Skip to content

Fix: Handle Trailing Commas and Empty Strings in File Paths #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from
Closed

Fix: Handle Trailing Commas and Empty Strings in File Paths #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ec96941
Fix config parsing to allow trailing commas but prevent empty entries
x612skm Jan 15, 2025
0820752
fix the type check error in the pipeline checks
x612skm Feb 24, 2025
e80c2fa
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Feb 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions mypy/config_parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,9 @@ def split_and_match_files_list(paths: Sequence[str]) -> list[str]:
expanded_paths = []

for path in paths:
if not path:
continue

Comment on lines +112 to +114
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Empty Path Handling

Silently skipping empty paths may mask configuration errors. This could lead to unexpected behavior where users think files are being checked when they aren't.

Suggested change
if not path:
continue
if not path:
if stderr is not None:
print(f"Warning: Skipping empty path in config", file=stderr)
continue
Standards
  • ISO-IEC-25010-Reliability-Maturity
  • ISO-IEC-25010-Functional-Correctness-Appropriateness
  • SRE-Observability

path = expand_path(path.strip())
Comment on lines +112 to 115
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Path Traversal Risk

The code skips empty paths but still processes paths without validation. Missing path validation before expansion could allow directory traversal attacks if user-controlled input contains '../' sequences. This could potentially access files outside intended directories.

Standards
  • CWE-22
  • OWASP-A01

globbed_files = fileglob.glob(path, recursive=True)
if globbed_files:
Expand Down Expand Up @@ -318,6 +321,23 @@ def parse_config_file(
print(f"{file_read}: No [mypy] section in config file", file=stderr)
else:
section = parser["mypy"]

if "files" in section:
raw_files = section["files"].strip()
files_split = [file.strip() for file in raw_files.split(",")]
Comment on lines +326 to +327
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Path Injection Risk

The code splits file paths on commas without validating path format. Attackers could inject malicious paths containing directory traversal sequences or shell metacharacters.

Suggested change
raw_files = section["files"].strip()
files_split = [file.strip() for file in raw_files.split(",")]
raw_files = section["files"].strip()
files_split = [file.strip() for file in raw_files.split(",")]
# Remove trailing empty entry if present
if files_split and files_split[-1] == "":
files_split.pop()
# Raise an error if there are any remaining empty strings
if "" in files_split:
raise ValueError(
"Invalid config: Empty filenames are not allowed except for trailing commas."
)
# Validate paths to prevent path traversal
for file_path in files_split:
if "../" in file_path or "..\\" in file_path:
raise ValueError(f"Invalid path '{file_path}': Directory traversal not allowed")
options.files = files_split
Standards
  • CWE-22
  • OWASP-A03


# Remove trailing empty entry if present
if files_split and files_split[-1] == "":
files_split.pop()
Comment on lines +329 to +331
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This check removes the trailing empty string, but the subsequent check on line 334 raises an error if any empty strings are present. Consider simplifying this logic to directly raise an error if any empty strings are present after stripping whitespace, as trailing commas are now explicitly allowed.

# Raise an error if there are any empty strings
if any(not file for file in files_split):
    raise ValueError(
        "Invalid config: Empty filenames are not allowed except for trailing commas."
    )


# Raise an error if there are any remaining empty strings
if "" in files_split:
raise ValueError(
"Invalid config: Empty filenames are not allowed except for trailing commas."
)
Comment on lines +335 to +337
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The error message could be more informative. Consider including details about why empty filenames are invalid, or suggesting how to correct the configuration (e.g., removing the extra commas).

raise ValueError(
    "Invalid config: Empty filenames are not allowed. Please ensure all file entries are valid."
)

Comment on lines +334 to +337
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Linear Search Inefficiency

Linear search for empty strings in files_split has O(n) complexity. For large file lists, this creates unnecessary iteration overhead when validation could be done during initial split.

Suggested change
if "" in files_split:
raise ValueError(
"Invalid config: Empty filenames are not allowed except for trailing commas."
)
files_split = []
for file in raw_files.split(","):
file = file.strip()
if file:
files_split.append(file)
elif file == "" and not (len(files_split) == 0 and raw_files == ""):
raise ValueError(
"Invalid config: Empty filenames are not allowed except for trailing commas."
)
Standards
  • ISO-IEC-25010-Performance-Time-Behaviour
  • Algorithm-Opt-Early-Exit
  • Google-Performance-Best-Practices

Comment on lines +329 to +337
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Empty String Handling

The code correctly removes trailing empty entries but doesn't handle the case where files_split is empty after removing the trailing entry. This could cause an unnecessary check for empty strings in an empty list, which is logically redundant since the condition will never be true.

Standards
  • Logic-Verification-Control-Flow
  • Algorithm-Correctness-Conditional-Logic


options.files = files_split
Comment on lines +325 to +339
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inconsistent Empty Entry Handling

The code handles trailing empty entries differently from empty entries elsewhere in the list. This inconsistency could cause confusion and unexpected behavior when users have empty entries in their configuration files.

Standards
  • ISO-IEC-25010-Reliability-Maturity
  • ISO-IEC-25010-Functional-Correctness-Appropriateness

Comment on lines +325 to +339
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redundant Empty Check

The empty string check in split_and_match_files_list() is duplicated in parse_config_file(). This creates two places to maintain the same logic. Consider consolidating the empty string validation to avoid future maintenance issues.

