Validation Hole

We only check whether we can parse policies today:
https://github.com/octo-sts/app/blob/cd949cf4f982ce8c060e178c77adadb316fd89c0/pkg/webhook/webhook.go#L191-L202

... but we don't check properties that aren't structural, such as that the values of permissions are well formed.

I sent a PR with `writ` (no `e`) and this didn't reject it.

	switch repo {
	case ".github":
	if err := yaml.UnmarshalStrict([]byte(raw), &octosts.OrgTrustPolicy{}); err != nil {
	log.Infof("failed to parse org trust policy: %v", err)
	merr = multierror.Append(merr, fmt.Errorf("%s: %w", f, err))
	}

	default:
	if err := yaml.UnmarshalStrict([]byte(raw), &octosts.TrustPolicy{}); err != nil {
	log.Infof("failed to parse trust policy: %v", err)
	merr = multierror.Append(merr, fmt.Errorf("%s: %w", f, err))
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Validation Hole #932

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Validation Hole #932

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions