
fix(flow-php/telemetry): harden GitDetector against hostile repositories#2474

Merged
norberttech merged 1 commit into 1.x from git-detector-hardening on Jun 22, 2026

Conversation

@norberttech

Member

Change Log


Added

Fixed

Changed

  • flow-php/telemetry - GitDetector reads git via a non-blocking, timeout-bounded subprocess.
  • flow-php/phpunit-telemetry-bridge - resource detectors are now wired explicitly through resource_detector().

Removed

Deprecated

Security

  • flow-php/telemetry - GitDetector kills hanging git commands and caps output to resist hostile repositories.
  • flow-php/telemetry - remote URL sanitizer now strips query and fragment so embedded tokens are never reported.

- bound git subprocess with a timeout, GIT_TERMINAL_PROMPT=0 and a
stdout cap
- strip query and fragment from remote URLs alongside credentials
- extract git test fixture into GitContext + GitTestCase
- wire explicit detectors in phpunit telemetry factory
@norberttech norberttech added this to the 0.41.0 milestone Jun 22, 2026
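One way to implement the two hardening measures the PR describes, as an added example that is not flow-php's own code: a git subprocess bounded by a timeout, `GIT_TERMINAL_PROMPT=0`, and a stdout cap (a git that hangs or floods is killed rather than waited on), plus a remote URL sanitizer that drops userinfo, query and fragment together. The function names `runGit()` and `sanitizeRemoteUrl()`, the 2 s / 8 KiB limits, and the extra environment variables beyond `GIT_TERMINAL_PROMPT` are assumptions; the sample URLs are constructed with placeholder tokens.

```php
<?php
declare(strict_types=1);

// Added example, not flow-php code. Assumed: runGit(), sanitizeRemoteUrl(),
// a 2 s timeout and an 8 KiB stdout cap. Needs PHP 8.1+ (proc_open with an
// argument array, str_contains); the kill signal is ignored on Windows.

/**
 * Run git in $cwd and return its trimmed stdout, or null when git is missing,
 * exits non-zero, does not finish within $timeoutSeconds, or writes more than
 * $maxBytes. A git that hangs or floods is SIGKILLed, never waited on.
 */
function runGit(array $args, string $cwd, float $timeoutSeconds = 2.0, int $maxBytes = 8192): ?string
{
    $cmd = array_merge(['git', '-C', $cwd, '--no-pager'], $args);
    // Minimal environment: GIT_TERMINAL_PROMPT=0 makes git fail instead of
    // prompting for credentials; the rest is just enough for git to run.
    $env = [
        'GIT_TERMINAL_PROMPT' => '0',
        'GIT_OPTIONAL_LOCKS'  => '0', // assumption: read-only, leave index locks alone
        'LC_ALL'              => 'C',
        'PATH'                => getenv('PATH') ?: '/usr/bin:/bin',
        'HOME'                => getenv('HOME') ?: '/nonexistent',
    ];
    $spec = [
        0 => ['file', '/dev/null', 'r'], // no stdin: nothing to prompt on
        1 => ['pipe', 'w'],
        2 => ['file', '/dev/null', 'w'], // stderr is discarded
    ];
    $proc = @proc_open($cmd, $spec, $pipes, $cwd, $env);
    if (!\is_resource($proc)) {
        return null;
    }
    stream_set_blocking($pipes[1], false);

    $out = '';
    $eof = false;
    $deadline = microtime(true) + $timeoutSeconds;
    while (true) {
        $left = $deadline - microtime(true);
        if ($left <= 0) {
            break; // timed out
        }
        $read = [$pipes[1]];
        $write = $except = null;
        $sec = (int) floor($left);
        $n = stream_select($read, $write, $except, $sec, (int) (($left - $sec) * 1_000_000));
        if ($n === false) {
            break;
        }
        if ($n === 0) {
            continue; // select timed out; the loop re-checks the deadline
        }
        $chunk = fread($pipes[1], 8192);
        if ($chunk === false) {
            break;
        }
        if ($chunk === '') {
            if (feof($pipes[1])) {
                $eof = true;
                break;
            }
            continue;
        }
        $out .= $chunk;
        if (\strlen($out) > $maxBytes) {
            break; // output cap exceeded: stop reading, treat as hostile
        }
    }
    fclose($pipes[1]);

    if (!$eof) {
        proc_terminate($proc, 9); // SIGKILL: git must not outlive the detector
        proc_close($proc);
        return null;
    }
    return proc_close($proc) === 0 ? trim($out) : null;
}

/**
 * Keep only scheme, host, port and path of a remote URL. Userinfo, query and
 * fragment are dropped so a token embedded in any of them is never reported.
 * Returns null for anything that does not look like a remote.
 */
function sanitizeRemoteUrl(string $url): ?string
{
    $url = trim($url);
    // scp-like form [user@]host:path has no scheme; cut at ? or # anyway.
    if (!str_contains($url, '://') && preg_match('~^(?:[^@/\s]+@)?([^:/\s]+):([^\s]+)$~', $url, $m) === 1) {
        return $m[1] . ':' . preg_replace('~[?#].*$~', '', $m[2]);
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $clean = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    return $clean . ($p['path'] ?? '');
}

// Constructed inputs with placeholder tokens, not real remotes.
foreach ([
    'https://x-access-token:ghp_placeholder@github.com/flow-php/flow.git',
    'https://github.com/flow-php/flow.git?access_token=placeholder#frag',
    'git@github.com:flow-php/flow.git',
    'ssh://git@github.com:2222/flow-php/flow.git',
] as $raw) {
    printf("%s\n  -> %s\n", $raw, sanitizeRemoteUrl($raw) ?? '(not reported)');
}

// Bounded reads against the working directory: null on any limit or non-zero exit.
$cwd = getcwd() ?: '.';
var_dump(runGit(['rev-parse', '--short', 'HEAD'], $cwd));
var_dump(runGit(['remote', 'get-url', 'origin'], $cwd));
```

Every failure path (no git, timeout, cap exceeded, non-zero exit, unparseable URL) collapses to null, so a resource detector built on this reports nothing rather than something partial or attacker-controlled; stdin is `/dev/null` so even a git that ignores `GIT_TERMINAL_PROMPT` has nothing to block on.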
@codecov

codecov Bot commented Jun 22, 2026


Codecov Report

❌ Patch coverage is 90.38462% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.18%. Comparing base (1a6e3ae) to head (5636372).
⚠️ Report is 1 commit behind head on 1.x.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@             Coverage Diff              @@
##                1.x    #2474      +/-   ##
============================================
- Coverage     85.18%   85.18%   -0.01%     
- Complexity    21395    21408      +13     
============================================
  Files          1620     1620              
  Lines         66049    66083      +34     
============================================
+ Hits          56263    56291      +28     
- Misses         9786     9792       +6     
Components: coverage, <patch coverage>, (Δ vs base; ø = no change)
etl 88.43% <ø> (ø)
cli 89.40% <ø> (ø)
lib-array-dot 81.44% <ø> (ø)
lib-azure-sdk 64.44% <ø> (ø)
lib-doctrine-dbal-bulk 93.61% <ø> (ø)
lib-filesystem 85.03% <ø> (ø)
lib-types 90.06% <ø> (ø)
lib-parquet 70.10% <ø> (ø)
lib-parquet-viewer 82.26% <ø> (ø)
lib-snappy 89.38% <ø> (-0.45%) ⬇️
lib-dremel 0.00% <ø> (ø)
lib-postgresql 88.59% <ø> (ø)
lib-telemetry 86.12% <88.63%> (-0.04%) ⬇️
bridge-filesystem-async-aws 92.74% <ø> (ø)
bridge-filesystem-azure 90.45% <ø> (ø)
bridge-monolog-http 96.82% <ø> (ø)
bridge-monolog-telemetry 94.11% <ø> (ø)
bridge-openapi-specification 92.07% <ø> (ø)
symfony-http-foundation 78.57% <ø> (ø)
bridge-psr18-telemetry 100.00% <ø> (ø)
bridge-psr3-telemetry 97.84% <ø> (ø)
bridge-psr7-telemetry 100.00% <ø> (ø)
bridge-telemetry-otlp 89.90% <ø> (ø)
bridge-symfony-http-foundation-telemetry 89.47% <ø> (ø)
bridge-symfony-filesystem-bundle 90.66% <ø> (ø)
bridge-symfony-filesystem-cache 98.14% <ø> (ø)
bridge-symfony-postgresql-bundle 93.83% <ø> (ø)
bridge-symfony-postgresql-cache 94.41% <ø> (ø)
bridge-symfony-postgresql-messenger 98.80% <ø> (ø)
bridge-symfony-postgresql-session 93.65% <ø> (ø)
bridge-symfony-telemetry-bundle 81.83% <ø> (ø)
adapter-chartjs 84.05% <ø> (ø)
adapter-csv 91.16% <ø> (ø)
adapter-doctrine 90.79% <ø> (ø)
adapter-google-sheet 99.18% <ø> (ø)
adapter-http 72.34% <ø> (ø)
adapter-json 88.63% <ø> (ø)
adapter-logger 50.00% <ø> (ø)
adapter-parquet 77.70% <ø> (ø)
adapter-text 74.13% <ø> (ø)
adapter-xml 83.40% <ø> (ø)
adapter-avro 0.00% <ø> (ø)
adapter-excel 94.21% <ø> (ø)
adapter-postgresql 91.06% <ø> (ø)
adapter-seal 85.42% <ø> (ø)
bridge-phpunit-postgresql 75.30% <ø> (ø)
bridge-phpunit-telemetry 80.29% <100.00%> (+0.17%) ⬆️
bridge-phpstan-types 0.00% <ø> (ø)
bridge-postgresql-valinor 100.00% <ø> (ø)

@norberttech norberttech merged commit 9d97ff4 into 1.x Jun 22, 2026
38 checks passed
@norberttech norberttech deleted the git-detector-hardening branch June 22, 2026 09:46
@github-project-automation github-project-automation Bot moved this from Todo to Done in Roadmap Jun 22, 2026