Standards
  • Clean-Code-DRY
  • Maintainability-Quality-Coupling


Comment on lines +326 to +340
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inconsistent Empty String Handling

The code rejects empty strings in the middle of file lists but accepts them at the end. However, the split_and_match_files_list function silently skips empty paths. This inconsistency creates different behavior between config parsing and direct file list processing.

Suggested change
raw_files = section["files"].strip()
files_split = [file.strip() for file in raw_files.split(",")]
# Remove trailing empty entry if present
if files_split and files_split[-1] == "":
files_split.pop()
# Raise an error if there are any remaining empty strings
if "" in files_split:
raise ValueError(
"Invalid config: Empty filenames are not allowed except for trailing commas."
)
options.files = files_split
if "files" in section:
raw_files = section["files"].strip()
if raw_files:
files_split = [file.strip() for file in raw_files.split(",")]
# Filter out empty entries for consistency with split_and_match_files_list
files_split = [f for f in files_split if f]
options.files = files_split
else:
options.files = []
Standards
  • Logic-Verification-Consistency
  • Business-Rule-Validation-Completeness

prefix = f"{file_read}: [mypy]: "
updates, report_dirs = parse_section(
prefix, options, set_strict_flags, section, config_types, stderr
Expand Down
168 changes: 168 additions & 0 deletions mypy/test/testconfigparser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,168 @@
import os
import tempfile
from unittest import TestCase, main

from mypy.config_parser import parse_config_file
from mypy.options import Options


class TestConfigParser(TestCase):
def test_parse_config_file_with_single_file(self) -> None:
"""A single file should be correctly parsed."""
with tempfile.TemporaryDirectory() as tmpdirname:
config_path = os.path.join(tmpdirname, "test_config.ini")

with open(config_path, "w") as f:
f.write(
"""
[mypy]
files = file1.py
"""
)

options = Options()

parse_config_file(options, lambda: None, config_path, stdout=None, stderr=None)

self.assertEqual(options.files, ["file1.py"])

def test_parse_config_file_with_no_spaces(self) -> None:
"""Files listed without spaces should be correctly parsed."""
with tempfile.TemporaryDirectory() as tmpdirname:
config_path = os.path.join(tmpdirname, "test_config.ini")

with open(config_path, "w") as f:
f.write(
"""
[mypy]
files =file1.py,file2.py,file3.py
"""
)

options = Options()

parse_config_file(options, lambda: None, config_path, stdout=None, stderr=None)

self.assertEqual(options.files, ["file1.py", "file2.py", "file3.py"])

def test_parse_config_file_with_extra_spaces(self) -> None:
"""Files with extra spaces should be correctly parsed."""
with tempfile.TemporaryDirectory() as tmpdirname:
config_path = os.path.join(tmpdirname, "test_config.ini")

with open(config_path, "w") as f:
f.write(
"""
[mypy]
files = file1.py , file2.py , file3.py
"""
)

options = Options()

parse_config_file(options, lambda: None, config_path, stdout=None, stderr=None)

self.assertEqual(options.files, ["file1.py", "file2.py", "file3.py"])

def test_parse_config_file_with_empty_files_key(self) -> None:
"""An empty files key should result in an empty list."""
with tempfile.TemporaryDirectory() as tmpdirname:
config_path = os.path.join(tmpdirname, "test_config.ini")

with open(config_path, "w") as f:
f.write(
"""
[mypy]
files =
"""
)

options = Options()

parse_config_file(options, lambda: None, config_path, stdout=None, stderr=None)

self.assertEqual(options.files, [])

def test_parse_config_file_with_only_comma(self) -> None:
"""A files key with only a comma should raise an error."""
with tempfile.TemporaryDirectory() as tmpdirname:
config_path = os.path.join(tmpdirname, "test_config.ini")

with open(config_path, "w") as f:
f.write(
"""
[mypy]
files = ,
"""
)

options = Options()

with self.assertRaises(ValueError) as cm:
parse_config_file(options, lambda: None, config_path, stdout=None, stderr=None)

self.assertIn("Invalid config", str(cm.exception))

def test_parse_config_file_with_only_whitespace(self) -> None:
"""A files key with only whitespace should result in an empty list."""
with tempfile.TemporaryDirectory() as tmpdirname:
config_path = os.path.join(tmpdirname, "test_config.ini")

with open(config_path, "w") as f:
f.write(
"""
[mypy]
files =
"""
)

options = Options()

parse_config_file(options, lambda: None, config_path, stdout=None, stderr=None)

self.assertEqual(options.files, [])

def test_parse_config_file_with_mixed_valid_and_invalid_entries(self) -> None:
"""Mix of valid and invalid filenames should raise an error."""
with tempfile.TemporaryDirectory() as tmpdirname:
config_path = os.path.join(tmpdirname, "test_config.ini")

with open(config_path, "w") as f:
f.write(
"""
[mypy]
files = file1.py, , , file2.py
"""
)

options = Options()

with self.assertRaises(ValueError) as cm:
parse_config_file(options, lambda: None, config_path, stdout=None, stderr=None)

self.assertIn("Invalid config", str(cm.exception))

def test_parse_config_file_with_newlines_between_files(self) -> None:
"""Newlines between file entries should be correctly handled."""
with tempfile.TemporaryDirectory() as tmpdirname:
config_path = os.path.join(tmpdirname, "test_config.ini")

with open(config_path, "w") as f:
f.write(
"""
[mypy]
files = file1.py,
file2.py,
file3.py
"""
)

options = Options()

parse_config_file(options, lambda: None, config_path, stdout=None, stderr=None)

self.assertEqual(options.files, ["file1.py", "file2.py", "file3.py"])


if __name__ == "__main__":
main()