Skip to content

Implement sanitization of multi-pipe shell expansions#542

Merged
centosinfra-prod-github-app[bot] merged 1 commit into
mainfrom
sanitizer
Jul 2, 2026
Merged

Implement sanitization of multi-pipe shell expansions#542
centosinfra-prod-github-app[bot] merged 1 commit into
mainfrom
sanitizer

Conversation

@nforro

@nforro nforro commented Jul 1, 2026

Copy link
Copy Markdown
Member

This fixes incorrect sanitization of a shell expansion in gnome-shell spec file that leads to an incorrect Source0 URL.

%define major_version %(c=%{version}; echo $c | cut -d. -f1 | cut -d~ -f1)

https://src.fedoraproject.org/rpms/gnome-shell/blob/f44/f/gnome-shell.spec#_2

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

@centosinfra-prod-github-app

Copy link
Copy Markdown
Contributor

@nforro

nforro commented Jul 1, 2026

Copy link
Copy Markdown
Member Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces support for converting multi-stage shell pipelines into composed Lua code during RPM macro sanitization, adding helper logic to process individual stages and updating the corresponding unit tests. The review feedback highlights several robustness improvements for the generated Lua code: using shlex.join to preserve shell quoting when reconstructing pipeline stages, clamping the end index in table.concat with math.min to avoid runtime errors on short inputs, and safely defaulting table lookups to empty strings during awk field concatenation to prevent nil concatenation crashes.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread specfile/sanitizer.py
Comment thread specfile/sanitizer.py
Comment thread specfile/sanitizer.py
@nforro

nforro commented Jul 1, 2026

Copy link
Copy Markdown
Member Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds support for processing shell pipelines in the sanitizer by splitting commands into stages and composing them into a single Lua block. Feedback is provided to use shlex.join instead of " ".join when reconstructing the final pipeline stage to ensure arguments containing spaces are properly escaped.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread specfile/sanitizer.py
@centosinfra-prod-github-app

Copy link
Copy Markdown
Contributor

@nforro

nforro commented Jul 1, 2026

Copy link
Copy Markdown
Member Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds support for converting multi-stage shell pipelines into equivalent Lua code blocks during RPM spec file sanitization, along with corresponding unit tests. The reviewer identified a correctness issue where a failure to convert any stage in a multi-stage pipeline causes the code to fall back to single-command sanitizers, which would incorrectly process only the first stage and ignore the rest. The reviewer suggested returning None immediately if any stage cannot be converted.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread specfile/sanitizer.py Outdated
@centosinfra-prod-github-app

Copy link
Copy Markdown
Contributor

@nforro

nforro commented Jul 1, 2026

Copy link
Copy Markdown
Member Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces support for sanitizing shell pipelines by splitting commands into stages and composing corresponding Lua fragments. It also adds unit tests to verify this behavior. A critical issue was identified where using shlex.split in POSIX mode strips quotes, which can break pipeline splitting on quoted pipes and cause regex matching to fail on stripped arguments. It is recommended to use posix=False to preserve the original quotes.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread specfile/sanitizer.py Outdated
@centosinfra-prod-github-app

Copy link
Copy Markdown
Contributor

@centosinfra-prod-github-app

Copy link
Copy Markdown
Contributor

@nforro

nforro commented Jul 1, 2026

Copy link
Copy Markdown
Member Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds support for sanitizing shell pipelines by splitting commands into stages and composing them into a single Lua block. Feedback points out that the 'bytes' mode in 'cut' generates the ':sub' method, which is blocked by the safety validator 'is_lua_safe'. It is recommended to return 'None' directly for this mode to avoid generating code that will inevitably fail validation.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread specfile/sanitizer.py Outdated
Signed-off-by: Nikola Forró <nforro@redhat.com>
Assisted-by: Claude Opus 4.6 via Claude Code
@nforro

nforro commented Jul 1, 2026

Copy link
Copy Markdown
Member Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces support for sanitizing shell pipelines by translating multiple piped commands (such as cut, tr, awk, and sed) into a single composed Lua block. It extracts a new helper function _stage_to_lua_fragment to handle individual pipeline stages and updates convert_string_op to split and process these stages sequentially. Additionally, comprehensive unit tests have been added to verify the correct translation of various piped command combinations and edge cases. I have no feedback to provide as there are no review comments to assess.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@centosinfra-prod-github-app

Copy link
Copy Markdown
Contributor

@nforro

nforro commented Jul 1, 2026

Copy link
Copy Markdown
Member Author

/agentic_review

@nforro nforro added the mergeit Merge via Zuul label Jul 2, 2026
@centosinfra-prod-github-app

Copy link
Copy Markdown
Contributor

@centosinfra-prod-github-app
centosinfra-prod-github-app Bot merged commit 377a90e into main Jul 2, 2026
43 of 45 checks passed
@github-project-automation github-project-automation Bot moved this from In review to Done in Packit pull requests Jul 2, 2026
centosinfra-prod-github-app Bot added a commit to packit/packit-service that referenced this pull request Jul 2, 2026
Fix multi-release retries

Related to packit/specfile#542.
RELEASE NOTES BEGIN
When a package is configured to consume mutiple release streams and release-monitoring.org detects multiple releases at the same time, if a pull-from-upstream job run for one released version fails, only that one is retried and the rest are unaffected and properly processed. Before this fix it could happen that a failed job run for one released version could prevent other released versions from being processed at all.
RELEASE NOTES END

Reviewed-by: gemini-code-assist[bot]
Reviewed-by: Maja Massarini
@nforro
nforro deleted the sanitizer branch July 2, 2026 07:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

mergeit Merge via Zuul

Projects

Development

Successfully merging this pull request may close these issues.

3 participants