Skip to content

fix(corroborate): escape boot() error + fail-closed meta schema gate#1500

Merged
njhensley merged 2 commits into
NVIDIA:mainfrom
njhensley:fix/corroborate-review-followups
Jun 26, 2026
Merged

fix(corroborate): escape boot() error + fail-closed meta schema gate#1500
njhensley merged 2 commits into
NVIDIA:mainfrom
njhensley:fix/corroborate-review-followups

Conversation

@njhensley

Copy link
Copy Markdown
Member

Summary

Two post-merge review follow-ups from #1483: escape the one unescaped error string in the dashboard renderer, and make the meta.json schema-version gate fail closed on an incompatible major (symmetric with the allowlist loader).

Motivation / Context

#1483 merged with two non-blocking review threads still open. This addresses both.

Fixes: N/A
Related: #1483, #1404

Type of Change

  • Bug fix (non-breaking change that fixes an issue)

Component(s) Affected

  • Other: corroboration dashboard generator (pkg/corroborate)

Implementation Notes

  • Renderer (renderer/index.html): boot()'s catch interpolated err.message into innerHTML unescaped — the one data-adjacent string bypassing the otherwise-universal esc() discipline (some browsers embed a snippet of the offending index.json into SyntaxError messages). CSP (script-src 'self' 'unsafe-inline') blocks execution so it was not exploitable, but it is now wrapped with esc(err.message) to match the series error path.
  • loadRun schema gate: a meta.json schema-version mismatch previously only warned and continued, asymmetric with LoadAllowlist, which fails closed on an unsupported schemaVersion because a future schema may change trust semantics. An incompatible major (e.g. meta/v2 repurposing signer/allowlisted) is now skipped via errSkipRun rather than parsed under v1 assumptions. An empty version stays tolerated by design (GP2 may omit it); a same-major future minor still loads with a warning. New compatibleMetaSchema/schemaMajor helpers carry the logic.

Testing

go test ./pkg/corroborate/... ./tools/corroborate/...
golangci-lint run -c .golangci.yaml ./pkg/corroborate/... ./tools/corroborate/...

All pass; lint reports 0 issues. Added a table test for compatibleMetaSchema and an integration test asserting a meta/v2 run is skipped.

Risk Assessment

  • Low — Isolated change, well-tested, easy to revert

Rollout notes: N/A — behavior change only affects malformed/future-major evidence (skipped instead of mis-parsed) and an error-banner code path.

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

Two follow-ups from the NVIDIA#1483 review:

- renderer: boot()'s catch interpolated err.message into innerHTML unescaped,
  the one data-adjacent string bypassing the universal esc() discipline (CSP
  blocks execution, so not exploitable). Wrap with esc(err.message) to match
  the series error path.
- loadRun: a meta.json schema-version mismatch only warned and continued,
  asymmetric with LoadAllowlist's fail-closed stance. An incompatible major
  (e.g. meta/v2 repurposing a field) is now skipped via errSkipRun so it is not
  parsed under current assumptions; an empty version stays tolerated by design
  and a same-major minor still loads with a warning. Add compatibleMetaSchema/
  schemaMajor with table + integration tests.

Signed-off-by: Nathan Hensley <[email protected]>
@njhensley njhensley requested a review from a team as a code owner June 26, 2026 20:35
@njhensley njhensley added the theme/community Contributor onboarding, docs, and external engagement label Jun 26, 2026
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: f869f44c-c824-428b-b30d-28535f717aaf

📥 Commits

Reviewing files that changed from the base of the PR and between 14e347a and 93c587b.

📒 Files selected for processing (3)
  • pkg/corroborate/generate.go
  • pkg/corroborate/generate_test.go
  • pkg/corroborate/renderer/index.html

📝 Walkthrough

Walkthrough

Adds schema-major compatibility handling for run loading, including helpers that accept empty schema versions and compare only major versions. Runs with incompatible majors now log a warning and are skipped, and tests cover both compatibility cases and the skip behavior. The boot-time error banner now escapes the displayed error message and updates the first line markup.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the two main changes: escaping the boot error and making the meta schema gate fail closed.
Description check ✅ Passed The description is directly related to the code changes and accurately explains the renderer and schema-gating updates.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@njhensley njhensley enabled auto-merge (squash) June 26, 2026 20:42

@mchmarny mchmarny left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both follow-ups are correct and well-scoped:

  • esc(err.message) closes the one data-adjacent string bypassing the otherwise-universal escaping discipline — good hardening regardless of the CSP backstop.
  • The schema gate fails closed on an incompatible major and stays symmetric with LoadAllowlist. schemaMajor/compatibleMetaSchema correctly tolerate empty (GP2) and same-major minors while skipping a future major via errSkipRun. Table test + the meta/v2 integration test cover the behavior.

CI green, lint clean. LGTM.

@njhensley njhensley merged commit ab022b2 into NVIDIA:main Jun 26, 2026
30 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/M theme/community Contributor onboarding, docs, and external engagement

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants