
fix: process.env treated as unsafe in ignores #4281


Closed
1 of 4 tasks
SpenserJ opened this issue Feb 13, 2025 · 1 comment · Fixed by #4314

@SpenserJ

Steps to Reproduce

1. Globally install `@commitlint/cli@19.7.1` (or install it locally and change step 3 accordingly)
2. Configure commitlint to conditionally allow a message based on an environment variable
  * Example: Disallow `wip` prefixed messages when running in CI with `commit => !process.env.CI && /^wip\b/.test(commit)`
3. Run `echo "wip: test" | commitlint`
4. Run `echo "wip: test" | CI=1 commitlint`

Current Behavior

The error `Ignore function contains forbidden pattern: process.` is thrown:

file:///.../node_modules/@commitlint/cli/lib/cli.js:132
        throw err;
        ^

Error: Ignore function contains forbidden pattern: process.
    at validateIgnoreFunction (file:///.../node_modules/@commitlint/is-ignored/lib/validate-ignore-func.js:8:15)
    at Array.forEach (<anonymous>)
    at isIgnored (file:///.../node_modules/@commitlint/is-ignored/lib/is-ignored.js:9:13)
    at lint (file:///.../node_modules/@commitlint/lint/lib/lint.js:13:9)
    at file:///.../node_modules/@commitlint/cli/lib/cli.js:238:65
    at Array.map (<anonymous>)
    at main (file:///.../node_modules/@commitlint/cli/lib/cli.js:238:48)

Node.js v18.17.1

Expected Behavior

Commitlint should block dangerous process calls, but should not prevent accessing process.env.*

  • echo "wip: test" | commitlint - Should succeed (no CI environment set)
  • echo "wip: test" | CI=1 commitlint - Should fail (CI environment blocks wip commits)

Affected packages

  • cli
  • core
  • prompt
  • config-angular

Possible Solution

This was caused by #4258, and likely involves modifying https://github.com/conventional-changelog/commitlint/blob/v19.7.1/%40commitlint/is-ignored/src/validate-ignore-func.ts to either have a tighter scope for what dangerousPattern matches, or a check to allow process.env.

Potential solution using negative lookahead patterns:

/(?:process(?!\.env)|require|import|eval|fetch|XMLHttpRequest|fs|child_process)(?:\s*\.|\s*\()|(?:exec|execFile|spawn)\s*\(/

Context

Our team runs various checks like ESLint, Prettier, and commitlint locally through lint-staged and in CI. We permit making wip: ... commits in a local environment, but we have a CI check that prevents a PR from being merged until the commit is finalized (the message is updated). We use an ignores function that checks for process.env.CI (set by GitHub CI) to fail messages in PRs.

commitlint --version

@commitlint/cli@19.7.1

git --version

v2.44.0

node --version

v18.17.1
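The following is an added, stand-alone model of the check this issue is about; it is not commitlint's own code. commitlint stringifies each `ignores` function and rejects it when the source matches a denylist regex. `BROAD_PATTERN` below is an assumption (the regex proposed in the issue with the `(?!\.env)` lookahead removed, i.e. a pattern that flags any `process.` access, which is what the reported error implies); `PROPOSED_PATTERN` is the regex quoted above. The demo shows the reported failure, the proposed fix letting `process.env.CI` through while still blocking `require(` and `process.exit(`, and reproduction steps 3 and 4 under the proposed pattern with `CI` forced on and off.

```javascript
// Added example (not commitlint's code). Models the is-ignored validation
// that stringifies each ignores function and rejects forbidden fragments.

// Assumed "current" denylist: the issue's proposal without the lookahead.
const BROAD_PATTERN =
  /(?:process|require|import|eval|fetch|XMLHttpRequest|fs|child_process)(?:\s*\.|\s*\()|(?:exec|execFile|spawn)\s*\(/;

// The regex proposed in the issue: `process` is allowed only when it is
// immediately followed by `.env`.
const PROPOSED_PATTERN =
  /(?:process(?!\.env)|require|import|eval|fetch|XMLHttpRequest|fs|child_process)(?:\s*\.|\s*\()|(?:exec|execFile|spawn)\s*\(/;

// Returns null when the function's source passes the denylist, otherwise the
// first offending fragment (the text the error message reports).
function findForbiddenPattern(fn, pattern) {
  const match = pattern.exec(fn.toString());
  return match ? match[0] : null;
}

// Human-readable verdict for one ignore function under one pattern.
function verdict(fn, pattern) {
  const hit = findForbiddenPattern(fn, pattern);
  return hit === null ? 'allowed' : `blocked: ${hit}`;
}

// Minimal stand-in for is-ignored: validate every function first (the step
// that throws in the issue), then ask whether any of them ignores the message.
function isIgnored(commit, ignores, pattern) {
  for (const fn of ignores) {
    const hit = findForbiddenPattern(fn, pattern);
    if (hit !== null) {
      throw new Error(`Ignore function contains forbidden pattern: ${hit}`);
    }
  }
  return ignores.some((fn) => fn(commit));
}

// The issue author's ignore function: skip "wip:" commits unless CI is set.
const allowWipLocally = (commit) => !process.env.CI && /^wip\b/.test(commit);

// Two functions that must stay blocked under either pattern. They are never
// invoked here; they exist only to be stringified and inspected.
const shellsOut = (commit) => { require('child_process').execSync('id'); return false; };
const exitsEarly = (commit) => { process.exit(1); };

// Runs the "wip: test" scenario with CI forced to the given value (undefined
// means unset) and restores the real environment afterwards, so the result
// does not depend on the caller's shell.
function wipIgnoredWithCI(ciValue) {
  const saved = process.env.CI;
  if (ciValue === undefined) delete process.env.CI; else process.env.CI = ciValue;
  try {
    return isIgnored('wip: test', [allowWipLocally], PROPOSED_PATTERN);
  } finally {
    if (saved === undefined) delete process.env.CI; else process.env.CI = saved;
  }
}

function demo() {
  return {
    // Reported behaviour: reading process.env.CI trips the broad denylist.
    broadOnEnvRead: verdict(allowWipLocally, BROAD_PATTERN),
    // Proposed lookahead: env reads pass, real escape hatches still fail.
    proposedOnEnvRead: verdict(allowWipLocally, PROPOSED_PATTERN),
    proposedOnRequire: verdict(shellsOut, PROPOSED_PATTERN),
    proposedOnExit: verdict(exitsEarly, PROPOSED_PATTERN),
    // Reproduction steps 3 and 4 under the proposed pattern.
    wipIgnoredLocally: wipIgnoredWithCI(undefined),
    wipIgnoredInCI: wipIgnoredWithCI('1'),
  };
}

console.log(demo());
```

Two things worth keeping in mind when evaluating the proposal: the lookahead exempts only the literal spelling `process.env`, so `process . env` (with whitespace) or `process['env']` are not covered by the exemption, and the whole check is a textual denylist over `Function.prototype.toString()`, not a sandbox, so it raises the bar for accidental misuse rather than providing isolation.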

@escapedcat
Member

Needs a release
