Software engineer / SRE. Holder of excessive throw-away repositories and projects. He / they.
Old projects on https://github.com/nilium.
Comment by ~nilium on ~nilium/nilium
~nilium unassigned ~nilium from #1 on ~nilium/tools
Comment by ~nilium on ~nilium/tools
Fixed in 98a99f50db86c021f39554bacdfa61474411781a.
~nilium assigned ~nilium to #1 on ~nilium/tools
sql added by ~nilium on ~nilium/tools
Ticket created by ~nilium on ~nilium/tools
Queries cannot be loaded from files in the latest version of sql. This is likely due to a bug in how the parameter parsing was refactored to support concrete types and arrays, so the query parameter is no longer being passed through the file reading function.
Ticket created by ~nilium on ~nilium/ghaccountsd
To avoid the case where someone modifies a cached item, there should be some way to either sign or encrypt (or both) cache data, and report when a cached item has been knowingly tampered with. Without this, it's possible to modify a cached item and insert, for example, an SSH key into a user record or fabricate an entire user.
It may be necessary to apply this broadly to memory caches as well as disk and memcache caches, but by the time someone is tampering with the memory cache, it's likely that they also have all the components needed to either fabricate realistic cache items or to simply point a ghaccountsd instance to a different token, organization, and team. So, memory caches aren't my main concern right now.
Ticket created by ~nilium on ~sircmpwn/sr.ht
If you add a respository without a description (i.e., a request to
nulldescription field), this results in an 500 internal server error response. I'm not sure yet about what is returned via the API (if one exists), so this is partly through the sr.ht UI.
Not sure if this belongs under hub.sr.ht at the moment. Project creation happens on sr.ht itself, so wasn't clear on that.
This can be reproduced with the following:
Create a repository via the API without a description (just don't pass the field, it'll default to null instead of an empty string).[^1]
When checking the repository via the API, its description should be
Create a project (e.g., on https://sr.ht).
Add the new repository to the project.
That should reproduce the error. I haven't dug around in the code or tried to run it myself yet, so unfortunately don't have much detail on this. Hopefully it's reproducible -- if not, I'll see if I can narrow it down further.
I also haven't tested to see if this applies to hg repositories.
Edit: Workaround for anyone encountering this, by the way, is to add a description to the repository (even if it's just an empty string).
[^1]: This also results in "None" showing in the UI when you edit the description, which might need to be a separate ticket if that's not intended.