitest cases
- Pre-flight predicate-tree validator (validatePredicateTree, called from
index.ts main right after JSON.parse): walks the full tree and throws on
any unknown 'type' discriminant *before* fact acquisition. Closes the
gap where an unknown predicate was only surfaced when evaluatePredicate
reached it -- if the required fact was unavailable, the unknown type was
silently skipped. + 7 new vitest cases covering each known type, nested
unknowns under and/or/not, missing operands/operand.
ADO REST client (src/shared/ado-client.ts)
- 30-second per-attempt timeout via Promise + setTimeout (configurable via
ADO_API_TIMEOUT_MS env var); timeouts are treated as transient so the
existing one-shot retry path catches them. + 2 new vitest cases.
- getIterationChanges now paginates via 'top'/'skip' (page size 100,
100-page cap, 'short page' termination); + 2 new vitest cases. The SDK does
not paginate getPullRequestIterations (ADO REST API returns all in one
call) so that one is documented but left as-is.
Operational
- Lazy import of azure-devops-node-api in src/shared/auth.ts (dynamic
import inside getWebApi). Entry-point bundle dropped from ~1.1 MB to
78 KB; the SDK is now in a separate 2.7 MB ncc chunk loaded only when
an ADO API call is made. Bypass-only / pipeline-var-only runs save the
cold-start tax. 'zip -r ado-script/dist' in release.yml continues to
package both chunks.
- ado-script CI workflow now also runs on push to main, not only PR, so
any drift in types.gen.ts that slips through (e.g. from a force-push or
bypassed CI) is caught loudly the moment it lands on main.
- New ADO_API_TIMEOUT_MS env var documented in docs/ado-script.md.
Test counts: 186 vitest (was 172), 1519 cargo unit. cargo clippy clean.
npm audit clean.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

1 parent 1534284
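The gate-side changes the commit message lists (size cap on the decoded GATE_SPEC before JSON.parse, glob length and wildcard caps with a FIFO-evicting RegExp cache, fail-closed rejection, and a pre-flight predicate-tree validator) reconstructed as one runnable example. This is added illustration, not the scripts/ado-script code itself: the glob dialect, the predicate leaf types (`pathGlob`, `branchEquals`) and the function names are assumptions; the numeric limits are the ones the message states.

```typescript
// Added example, not the project's own code. Limits follow the commit message;
// the glob dialect, predicate leaf types and function names are assumptions.

const MAX_SPEC_BYTES = 256 * 1024;   // cap on the decoded GATE_SPEC before JSON.parse
const MAX_PATTERN_LEN = 1024;        // glob pattern length cap
const MAX_WILDCARDS = 64;            // '*' count cap per pattern
const CACHE_LIMIT = 1024;            // compiled-RegExp cache entries

// Map iterates in insertion order, so keys().next() is always the oldest entry.
const regexCache = new Map<string, RegExp>();

// Translate a glob into an anchored RegExp, or return null if the pattern is rejected.
// Each '*' becomes an unbounded quantifier; many of them in one pattern is what makes
// matching super-linear, so the caps bound the backtracking before any RegExp exists.
function compileGlob(pattern: string): RegExp | null {
  const cached = regexCache.get(pattern);
  if (cached !== undefined) return cached;
  const stars = (pattern.match(/\*/g) ?? []).length;
  if (pattern.length > MAX_PATTERN_LEN || stars > MAX_WILDCARDS) {
    console.warn(`glob rejected (${pattern.length} chars, ${stars} wildcards): ${pattern.slice(0, 32)}...`);
    return null; // not cached: every evaluation of a bad pattern warns
  }
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "*") {
      if (pattern[i + 1] === "*") { re += ".*"; i++; } else { re += "[^/]*"; }
    } else if (c === "?") {
      re += "[^/]";
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/, "\\$&"); // escape regex metacharacters
    }
  }
  const compiled = new RegExp(`^${re}$`);
  if (regexCache.size >= CACHE_LIMIT) {
    regexCache.delete(regexCache.keys().next().value as string); // FIFO eviction
  }
  regexCache.set(pattern, compiled);
  return compiled;
}

// A rejected pattern never matches: a gate fails closed instead of skipping a predicate.
function globMatch(pattern: string, path: string): boolean {
  const re = compileGlob(pattern);
  return re !== null && re.test(path);
}

type Predicate =
  | { type: "and" | "or"; operands: Predicate[] }
  | { type: "not"; operand: Predicate }
  | { type: "pathGlob"; pattern: string }        // leaf types are assumptions
  | { type: "branchEquals"; value: string };

const LEAF_TYPES = new Set(["pathGlob", "branchEquals"]);

// Walk the whole tree before any fact is acquired, so an unknown 'type' fails the run
// even when it sits under a branch that evaluation would never have reached.
function validatePredicateTree(node: unknown, where = "$"): void {
  if (typeof node !== "object" || node === null || Array.isArray(node)) {
    throw new Error(`${where}: predicate must be an object`);
  }
  const n = node as Record<string, unknown>;
  const t = typeof n.type === "string" ? n.type : "";
  switch (t) {
    case "and":
    case "or":
      if (!Array.isArray(n.operands) || n.operands.length === 0) {
        throw new Error(`${where}: '${t}' needs a non-empty 'operands' array`);
      }
      n.operands.forEach((child, i) => validatePredicateTree(child, `${where}.operands[${i}]`));
      return;
    case "not":
      if (n.operand === undefined) throw new Error(`${where}: 'not' needs 'operand'`);
      validatePredicateTree(n.operand, `${where}.operand`);
      return;
    default:
      if (LEAF_TYPES.has(t)) return;
      throw new Error(`${where}: unknown predicate type ${JSON.stringify(n.type)}`);
  }
}

// Size check first, then parse, then validate: the order is what makes it a DoS guard.
function loadGateSpec(decodedSpec: string): Predicate {
  if (decodedSpec.length > MAX_SPEC_BYTES) {
    throw new Error(`GATE_SPEC too large: ${decodedSpec.length} > ${MAX_SPEC_BYTES}`);
  }
  const spec: unknown = JSON.parse(decodedSpec);
  validatePredicateTree(spec);
  return spec as Predicate;
}
```

Rejected patterns are deliberately not cached, so a bad pattern warns on every evaluation rather than once; if that is too noisy for a large spec, cache the rejection as `null` and keep the warning at validation time instead. The size check uses the decoded string length; in Node, `Buffer.byteLength` on the decoded buffer is the exact equivalent.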
11 files changed
Lines changed: 1113 additions & 880 deletions
File tree
- .github/workflows
- docs
- scripts/ado-script
- src
- gate
- __tests__/ports
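The client-side behaviour the commit message describes for src/shared/ado-client.ts, shown as an added example against a constructed fake page API rather than the real azure-devops-node-api client: a per-attempt timeout that surfaces as a transient error, a one-shot retry that only fires for transient errors, and top/skip pagination with page size 100, a 100-page cap and short-page termination. The `PageFetcher` signature, `makeFakeServer`, and the decision to throw when the page cap is hit are assumptions; the message does not say whether the script throws or truncates there.

```typescript
// Added example, not the project's own code. The PageFetcher signature, the fake
// server, and failing closed at the page cap are assumptions.

const DEFAULT_TIMEOUT_MS = 30_000;  // the real script reads ADO_API_TIMEOUT_MS for this
const PAGE_SIZE = 100;
const MAX_PAGES = 100;

// Transient errors carry a property rather than a subclass so the check does not
// depend on prototype chains surviving bundling.
function transientError(message: string): Error & { transient: true } {
  return Object.assign(new Error(message), { transient: true as const });
}

function isTransient(err: unknown): boolean {
  return typeof err === "object" && err !== null && (err as { transient?: unknown }).transient === true;
}

// Race the work against a timer. The timer is cleared on either outcome so a fast
// response does not leave a dangling timeout keeping the process alive.
function withTimeout<T>(work: () => Promise<T>, ms: number, label: string): Promise<T> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const deadline = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(transientError(`${label} timed out after ${ms} ms`)), ms);
  });
  return Promise.race([work(), deadline]).then(
    (value) => { clearTimeout(timer); return value; },
    (err) => { clearTimeout(timer); throw err; });
}

// One retry, and only for transient failures: a 4xx from the API is not worth a second call.
async function withRetry<T>(attempt: () => Promise<T>): Promise<T> {
  try {
    return await attempt();
  } catch (err) {
    if (!isTransient(err)) throw err;
    return await attempt();
  }
}

type PageFetcher<T> = (top: number, skip: number) => Promise<T[]>;

// Fetch every page. A page shorter than PAGE_SIZE (possibly empty) is the last one;
// reaching MAX_PAGES is an error, since a gate must not evaluate a silently truncated
// change list (assumption: the commit message does not say what the script does here).
async function fetchAll<T>(fetchPage: PageFetcher<T>, timeoutMs = DEFAULT_TIMEOUT_MS): Promise<T[]> {
  const all: T[] = [];
  for (let page = 0; page < MAX_PAGES; page++) {
    const skip = page * PAGE_SIZE;
    const items = await withRetry(() =>
      withTimeout(() => fetchPage(PAGE_SIZE, skip), timeoutMs, `page ${page} (skip=${skip})`));
    all.push(...items);
    if (items.length < PAGE_SIZE) return all;
  }
  throw new Error(`more than ${MAX_PAGES} pages of ${PAGE_SIZE}; refusing to continue`);
}

// Constructed stand-in for the ADO API: `total` items, and the first request at
// `hangAtSkip` never responds (a stalled connection).
function makeFakeServer(total: number, hangAtSkip: number | null) {
  const items = Array.from({ length: total }, (_, id) => ({ id }));
  let calls = 0;
  let hung = false;
  const fetchPage: PageFetcher<{ id: number }> = (top, skip) => {
    calls++;
    if (hangAtSkip === skip && !hung) {
      hung = true;
      return new Promise<{ id: number }[]>(() => { /* never settles */ });
    }
    return Promise.resolve(items.slice(skip, skip + top));
  };
  return { fetchPage, calls: () => calls };
}

// Demo: 250 items, the second page stalls once; expect 4 calls and all 250 items.
async function runDemo(): Promise<{ count: number; calls: number; lastId: number }> {
  const server = makeFakeServer(250, PAGE_SIZE);
  const items = await fetchAll(server.fetchPage, 20);
  return { count: items.length, calls: server.calls(), lastId: items[items.length - 1].id };
}

runDemo().then((r) => console.log(JSON.stringify(r)));
```

Two edge cases worth keeping in the tests: a total that is an exact multiple of the page size costs one extra, empty round trip (that is the price of short-page termination without a count header), and the retry wraps the timeout, not the other way round, so the second attempt gets its own full budget.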
[Diff view did not survive extraction. Two hunks are visible only by line number: one inserting new lines 12-25 between original lines 11 and 12 (14 added lines), one inserting new lines 123-135 between original lines 122 and 123 (13 added lines). The changed content itself and the file each hunk belongs to are not recoverable from this page.]