From 0b53f0df9532534690cc6766f3b793ddcaa31801 Mon Sep 17 00:00:00 2001 From: Victor Benarbia Date: Thu, 12 Feb 2026 22:09:24 -0600 Subject: [PATCH 1/2] Fix release task: use 'v' prefix for tags and inject PKG_CONFIG_PATH for dist-check. --- Rakefile | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/Rakefile b/Rakefile index 6f45669..29bcbe2 100644 --- a/Rakefile +++ b/Rakefile @@ -79,9 +79,8 @@ end desc('release current library') task release: [:default] do # Extract version from meson.build - meson_build = File.read('meson.build') - version = meson_build.match(/version\s*:\s*'([^']+)'/)[1] - tag = "#{version}" + version = File.read('meson.build').match(/version\s*:\s*'([^']+)'/)[1] + tag = "v#{version}" puts "Releasing #{tag}..." @@ -90,9 +89,8 @@ task release: [:default] do puts "Tag #{tag} already exists. Skipping git tag." else # Ensure working directory is clean - if !`git status --porcelain`.strip.empty? - puts "Working directory is not clean. Please commit or stash changes." - exit 1 + unless `git status --porcelain`.strip.empty? + abort "Working directory is not clean. Please commit or stash changes." end sh "git tag -a #{tag} -m 'Release #{tag}'" @@ -100,7 +98,8 @@ task release: [:default] do end # Create distribution package - sh "meson dist -C build" + # meson dist performs a build and test in a temporary directory, so it needs the env + sh "#{pkg_config_env} meson dist -C build" puts "\nRelease #{tag} completed successfully!" puts "Next steps:" From 8aeed24e3d0060fd9ac61a19e7d89b08fd578457 Mon Sep 17 00:00:00 2001 
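Review bot: The version regex in the first hunk, `/version\s*:\s*'([^']+)'/`, is unanchored, so it also matches the `version` inside a `meson_version: '>= …'` keyword; `String#match` returns the first match in the file, so if meson.build lists `meson_version:` ahead of `version:` the tag would be built from the meson requirement string. A word boundary prevents that: `/\bversion\s*:\s*'([^']+)'/`. The same pattern is carried forward unchanged into the second hunk of PATCH 2/2, which should get the same boundary. The `release` task body continues past the end of this hunk.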
From: Victor Benarbia Date: Mon, 8 Jun 2026 21:54:48 -0500 Subject: [PATCH 2/2] Improve error handling and security in release task. - Add nil-check for version regex match with informative error message - Use Shellwords.escape() to safely handle tag names in shell commands - Fix PKG_CONFIG_PATH handling to properly escape paths with special characters - Improves robustness against malformed configuration or injection attacks Co-Authored-By: Claude Haiku 4.5 --- Rakefile | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/Rakefile b/Rakefile index 29bcbe2..7d9ea6a 100644 --- a/Rakefile +++ b/Rakefile @@ -21,7 +21,8 @@ def pkg_config_env existing_path = ENV['PKG_CONFIG_PATH'] pkg_paths << existing_path if existing_path && !existing_path.empty? - "PKG_CONFIG_PATH='#{pkg_paths.join(':')}'" + require 'shellwords' + "PKG_CONFIG_PATH=#{Shellwords.escape(pkg_paths.join(':'))}" end desc('initialize meson build') @@ -78,14 +79,19 @@ end desc('release current library') task release: [:default] do + require 'shellwords' + # Extract version from meson.build - version = File.read('meson.build').match(/version\s*:\s*'([^']+)'/)[1] + version_match = File.read('meson.build').match(/version\s*:\s*'([^']+)'/) + abort "Unable to extract version from meson.build. Check version format." unless version_match + + version = version_match[1] tag = "v#{version}" puts "Releasing #{tag}..." # Check if tag already exists - if `git tag -l #{tag}`.strip == tag + if `git tag -l #{Shellwords.escape(tag)}`.strip == tag puts "Tag #{tag} already exists. Skipping git tag." else # Ensure working directory is clean 
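Review bot: `require 'shellwords'` is placed inside `pkg_config_env`, and the second hunk of this patch repeats it inside the `release` task; a single `require 'shellwords'` at the top of the Rakefile is the conventional place and avoids re-evaluating the require on every call. The method still returns a shell-prefix string, so every caller has to route the command through a shell; since Rake's `sh` forwards a leading Hash to `Kernel#system` as the environment, callers could pass the paths directly, e.g. `sh({ 'PKG_CONFIG_PATH' => pkg_paths.join(':') }, 'meson', 'dist', '-C', 'build')`, which needs no escaping at all. That would change this method's return type, so it depends on callers outside this hunk. The start of `pkg_config_env` is outside the hunk.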
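Review bot: The new nil-check on `version_match` accepts whatever the `[^']+` capture yields, so a version containing whitespace or shell metacharacters is escaped and released rather than rejected; a malformed meson.build should fail loudly at this point instead. Add a format check right after the extraction, `abort "Unexpected version format: #{version.inspect}" unless version.match?(/\A[0-9A-Za-z.+-]+\z/)`, anchored with `\A`/`\z` so the whole string is validated. With that in place the `Shellwords.escape` calls become a second line of defence rather than the only one. The `release` task body continues past the end of this hunk.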
@@ -93,14 +99,14 @@ task release: [:default] do abort "Working directory is not clean. Please commit or stash changes." end - sh "git tag -a #{tag} -m 'Release #{tag}'" + sh "git tag -a #{Shellwords.escape(tag)} -m #{Shellwords.escape("Release #{tag}")}" puts "Created tag #{tag}." end # Create distribution package # meson dist performs a build and test in a temporary directory, so it needs the env sh "#{pkg_config_env} meson dist -C build" - + puts "\nRelease #{tag} completed successfully!" puts "Next steps:" puts "1. git push origin #{tag}"
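Review bot: The rewritten `git tag` line escapes two interpolations into a single shell string; Rake's `sh` also accepts the command as separate arguments, which bypasses the shell entirely and removes the need for `Shellwords` on this line: `sh 'git', 'tag', '-a', tag, '-m', "Release #{tag}"`. The same argument-vector form would suit the `git tag -l` check in the previous hunk, where the backtick call could become `IO.popen(['git', 'tag', '-l', tag], &:read)`. The `release` task body starts before this hunk.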