justinmclean commented on code in PR #213:
URL: https://github.com/apache/airflow-steward/pull/213#discussion_r3295979555


##########
tools/skill-validator/src/skill_validator/__init__.py:
##########
@@ -638,6 +658,103 @@ def validate_principle_compliance(path: Path, text: str) 
-> Iterable[Violation]:
         )
 
 
+# ---------------------------------------------------------------------------
+# Security-pattern checks (write-skill/security-checklist.md)
+# ---------------------------------------------------------------------------
+
+
+def _inline_only_code_spans(text: str) -> list[tuple[int, int]]:
+    """Return (start, end) spans for inline backtick code only."""
+    fenced_spans = [m.span() for m in _FENCED_CODE_RE.finditer(text)]
+    return [
+        (start, end)
+        for start, end in _code_spans(text)
+        if not any(fs <= start and end <= fe for fs, fe in fenced_spans)
+    ]
+
+
+def validate_security_patterns(path: Path, text: str) -> Iterable[Violation]:
+    """Check security-pattern conventions from 
``write-skill/security-checklist.md``.
+
+    **Pattern 4** *(SKILL.md only)*: skills whose ``mode`` implies processing
+    external / attacker-controlled content must contain the injection-guard
+    callout phrase near the top of the skill body.
+
+    **Pattern 9** *(all skill .md files)*: ``--body "..."`` / ``--body '...'``
+    passed as an inline shell argument is a shell-injection vector; use
+    ``--body-file <path>`` instead.
+
+    **Patterns 1/2** *(all skill .md files)*: ``-f field='<placeholder>'``
+    and ``-F field=<placeholder>`` pass dynamic values as inline shell
+    arguments; use ``-F field=@/tmp/<file>`` instead.  Static values (no ``<>``
+    placeholder) are not flagged.
+
+    All violations are **SOFT** — advisory, surfaced as warnings without
+    failing the run unless ``--strict`` is passed.
+    """
+    # ------------------------------------------------------------------
+    # Skip paths that intentionally contain "bad pattern" examples
+    # (e.g. the security checklist that documents what NOT to do).
+    # ------------------------------------------------------------------
+    path_str = str(path)
+    if any(skip in path_str for skip in SECURITY_PATTERN_SKIP_PATHS):

Review Comment:
   Windows is not supported here


