fix: remove naive regex parsing of .gitmodules file (#15)

Author: sgoudham

dist/index.js

@@ -3072,6 +3072,293 @@ function copyFile(srcFile, destFile, force) {
 }
 //# sourceMappingURL=io.js.map
 
+/***/ }),
+
+/***/ 6202:
+/***/ ((module) => {
+
+const { hasOwnProperty } = Object.prototype
+
+const encode = (obj, opt = {}) => {
+  if (typeof opt === 'string') {
+    opt = { section: opt }
+  }
+  opt.align = opt.align === true
+  opt.newline = opt.newline === true
+  opt.sort = opt.sort === true
+  opt.whitespace = opt.whitespace === true || opt.align === true
+  // The `typeof` check is required because accessing the `process` directly fails on browsers.
+  /* istanbul ignore next */
+  opt.platform = opt.platform || (typeof process !== 'undefined' && process.platform)
+  opt.bracketedArray = opt.bracketedArray !== false
+
+  /* istanbul ignore next */
+  const eol = opt.platform === 'win32' ? '\r\n' : '\n'
+  const separator = opt.whitespace ? ' = ' : '='
+  const children = []
+
+  const keys = opt.sort ? Object.keys(obj).sort() : Object.keys(obj)
+
+  let padToChars = 0
+  // If aligning on the separator, then padToChars is determined as follows:
+  // 1. Get the keys
+  // 2. Exclude keys pointing to objects unless the value is null or an array
+  // 3. Add `[]` to array keys
+  // 4. Ensure non empty set of keys
+  // 5. Reduce the set to the longest `safe` key
+  // 6. Get the `safe` length
+  if (opt.align) {
+    padToChars = safe(
+      (
+        keys
+          .filter(k => obj[k] === null || Array.isArray(obj[k]) || typeof obj[k] !== 'object')
+          .map(k => Array.isArray(obj[k]) ? `${k}[]` : k)
+      )
+        .concat([''])
+        .reduce((a, b) => safe(a).length >= safe(b).length ? a : b)
+    ).length
+  }
+
+  let out = ''
+  const arraySuffix = opt.bracketedArray ? '[]' : ''
+
+  for (const k of keys) {
+    const val = obj[k]
+    if (val && Array.isArray(val)) {
+      for (const item of val) {
+        out += safe(`${k}${arraySuffix}`).padEnd(padToChars, ' ') + separator + safe(item) + eol
+      }
+    } else if (val && typeof val === 'object') {
+      children.push(k)
+    } else {
+      out += safe(k).padEnd(padToChars, ' ') + separator + safe(val) + eol
+    }
+  }
+
+  if (opt.section && out.length) {
+    out = '[' + safe(opt.section) + ']' + (opt.newline ? eol + eol : eol) + out
+  }
+
+  for (const k of children) {
+    const nk = splitSections(k, '.').join('\\.')
+    const section = (opt.section ? opt.section + '.' : '') + nk
+    const child = encode(obj[k], {
+      ...opt,
+      section,
+    })
+    if (out.length && child.length) {
+      out += eol
+    }
+
+    out += child
+  }
+
+  return out
+}
+
+function splitSections (str, separator) {
+  var lastMatchIndex = 0
+  var lastSeparatorIndex = 0
+  var nextIndex = 0
+  var sections = []
+
+  do {
+    nextIndex = str.indexOf(separator, lastMatchIndex)
+
+    if (nextIndex !== -1) {
+      lastMatchIndex = nextIndex + separator.length
+
+      if (nextIndex > 0 && str[nextIndex - 1] === '\\') {
+        continue
+      }
+
+      sections.push(str.slice(lastSeparatorIndex, nextIndex))
+      lastSeparatorIndex = nextIndex + separator.length
+    }
+  } while (nextIndex !== -1)
+
+  sections.push(str.slice(lastSeparatorIndex))
+
+  return sections
+}
+
+const decode = (str, opt = {}) => {
+  opt.bracketedArray = opt.bracketedArray !== false
+  const out = Object.create(null)
+  let p = out
+  let section = null
+  //          section          |key      = value
+  const re = /^\[([^\]]*)\]\s*$|^([^=]+)(=(.*))?$/i
+  const lines = str.split(/[\r\n]+/g)
+  const duplicates = {}
+
+  for (const line of lines) {
+    if (!line || line.match(/^\s*[;#]/) || line.match(/^\s*$/)) {
+      continue
+    }
+    const match = line.match(re)
+    if (!match) {
+      continue
+    }
+    if (match[1] !== undefined) {
+      section = unsafe(match[1])
+      if (section === '__proto__') {
+        // not allowed
+        // keep parsing the section, but don't attach it.
+        p = Object.create(null)
+        continue
+      }
+      p = out[section] = out[section] || Object.create(null)
+      continue
+    }
+    const keyRaw = unsafe(match[2])
+    let isArray
+    if (opt.bracketedArray) {
+      isArray = keyRaw.length > 2 && keyRaw.slice(-2) === '[]'
+    } else {
+      duplicates[keyRaw] = (duplicates?.[keyRaw] || 0) + 1
+      isArray = duplicates[keyRaw] > 1
+    }
+    const key = isArray && keyRaw.endsWith('[]')
+      ? keyRaw.slice(0, -2) : keyRaw
+
+    if (key === '__proto__') {
+      continue
+    }
+    const valueRaw = match[3] ? unsafe(match[4]) : true
+    const value = valueRaw === 'true' ||
+      valueRaw === 'false' ||
+      valueRaw === 'null' ? JSON.parse(valueRaw)
+      : valueRaw
+
+    // Convert keys with '[]' suffix to an array
+    if (isArray) {
+      if (!hasOwnProperty.call(p, key)) {
+        p[key] = []
+      } else if (!Array.isArray(p[key])) {
+        p[key] = [p[key]]
+      }
+    }
+
+    // safeguard against resetting a previously defined
+    // array by accidentally forgetting the brackets
+    if (Array.isArray(p[key])) {
+      p[key].push(value)
+    } else {
+      p[key] = value
+    }
+  }
+
+  // {a:{y:1},"a.b":{x:2}} --> {a:{y:1,b:{x:2}}}
+  // use a filter to return the keys that have to be deleted.
+  const remove = []
+  for (const k of Object.keys(out)) {
+    if (!hasOwnProperty.call(out, k) ||
+      typeof out[k] !== 'object' ||
+      Array.isArray(out[k])) {
+      continue
+    }
+
+    // see if the parent section is also an object.
+    // if so, add it to that, and mark this one for deletion
+    const parts = splitSections(k, '.')
+    p = out
+    const l = parts.pop()
+    const nl = l.replace(/\\\./g, '.')
+    for (const part of parts) {
+      if (part === '__proto__') {
+        continue
+      }
+      if (!hasOwnProperty.call(p, part) || typeof p[part] !== 'object') {
+        p[part] = Object.create(null)
+      }
+      p = p[part]
+    }
+    if (p === out && nl === l) {
+      continue
+    }
+
+    p[nl] = out[k]
+    remove.push(k)
+  }
+  for (const del of remove) {
+    delete out[del]
+  }
+
+  return out
+}
+
+const isQuoted = val => {
+  return (val.startsWith('"') && val.endsWith('"')) ||
+    (val.startsWith("'") && val.endsWith("'"))
+}
+
+const safe = val => {
+  if (
+    typeof val !== 'string' ||
+    val.match(/[=\r\n]/) ||
+    val.match(/^\[/) ||
+    (val.length > 1 && isQuoted(val)) ||
+    val !== val.trim()
+  ) {
+    return JSON.stringify(val)
+  }
+  return val.split(';').join('\\;').split('#').join('\\#')
+}
+
+const unsafe = val => {
+  val = (val || '').trim()
+  if (isQuoted(val)) {
+    // remove the single quotes before calling JSON.parse
+    if (val.charAt(0) === "'") {
+      val = val.slice(1, -1)
+    }
+    try {
+      val = JSON.parse(val)
+    } catch {
+      // ignore errors
+    }
+  } else {
+    // walk the val to find the first not-escaped ; character
+    let esc = false
+    let unesc = ''
+    for (let i = 0, l = val.length; i < l; i++) {
+      const c = val.charAt(i)
+      if (esc) {
+        if ('\\;#'.indexOf(c) !== -1) {
+          unesc += c
+        } else {
+          unesc += '\\' + c
+        }
+
+        esc = false
+      } else if (';#'.indexOf(c) !== -1) {
+        break
+      } else if (c === '\\') {
+        esc = true
+      } else {
+        unesc += c
+      }
+    }
+    if (esc) {
+      unesc += '\\'
+    }
+
+    return unesc.trim()
+  }
+  return val
+}
+
+module.exports = {
+  parse: decode,
+  decode,
+  stringify: encode,
+  encode,
+  safe,
+  unsafe,
+}
+
+
 /***/ }),
 
