fix: process.env treated as unsafe in ignores #4281

@SpenserJ

Description

Steps to Reproduce

1. Globally install `@commitlint/cli@v19.7.1` (or install locally and change step 3)
2. Configure commitlint to conditionally allow a message based on an environment variable
   * Example: disallow `wip`-prefixed messages when running in CI with `commit => !process.env.CI && /^wip\b/.test(commit)`
3. Run `echo "wip: test" | commitlint`
4. Run `echo "wip: test" | CI=1 commitlint`

Current Behavior

An error `Ignore function contains forbidden pattern: process` is thrown:

```
file:///.../node_modules/@commitlint/cli/lib/cli.js:132
        throw err;
        ^

Error: Ignore function contains forbidden pattern: process.
    at validateIgnoreFunction (file:///.../node_modules/@commitlint/is-ignored/lib/validate-ignore-func.js:8:15)
    at Array.forEach (<anonymous>)
    at isIgnored (file:///.../node_modules/@commitlint/is-ignored/lib/is-ignored.js:9:13)
    at lint (file:///.../node_modules/@commitlint/lint/lib/lint.js:13:9)
    at file:///.../node_modules/@commitlint/cli/lib/cli.js:238:65
    at Array.map (<anonymous>)
    at main (file:///.../node_modules/@commitlint/cli/lib/cli.js:238:48)

Node.js v18.17.1
```

Expected Behavior

Commitlint should block dangerous `process` calls, but should not prevent accessing `process.env.*`:

  * `echo "wip: test" | commitlint` - should succeed (no CI environment set)
  * `echo "wip: test" | CI=1 commitlint` - (CI environment blocks wip commits)

Affected packages

  • cli
  • core
  • prompt
  • config-angular

Possible Solution

This was caused by #4258, and likely involves modifying https://github.com/conventional-changelog/commitlint/blob/v19.7.1/%40commitlint/is-ignored/src/validate-ignore-func.ts to either have a tighter scope for what `dangerousPattern` matches, or a check to allow `process.env`.

Potential solution using a negative lookahead pattern:

```
/(?:process(?!\.env)|require|import|eval|fetch|XMLHttpRequest|fs|child_process)(?:\s*\.|\s*\()|(?:exec|execFile|spawn)\s*\(/
```

Context

Our team runs various checks like ESLint, Prettier, and commitlint locally through lint-staged and in CI. We permit making `wip: ...` commits in a local environment, but we have a CI check that prevents a PR from being merged until the commit is finalized (the message is updated). We use an `ignores` function that checks for `process.env.CI` (set by GitHub CI) to fail messages in PRs.

commitlint --version

@commitlint/cli@19.7.1

git --version

v2.44.0

node --version

v18.17.1
