From 44dd000c53894bb3476789b840563fe2813455e0 Mon Sep 17 00:00:00 2001
From: xiaoxing0135 <706015750@qq.com>
Date: Fri, 5 Jun 2026 03:13:52 +0800
Subject: [PATCH 1/2] fix: disable Git LFS to prevent errors on machines without git-lfs

---
 .gitattributes | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.gitattributes b/.gitattributes
index e18bdbe..bf0808a 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -44,8 +44,9 @@ LICENSE text eol=lf
 *.dmg binary
 *.jmx binary
 *.har binary
-*.png filter=lfs diff=lfs merge=lfs -text
-*.jpg filter=lfs diff=lfs merge=lfs -text
+# LFS disabled — git-lfs not installed on all dev machines
+# *.png filter=lfs diff=lfs merge=lfs -text
+# *.jpg filter=lfs diff=lfs merge=lfs -text
 # linguist(GitHub 语言识别)
 05-代码示例/* linguist-language=Python

From 632234994f74b0bfe4c9fbd3ed7b21c1aa71970c Mon Sep 17 00:00:00 2001
From: xiaoxing0135 <706015750@qq.com>
Date: Fri, 5 Jun 2026 03:20:57 +0800
Subject: [PATCH 2/2] fix: address code review + security review findings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- HIGH: fix parents[2] → parents[3] in test_coordinator.py (file is 4 levels deep, project root is parents[3])
- MEDIUM: fix parser.py ValueError not checking failure count
- MEDIUM: add path traversal guard for target parameter
- LOW: add *.har to .gitignore (may contain credentials)
---
 .gitignore | 3 +++
 runtime/orchestrator/metrics/parser.py | 2 +-
 runtime/orchestrator/workflows/test_coordinator.py | 11 ++++++++++-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 55ec9d1..960a981 100644
--- a/.gitignore
+++ b/.gitignore
@@ -200,3 +200,6 @@ archive/
 # ===== runtime 运行时产物(用户数据,不入仓)=====
 runtime/workspace/
 runtime/web/tsconfig.tsbuildinfo
+
+# ===== 安全:可能含敏感数据的文件 =====
+*.har
diff --git a/runtime/orchestrator/metrics/parser.py b/runtime/orchestrator/metrics/parser.py
index 5a6dbad..ee76c4e 100644
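Review bot: Commenting out the `filter=lfs` rules does not change any PNG/JPG that is already stored as an LFS pointer in history, so on a machine without git-lfs those files will now check out as small text pointer files instead of images; if any such files exist, the commit needs to migrate them back to plain blobs (e.g. `git lfs migrate export --include="*.png,*.jpg"`, run by someone who has git-lfs) rather than only editing the attributes. The removed rules also carried `-text`, which kept Git from ever treating these files as text; to keep that explicit, the two commented-out lines are better replaced with `*.png binary` and `*.jpg binary`, matching the `*.dmg binary` / `*.har binary` entries directly above. The explanatory comment alone carries the intent; commented-out rules tend to linger and get un-commented by accident.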
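Review bot: Adding `*.har` to `.gitignore` only stops untracked captures from being added; any `.har` file that is already committed stays tracked and keeps receiving updates, and anything already in history is already exposed. Before treating this as the fix for the LOW finding, check with `git ls-files '*.har'`, untrack any hits with `git rm --cached`, and treat credentials in previously committed captures as leaked (rotate them). An ignore rule is also bypassed by `git add -f`, so a pre-commit secret scanner would be the stronger control if HAR files are routinely produced here; the `*.har binary` attribute kept in `.gitattributes` is consistent with this change.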
--- a/runtime/orchestrator/metrics/parser.py
+++ b/runtime/orchestrator/metrics/parser.py
@@ -61,7 +61,7 @@ def parse_jmeter_jtl(csv_text: str) -> dict[str, Any]:
 try:
 elapsed_values.append(int(fields[elapsed_idx]))
 except ValueError:
- continue
+ pass # corrupt elapsed, still check success below
 if fields[success_idx].strip().lower() != "true":
 failures += 1
diff --git a/runtime/orchestrator/workflows/test_coordinator.py b/runtime/orchestrator/workflows/test_coordinator.py
index 0138366..8db930d 100644
--- a/runtime/orchestrator/workflows/test_coordinator.py
+++ b/runtime/orchestrator/workflows/test_coordinator.py
@@ -22,7 +22,7 @@
 )
 # Paths relative to project root
-_PROJECT_ROOT = Path(__file__).resolve().parents[2]
+_PROJECT_ROOT = Path(__file__).resolve().parents[3]
 _WORKSPACE = _PROJECT_ROOT / "workspace"
@@ -74,6 +74,15 @@ def run(self, target: str) -> PipelineResult:
 console.print(f"Target: {target[:100]}{'...' if len(target) > 100 else ''}")
 console.print()
+ # Validate target path (prevent traversal)
+ if target and not target.startswith(("http://", "https://")):
+ resolved = Path(target).resolve()
+ if not str(resolved).startswith(str(_PROJECT_ROOT.resolve())):
+ result.ok = False
+ result.aborted_at = "preflight"
+ result.summary = f"Target outside workspace: {target}"
+ return result
+
 # Phase 0: Pre-flight
 missing = self._preflight()
 if missing:
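Review bot: With `continue` replaced by `pass`, a row whose elapsed field is unparseable is silently dropped from `elapsed_values` while still being scored for success, so a garbled or truncated JTL can still come back as a clean-looking result; counting it (for example a `malformed += 1` beside the `pass`, surfaced in the returned `dict[str, Any]`) would make the corruption visible to the caller instead of hiding it. The `try` also covers only the elapsed conversion: if a short row has no `success_idx` column, `fields[success_idx]` on the next line raises IndexError out of the parser — presumably the row splitting above already filters such rows, but that code is outside the hunk, so worth confirming. The body of `parse_jmeter_jtl` starts and ends outside the hunk.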
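Review bot: Moving `_PROJECT_ROOT` up one level to the repository root changes what `_WORKSPACE = _PROJECT_ROOT / "workspace"` on the following context line points at: it now resolves to `<repo>/workspace`, while the `.gitignore` hunk in this same patch names the runtime artefact directory (user data, not to be committed) as `runtime/workspace/`. If that ignored directory is the intended workspace, the derivation should become `_WORKSPACE = _PROJECT_ROOT / "runtime" / "workspace"`, or keep a separate `_RUNTIME_ROOT = Path(__file__).resolve().parents[2]` for runtime-relative paths; otherwise the workspace is created outside the ignored path and its contents can end up committed. The commit message's "4 levels deep" does match `runtime/orchestrator/workflows/test_coordinator.py`, so `parents[3]` itself is the repo root as intended.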
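Review bot: The containment test `str(resolved).startswith(str(_PROJECT_ROOT.resolve()))` is a plain string-prefix check, so a sibling directory whose name extends the root's (`/srv/project-old/x` against root `/srv/project`) is accepted as inside; compare paths instead with `if not resolved.is_relative_to(_PROJECT_ROOT.resolve()):` (`Path.is_relative_to` exists since Python 3.9, which the `dict[str, Any]` annotation in parser.py already requires). The message says "Target outside workspace" but the bound is the whole project root, which includes source and config; if targets are meant to live under `_WORKSPACE`, check against that narrower directory. A relative `target` is resolved against the current working directory rather than the project root, so the same argument can pass or fail depending on where the orchestrator is launched. Two smaller gaps: an empty `target` skips the guard entirely, and the scheme test is case-sensitive, so `HTTP://...` is treated as a filesystem path. `run()` continues outside the hunk.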