 /***/ 4225:
@@ -30675,7 +30962,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.setDynamicOutputs = exports.updateToLatestTag = exports.updateToLatestCommit = exports.filterSubmodules = exports.parseGitmodules = exports.parseInputs = void 0;
+exports.setDynamicOutputs = exports.updateToLatestTag = exports.updateToLatestCommit = exports.filterSubmodules = exports.parseGitmodules = exports.readFile = exports.parseInputs = void 0;
 exports.run = run;
 const exec_1 = __nccwpck_require__(7775);
 const core = __importStar(__nccwpck_require__(9093));
@@ -30684,11 +30971,16 @@ const logging_1 = __nccwpck_require__(805);
 const markdown_1 = __nccwpck_require__(5094);
 const zod_1 = __nccwpck_require__(8009);
 const git_1 = __nccwpck_require__(3555);
+const ini_1 = __nccwpck_require__(6202);
 const updateStrategy = zod_1.z.enum(["commit", "tag"]);
+const gitmodulesSchema = zod_1.z.record(zod_1.z.string(), zod_1.z.object({
+    path: zod_1.z.string(),
+    url: zod_1.z.string().url(),
+}));
 const parseInputs = () => __awaiter(void 0, void 0, void 0, function* () {
     const gitmodulesPath = core.getInput("gitmodulesPath").trim();
     const inputSubmodules = core.getInput("submodules").trim();
-    const strategy = yield updateStrategy.parseAsync(core.getInput("strategy"));
+    const strategy = yield updateStrategy.parseAsync(core.getInput("strategy").trim());
     // Github Actions doesn't support array inputs, so submodules must be separated by newlines
     const parsedSubmodules = inputSubmodules
         .split("\n")
@@ -30717,10 +31009,14 @@ const readFile = (path) => __awaiter(void 0, void 0, void 0, function* () {
         throw error;
     });
 });
+exports.readFile = readFile;
 const parseGitmodules = (content) => __awaiter(void 0, void 0, void 0, function* () {
-    const gitmodulesRegex = /^\s*\[submodule\s+"([^"]+)"\]\s*\n\s*path\s*=\s*(.+)\s*\n\s*url\s*=\s*(.+)\s*$/gm;
-    const parsedContent = Array.from(content.matchAll(gitmodulesRegex));
-    const detectedSubmodules = yield Promise.all(parsedContent.map((_a) => __awaiter(void 0, [_a], void 0, function* ([_, name, path, url]) {
+    const parsed = (0, ini_1.parse)(content);
+    const gitmodules = yield gitmodulesSchema.parseAsync(parsed);
+    return yield Promise.all(Object.entries(gitmodules).map((_a) => __awaiter(void 0, [_a], void 0, function* ([key, values]) {
+        const name = key.split('"')[1].trim();
+        const path = values.path.replace(/"/g, "").trim();
+        const url = values.url.replace(/"/g, "").trim();
         const [previousCommitSha, previousShortCommitSha] = yield (0, git_1.getCommit)(path);
         const previousTag = yield (0, git_1.getPreviousTag)(path);
         return {
@@ -30736,7 +31032,6 @@ const parseGitmodules = (content) => __awaiter(void 0, void 0, void 0, function*
             previousTag,
         };
     })));
-    return detectedSubmodules;
 });
 exports.parseGitmodules = parseGitmodules;
 const filterSubmodules = (inputSubmodules, detectedSubmodules, strategy) => __awaiter(void 0, void 0, void 0, function* () {
@@ -30823,7 +31118,7 @@ function run() {
     return __awaiter(this, void 0, void 0, function* () {
         try {
             const { gitmodulesPath, inputSubmodules, strategy } = yield (0, exports.parseInputs)();
-            const gitmodulesContent = yield readFile(gitmodulesPath);
+            const gitmodulesContent = yield (0, exports.readFile)(gitmodulesPath);
             if (gitmodulesContent === "") {
                 core.info("No submodules detected.");
                 core.info("Nothing to do. Exiting...");

dist/index.js.map

@@ -81,6 +81,25 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 IN THE SOFTWARE.
 
+ini
+ISC
+The ISC License
+
+Copyright (c) Isaac Z. Schlueter and Contributors
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+
 tunnel
 MIT
 The MIT License (MIT)

dist/licenses.txt

@@ -36,10 +36,12 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/exec": "^1.1.1",
+    "ini": "^4.1.3",
     "zod": "^3.23.8"
   },
   "devDependencies": {
     "@tsconfig/recommended": "^1.0.7",
+    "@types/ini": "^4.1.1",
     "@types/node": "^22.2.0",
     "@vercel/ncc": "^0.38.1",
     "@vitest/coverage-v8": "^2.0.5",