Append / to end of registries url

Avoids a bug in 2.10.4. Also, add some better handling for invalid
registries blocks.

Author: aeisenberg

CHANGELOG.md

@@ -42,7 +42,7 @@ No user facing changes.
 ## 2.1.15 - 28 Jun 2022
 
 - CodeQL query packs listed in the `packs` configuration field will be skipped if their target language is not being analyzed in the current Actions job. Previously, this would throw an error. [#1116](https://github.com/github/codeql-action/pull/1116)
-- The combination of python2 and poetry is no longer supported. See https://github.com/actions/setup-python/issues/374 for more details. [#1124](https://github.com/github/codeql-action/pull/1124)
+- The combination of python2 and poetry is no longer supported. See <https://github.com/actions/setup-python/issues/374> for more details. [#1124](https://github.com/github/codeql-action/pull/1124)
 - Update default CodeQL bundle version to 2.10.0. [#1123](https://github.com/github/codeql-action/pull/1123)
 
 ## 2.1.14 - 22 Jun 2022

lib/config-utils.js

@@ -2277,17 +2277,25 @@ test("downloadPacks-with-registries", async (t) => {
 
     const registries = [
       {
+        // no slash
         url: "http://ghcr.io",
         packages: ["codeql/*", "dsp-testing/*"],
         token: "not-a-token",
       },
       {
+        // with slash
         url: "https://containers.GHEHOSTNAME1/v2/",
         packages: "semmle/*",
         token: "still-not-a-token",
       },
     ];
 
+    // append a slash to the first url
+    const expectedRegistries = registries.map((r, i) => ({
+      packages: r.packages,
+      url: i === 0 ? `${r.url}/` : r.url,
+    }));
+
     const expectedConfigFile = path.join(tmpDir, "qlconfig.yml");
     const packDownloadStub = sinon.stub();
     packDownloadStub.callsFake((packs, configFile) => {
@@ -2303,10 +2311,7 @@ test("downloadPacks-with-registries", async (t) => {
       const config = yaml.load(fs.readFileSync(configFile, "utf8")) as {
         registries: configUtils.RegistryConfigNoCredentials[];
       };
-      t.deepEqual(
-        config.registries,
-        registries.map((r) => ({ url: r.url, packages: r.packages }))
-      );
+      t.deepEqual(config.registries, expectedRegistries);
       return {
         packs,
       };
@@ -2375,24 +2380,61 @@ test("downloadPacks-with-registries fails on 2.10.3", async (t) => {
       getVersion: () => Promise.resolve("2.10.3"),
     });
     await t.throwsAsync(
-      async () =>
-        // packs are supplied for go, java, and python
-        // analyzed languages are java, javascript, and python
-        {
-          /* packs are supplied for go, java, and python*/
-          /* analyzed languages are java, javascript, and python*/
-          return await configUtils.downloadPacks(
-            codeQL,
-            [Language.javascript, Language.java, Language.python],
-            {},
-            registries,
-            sampleApiDetails,
-            tmpDir,
-            logger
-          );
-        },
+      async () => {
+        return await configUtils.downloadPacks(
+          codeQL,
+          [Language.javascript, Language.java, Language.python],
+          {},
+          registries,
+          sampleApiDetails,
+          tmpDir,
+          logger
+        );
+      },
+      { instanceOf: Error },
+      "'registries' input is not supported on CodeQL versions less than 2.10.4."
+    );
+  });
+});
+
+test("downloadPacks-with-registries fails with invalid registries block", async (t) => {
+  // same thing, but this time include a registries block and
+  // associated env vars
+  return await util.withTmpDir(async (tmpDir) => {
+    process.env.GITHUB_TOKEN = "not-a-token";
+    process.env.CODEQL_REGISTRIES_AUTH = "not-a-registries-auth";
+    const logger = getRunnerLogger(true);
+
+    const registries = [
+      {
+        // missing url property
+        packages: ["codeql/*", "dsp-testing/*"],
+        token: "not-a-token",
+      },
+      {
+        url: "https://containers.GHEHOSTNAME1/v2/",
+        packages: "semmle/*",
+        token: "still-not-a-token",
+      },
+    ];
+
+    const codeQL = setCodeQL({
+      getVersion: () => Promise.resolve("2.10.4"),
+    });
+    await t.throwsAsync(
+      async () => {
+        return await configUtils.downloadPacks(
+          codeQL,
+          [Language.javascript, Language.java, Language.python],
+          {},
+          registries as any,
+          sampleApiDetails,
+          tmpDir,
+          logger
+        );
+      },
       { instanceOf: Error },
-      "'registries' input is not supported on CodeQL versions less than 2.10.5."
+      "Invalid 'registries' input. Must be an array of objects with 'url' and 'packages' properties."
     );
   });
 });

lib/config-utils.js.map

@@ -1900,9 +1900,19 @@ export async function downloadPacks(
 function createRegistriesBlock(registries: RegistryConfigWithCredentials[]): {
   registries: RegistryConfigNoCredentials[];
 } {
+  if (
+    !Array.isArray(registries) ||
+    registries.some((r) => !r.url || !r.packages)
+  ) {
+    throw new Error(
+      "Invalid 'registries' input. Must be an array of objects with 'url' and 'packages' properties."
+    );
+  }
+
   // be sure to remove the `token` field from the registry before writing it to disk.
   const safeRegistries = registries.map((registry) => ({
-    url: registry.url,
+    // ensure the url ends with a slash to avoid a bug in the CLI 2.10.4
+    url: !registry?.url.endsWith("/") ? `${registry.url}/` : registry.url,
     packages: registry.packages,
   }));
   const qlconfig = {