From ea814c8568e516e340b6af60fec54bd909f23fad Mon Sep 17 00:00:00 2001 From: OMpawar-21 Date: Wed, 22 Apr 2026 19:05:05 +0530 Subject: [PATCH 1/2] fix: resolve critical security vulnerabilities in Python test report generator. --- Scripts/generate_test_report.py | 44 ++++++++++++++------------------- 1 file changed, 18 insertions(+), 26 deletions(-) diff --git a/Scripts/generate_test_report.py b/Scripts/generate_test_report.py index effc165..5fff6ef 100644 --- a/Scripts/generate_test_report.py +++ b/Scripts/generate_test_report.py @@ -35,13 +35,9 @@ def __init__(self, trx_path, coverage_path=None): self.file_coverage = [] def parse_trx(self): - # Create a secure XML parser that disables external entity processing - parser = ET.XMLParser() - parser.parser.DefaultHandler = lambda data: None - parser.parser.ExternalEntityRefHandler = lambda context, base, uri, notationName: False - parser.parser.EntityDeclHandler = lambda entityName, is_parameter_entity, value, base, systemId, notationName, publicId: False - - tree = ET.parse(self.trx_path, parser) + # Use defusedxml for secure XML parsing + from defusedxml.ElementTree import parse + tree = parse(self.trx_path) root = tree.getroot() ns = {'t': 'http://microsoft.com/schemas/VisualStudio/TeamTest/2010'} @@ -121,13 +117,9 @@ def parse_coverage(self): if not self.coverage_path or not os.path.exists(self.coverage_path): return try: - # Create a secure XML parser that disables external entity processing - parser = ET.XMLParser() - parser.parser.DefaultHandler = lambda data: None - parser.parser.ExternalEntityRefHandler = lambda context, base, uri, notationName: False - parser.parser.EntityDeclHandler = lambda entityName, is_parameter_entity, value, base, systemId, notationName, publicId: False - - tree = ET.parse(self.coverage_path, parser) + # Use defusedxml for secure XML parsing + from defusedxml.ElementTree import parse + tree = parse(self.coverage_path) root = tree.getroot() self.coverage['lines_pct'] = float(root.get('line-rate', 0)) * 100 self.coverage['branches_pct'] = float(root.get('branch-rate', 0)) * 100 @@ -221,6 +213,18 @@ def _parse_condition_coverage(cond_str): return int(m.group(2)), int(m.group(3)) return 0, 0 + @staticmethod + def _esc(text): + if text is None: + return "" + text = str(text) + return (text + .replace('&', '&') + .replace('<', '<') + .replace('>', '>') + .replace('"', '"') + .replace("'", ''')) + @staticmethod def _sanitize_xml_attribute_value(value): """Sanitize XML attribute value to prevent XPath injection.""" @@ -259,18 +263,6 @@ def _validate_output_path(output_path): return normalized_path - @staticmethod - def _esc(text): - if text is None: - return "" - text = str(text) - return (text - .replace('&', '&') - .replace('<', '<') - .replace('>', '>') - .replace('"', '"') - .replace("'", ''')) - def _format_duration_display(self, seconds): if seconds < 60: return f"{seconds:.1f}s" From 6b9dc64b3b56472e004c85999072221ecb7e9013 Mon Sep 17 00:00:00 2001 From: harshitha-cstk Date: Wed, 29 Apr 2026 08:12:50 +0530 Subject: [PATCH 2/2] chore: align release workflows with new development-to-main process --- .github/workflows/back-merge-pr.yml | 54 +++++++++++++++ .github/workflows/check-branch.yml | 20 ------ .github/workflows/check-version-bump.yml | 86 ++++++++++++++++++++++++ AGENTS.md | 2 +- skills/code-review/SKILL.md | 2 +- skills/dev-workflow/SKILL.md | 5 +- 6 files changed, 145 insertions(+), 24 deletions(-) create mode 100644 .github/workflows/back-merge-pr.yml delete mode 100644 .github/workflows/check-branch.yml create mode 100644 .github/workflows/check-version-bump.yml diff --git a/.github/workflows/back-merge-pr.yml b/.github/workflows/back-merge-pr.yml new file mode 100644 index 0000000..02b378c --- /dev/null +++ b/.github/workflows/back-merge-pr.yml @@ -0,0 +1,54 @@ +name: Back-merge master to development + +on: + push: + branches: + - master + workflow_dispatch: + +permissions: + contents: read + pull-requests: write + +jobs: + open-back-merge-pr: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Open back-merge PR if needed + env: + GH_TOKEN: ${{ github.token }} + run: | + set -euo pipefail + BASE_BRANCH="development" + SOURCE_BRANCH="master" + + git fetch origin "$BASE_BRANCH" "$SOURCE_BRANCH" + + if ! git show-ref --verify --quiet "refs/remotes/origin/$BASE_BRANCH"; then + echo "Base branch '$BASE_BRANCH' does not exist on origin; skipping." + exit 0 + fi + + SOURCE_SHA=$(git rev-parse "origin/$SOURCE_BRANCH") + BASE_SHA=$(git rev-parse "origin/$BASE_BRANCH") + + if [ "$SOURCE_SHA" = "$BASE_SHA" ]; then + echo "$SOURCE_BRANCH and $BASE_BRANCH are at the same commit; nothing to back-merge." + exit 0 + fi + + EXISTING=$(gh pr list --repo "${{ github.repository }}" --base "$BASE_BRANCH" --head "$SOURCE_BRANCH" --state open --json number --jq 'length') + + if [ "$EXISTING" -gt 0 ]; then + echo "An open PR from $SOURCE_BRANCH to $BASE_BRANCH already exists; skipping." + exit 0 + fi + + gh pr create --repo "${{ github.repository }}" --base "$BASE_BRANCH" --head "$SOURCE_BRANCH" --title "chore: back-merge $SOURCE_BRANCH into $BASE_BRANCH" --body "Automated back-merge after changes landed on \\`$SOURCE_BRANCH\\`. Review and merge to keep \\`$BASE_BRANCH\\` in sync." + + echo "Created back-merge PR $SOURCE_BRANCH -> $BASE_BRANCH." diff --git a/.github/workflows/check-branch.yml b/.github/workflows/check-branch.yml deleted file mode 100644 index e79864e..0000000 --- a/.github/workflows/check-branch.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: 'Check Branch' - -on: - pull_request: - -jobs: - check_branch: - runs-on: ubuntu-latest - steps: - - name: Comment PR - if: github.base_ref == 'master' && github.head_ref != 'staging' - uses: thollander/actions-comment-pull-request@v2 - with: - message: | - We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the next branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch. - - name: Check branch - if: github.base_ref == 'master' && github.head_ref != 'staging' - run: | - echo "ERROR: We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the next branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch." - exit 1 \ No newline at end of file diff --git a/.github/workflows/check-version-bump.yml b/.github/workflows/check-version-bump.yml new file mode 100644 index 0000000..8e71000 --- /dev/null +++ b/.github/workflows/check-version-bump.yml @@ -0,0 +1,86 @@ +name: Check Version Bump + +on: + pull_request: + +jobs: + version-bump: + name: Version & Changelog bump + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Detect changed files and version bump + id: detect + run: | + if git rev-parse HEAD^2 >/dev/null 2>&1; then + FILES=$(git diff --name-only HEAD^1 HEAD^2) + else + FILES=$(git diff --name-only HEAD~1 HEAD) + fi + VERSION_FILES_CHANGED=false + echo "$FILES" | grep -qx 'package.json' && VERSION_FILES_CHANGED=true + echo "$FILES" | grep -qx 'CHANGELOG.md' && VERSION_FILES_CHANGED=true + echo "version_files_changed=$VERSION_FILES_CHANGED" >> $GITHUB_OUTPUT + # Only lib/, webpack/, dist/, package.json count as release-affecting; .github/ and test/ do not + CODE_CHANGED=false + echo "$FILES" | grep -qE '^lib/|^webpack/|^dist/' && CODE_CHANGED=true + echo "$FILES" | grep -qx 'package.json' && CODE_CHANGED=true + echo "code_changed=$CODE_CHANGED" >> $GITHUB_OUTPUT + + - name: Skip when only test/docs/.github changed + if: steps.detect.outputs.code_changed != 'true' + run: | + echo "No release-affecting files changed (e.g. only test/docs/.github). Skipping version-bump check." + exit 0 + + - name: Fail when version bump was missed + if: steps.detect.outputs.code_changed == 'true' && steps.detect.outputs.version_files_changed != 'true' + run: | + echo "::error::This PR has code changes but no version bump. Please bump the version in package.json and add an entry in CHANGELOG.md." + exit 1 + + - name: Setup Node + if: steps.detect.outputs.code_changed == 'true' && steps.detect.outputs.version_files_changed == 'true' + uses: actions/setup-node@v4 + with: + node-version: '22.x' + + - name: Check version bump + if: steps.detect.outputs.code_changed == 'true' && steps.detect.outputs.version_files_changed == 'true' + run: | + set -e + PKG_VERSION=$(node -p "require('./package.json').version.replace(/^v/, '')") + if [ -z "$PKG_VERSION" ]; then + echo "::error::Could not read version from package.json" + exit 1 + fi + git fetch --tags --force 2>/dev/null || true + LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || true) + if [ -z "$LATEST_TAG" ]; then + echo "No existing tags found. Skipping version-bump check (first release)." + exit 0 + fi + LATEST_VERSION="${LATEST_TAG#v}" + LATEST_VERSION="${LATEST_VERSION%%-*}" + if [ "$(printf '%s\n' "$LATEST_VERSION" "$PKG_VERSION" | sort -V | tail -1)" != "$PKG_VERSION" ]; then + echo "::error::Version bump required: package.json version ($PKG_VERSION) is not greater than latest tag ($LATEST_TAG). Please bump the version in package.json." + exit 1 + fi + if [ "$PKG_VERSION" = "$LATEST_VERSION" ]; then + echo "::error::Version bump required: package.json version ($PKG_VERSION) equals latest tag ($LATEST_TAG). Please bump the version in package.json." + exit 1 + fi + CHANGELOG_VERSION=$(sed -nE 's/^## \[v?