
fix: address unresolved review comments on apm pack/unpack#219

Merged
danielmeppiel merged 2 commits into feat/pack-unpack from copilot/sub-pr-218 on Mar 9, 2026

Conversation


Copilot AI commented Mar 9, 2026

Addresses all unresolved review comments from the apm pack/apm unpack PR.

Security

Path traversal protection (packer.py, unpacker.py)

  • Validate every deployed_files entry before reading/writing: reject .. components, absolute paths, and any path that resolves outside project_root / output_dir via Path.is_relative_to()
  • Malicious or corrupted lockfiles with entries like .github/../../../etc/passwd are now rejected with a clear ValueError

Bug fixes

unpacker.py

  • tarfile.extractall(filter="data") is Python 3.12+ only; gated behind sys.version_info >= (3, 12) with fallback to manual member checks (already present) for 3.9–3.11
  • UnpackResult.extracted_dir was returning a deleted temp directory in archive mode — now returns the original bundle_path
  • Lockfile error messaging: distinguishes "not found" (missing file) from "could not be parsed" (corrupt YAML) by checking lockfile_path.exists() first

Maintenance

  • Move from apm_cli.commands.pack import ... from mid-file (line 313) to the top-level import block in cli.py
  • Remove unused yaml / UnpackResult imports from test_unpacker.py and test_pack_unpack_e2e.py
  • Add apm pack and apm unpack reference sections to docs/cli-reference.md

Type of change

  • Bug fix
  • New feature
  • Documentation
  • Maintenance / refactor

Testing

  • Tested locally
  • All existing tests pass
  • Added tests for new functionality (if applicable)

4 new path-traversal unit tests added (2 packer, 2 unpacker). Full suite: 1387 passed.



Co-authored-by: danielmeppiel <51440732+danielmeppiel@users.noreply.github.com>
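The two security items in the description, the deployed_files path validation and the version-gated tarfile extraction, as an added example that is not code from the apm project or this PR. Function names, the project root name and the sample lockfile entries are this example's own constructions; the manual pre-3.12 member check is likewise this example's, since the page only says such checks already existed.

```python
import sys
import tarfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def validate_deployed_path(entry: str, root: str) -> Path:
    """Resolve a lockfile ``deployed_files`` entry under ``root`` or raise ValueError.

    Mirrors the checks the PR describes: no absolute paths, no ``..``
    components, and the resolved target must stay inside ``root``.
    """
    # Check both flavours so a Windows-style "C:\\x" or "\\\\srv\\share" is refused too.
    if PurePosixPath(entry).is_absolute() or PureWindowsPath(entry).is_absolute():
        raise ValueError(f"absolute path in deployed_files: {entry!r}")
    if ".." in PurePosixPath(entry).parts or ".." in PureWindowsPath(entry).parts:
        raise ValueError(f"parent-directory component in deployed_files: {entry!r}")
    root_resolved = Path(root).resolve()
    target = (root_resolved / entry).resolve()  # follows symlinks, so a link escape is caught too
    if not target.is_relative_to(root_resolved):  # Path.is_relative_to() needs Python 3.9+
        raise ValueError(f"path escapes {root!r}: {entry!r}")
    return target


def is_safe_entry(entry: str, root: str = ".") -> bool:
    """Boolean wrapper around validate_deployed_path (constructed helper for the demo/tests)."""
    try:
        validate_deployed_path(entry, root)
    except ValueError:
        return False
    return True


def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Extract with the 'data' filter on 3.12+, else pre-check each member (fallback is this example's own)."""
    if sys.version_info >= (3, 12):
        # filter= also exists in late 3.9-3.11 patch releases; the version gate is the conservative choice.
        tar.extractall(dest, filter="data")
        return
    for member in tar.getmembers():
        if member.issym() or member.islnk():
            raise ValueError(f"link member refused in archive: {member.name!r}")
        validate_deployed_path(member.name, dest)  # same rules as the lockfile entries
    tar.extractall(dest)


if __name__ == "__main__":
    # Constructed sample lockfile entries; the traversal one is the PR description's own example.
    for e in [".github/prompts/review.prompt.md", ".github/../../../etc/passwd", "/etc/passwd"]:
        print(f"{e!r:45} -> {'ok' if is_safe_entry(e, 'project') else 'rejected'}")
```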
Copilot AI changed the title from "[WIP] Add apm pack and unpack commands" to "fix: address unresolved review comments on apm pack/unpack" on Mar 9, 2026
danielmeppiel marked this pull request as ready for review on March 9, 2026 at 23:31
danielmeppiel self-requested a review as a code owner on March 9, 2026 at 23:31
danielmeppiel merged commit 479f6e8 into feat/pack-unpack on Mar 9, 2026
1 check passed
danielmeppiel deleted the copilot/sub-pr-218 branch on March 9, 2026 at 23:31