Skip to content

Surface invalid delegation path patterns and match OS-independently#753

Open
arpitjain099 wants to merge 1 commit into
theupdateframework:masterfrom
arpitjain099:chore/pathpattern-error
Open

Surface invalid delegation path patterns and match OS-independently#753
arpitjain099 wants to merge 1 commit into
theupdateframework:masterfrom
arpitjain099:chore/pathpattern-error

Conversation

@arpitjain099

Copy link
Copy Markdown

As a supply-chain-security researcher I was looking at delegation path matching and hit the fragility flagged in #747. isTargetInPathPattern was throwing away the error from filepath.Match, so a malformed pattern like an unterminated character class (targets/[) got silently treated as a plain non-match, and a caller couldn't tell "this pattern doesn't match" apart from "this pattern is invalid". It also used filepath.Match, whose separator handling depends on the host OS, even though TUF target paths are always /-separated.

This switches to path.Match (always /-separated, \ as a glob escape) and propagates the error up through IsDelegatedPath, which already returns (bool, error). I kept the change scoped to metadata.go; the sibling multirepo.go code already captures and returns that error.

I verified it by adding a regression test: on the current code the malformed-pattern case returns err == nil, and after the fix it returns path.ErrBadPattern, while the existing spec-derived path cases still pass (go test ./metadata -run TestIsDelegatedPath -count=1). Thanks for taking a look.

isTargetInPathPattern discarded the error from filepath.Match, so a
malformed delegation path pattern (like an unterminated character class
"targets/[") was silently treated as a non-match. Callers could not tell
"does not match" apart from "invalid pattern". It also used filepath.Match,
whose separator handling is OS-dependent, while TUF target paths are always
"/"-separated. Switch to path.Match, propagate the error through
IsDelegatedPath, and add a regression test. Refs theupdateframework#747.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099
arpitjain099 requested a review from a team as a code owner July 8, 2026 00:08
Copilot AI review requested due to automatic review settings July 8, 2026 00:08

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens delegation path-pattern matching in metadata by making matching OS-independent and by surfacing malformed glob patterns instead of silently treating them as non-matches.

Changes:

  • Switch delegation path segment matching from filepath.Match to path.Match to ensure /-based behavior regardless of host OS.
  • Propagate path.Match errors from isTargetInPathPattern up through DelegatedRole.IsDelegatedPath.
  • Add a regression test that asserts malformed patterns return path.ErrBadPattern.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
metadata/metadata.go Uses path.Match and propagates bad-pattern errors from delegated path matching.
metadata/metadata_test.go Adds a regression test for malformed delegation patterns returning path.ErrBadPattern.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread metadata/metadata.go
Comment on lines 580 to 584
targetParts := strings.Split(targetpath, "/")
patternParts := strings.Split(pathpattern, "/")
if len(targetParts) != len(patternParts) {
return false
return false, nil
}
Comment thread metadata/metadata.go
func isTargetInPathPattern(targetpath string, pathpattern string) bool {
func isTargetInPathPattern(targetpath string, pathpattern string) (bool, error) {
// We need to make sure that targetpath and pathpattern are pointing to
// the same directory as fnmatch doesn't threat "/" as a special symbol.
Comment thread metadata/metadata.go
Comment on lines +556 to +559
matched, err := isTargetInPathPattern(targetFilepath, pathPattern)
if err != nil {
return false, err
}
@kommendorkapten

Copy link
Copy Markdown
Member

Thank you for the PR. Maintainer availability is lower now during summer time, but a first skim this looks solid, but need to test this out more first, so will review may drag a few weeks.

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.87%. Comparing base (14cf073) to head (ac2ff9d).
⚠️ Report is 77 commits behind head on master.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #753      +/-   ##
==========================================
- Coverage   70.51%   67.87%   -2.65%     
==========================================
  Files          10       10              
  Lines        2123     1852     -271     
==========================================
- Hits         1497     1257     -240     
+ Misses        505      470      -35     
- Partials      121      125       +4     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

4 participants