([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' CHANGELOG.md | head -1) + if [ -z "$CHANGELOG_VERSION" ]; then + echo "::error::Could not find a version entry in CHANGELOG.md (expected line like '## [v1.0.0](...)')." + exit 1 + fi + if [ "$CHANGELOG_VERSION" != "$PKG_VERSION" ]; then + echo "::error::CHANGELOG version mismatch: CHANGELOG.md top version ($CHANGELOG_VERSION) does not match package.json version ($PKG_VERSION). Please add or update the CHANGELOG entry for $PKG_VERSION." + exit 1 + fi + echo "Version bump check passed: package.json and CHANGELOG.md are at $PKG_VERSION (latest tag: $LATEST_TAG)." diff --git a/AGENTS.md b/AGENTS.md index c1a49d7..9141008 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -38,7 +38,7 @@ | Workflow | Trigger | Role | |----------|---------|------| | [`unit-test.yml`](.github/workflows/unit-test.yml) | `pull_request`, `push` | Windows: unit tests via `Scripts/run-unit-test-case.sh`. | -| [`check-branch.yml`](.github/workflows/check-branch.yml) | `pull_request` | Merges into **`master`** are only allowed from **`staging`** (otherwise fails with a PR comment). | +| [`back-merge-pr.yml`](.github/workflows/back-merge-pr.yml) | `push` on `master`, manual dispatch | Opens automated back-merge PRs from `master` to `development` to keep branches aligned. | | [`nuget-publish.yml`](.github/workflows/nuget-publish.yml) | `release` (created) | `dotnet pack -c Release -o out`; push package to NuGet.org and GitHub Packages. | | [`sca-scan.yml`](.github/workflows/sca-scan.yml) | PR (opened, synchronize, reopened) | Ubuntu: `dotnet restore`, **Snyk** `snyk test` under `Contentstack.Utils`. | | [`policy-scan.yml`](.github/workflows/policy-scan.yml) | PR (public repos) | Requires `SECURITY.md` and a license file containing the current year. | diff --git a/skills/code-review/SKILL.md b/skills/code-review/SKILL.md index 1002ee7..8ac76ae 100644 --- a/skills/code-review/SKILL.md +++ b/skills/code-review/SKILL.md @@ -15,7 +15,7 @@ description: Use for PR expectations, review checklist, docs/changelog, and secu ### Branch and ownership -- Merges into **`master`** are expected from **`staging`** only (see [`check-branch.yml`](../../.github/workflows/check-branch.yml)). Align your PR base/head with team process. +- Align PRs with the direct release flow **`development` -> `master`** (no `staging` gate in the release path). - [`CODEOWNERS`](../../CODEOWNERS) may request reviews from **`@contentstack/devex-pr-reviewers`** and security admins for workflow or `.snyk` changes. ### Checklist diff --git a/skills/dev-workflow/SKILL.md b/skills/dev-workflow/SKILL.md index 98a9d59..8a4c034 100644 --- a/skills/dev-workflow/SKILL.md +++ b/skills/dev-workflow/SKILL.md @@ -15,7 +15,8 @@ description: Use for branches, build/pack, test scripts, CI workflows, versionin ### Branching and merges -- [`.github/workflows/check-branch.yml`](../../.github/workflows/check-branch.yml) runs on **pull requests**. If the base branch is **`master`** and the head branch is **not** **`staging`**, the job fails and [thollander/actions-comment-pull-request](https://github.com/thollander/actions-comment-pull-request) posts an explanatory comment. To merge into `master`, open a PR **from `staging`** (per current org policy). +- Release flow is direct **`development` -> `master`** (no `staging` promotion step). +- [`.github/workflows/back-merge-pr.yml`](../../.github/workflows/back-merge-pr.yml) opens an automated PR from `master` back to `development` after changes land on `master`. ### Versioning @@ -40,7 +41,7 @@ description: Use for branches, build/pack, test scripts, CI workflows, versionin | Workflow | Purpose | |----------|---------| | `unit-test.yml` | Windows unit tests via `run-unit-test-case.sh`. | -| `check-branch.yml` | Enforce `staging` → `master` for PRs. | +| `back-merge-pr.yml` | Auto-open `master` → `development` back-merge PRs. | | `nuget-publish.yml` | Pack and push on release. | | `sca-scan.yml` | `dotnet restore` + **Snyk** `snyk test` in `Contentstack.Utils` (needs `SNYK_TOKEN`). | | `policy-scan.yml` | For **public** repos: `SECURITY.md` and license file with current calendar year. |