Status: Closed
Labels: P2-medium (Medium priority), area/ci-cd (CI/CD workflow generation), bug (Something isn't working)
Description
Overview
File: lib/src/cli/utils/workflow_generator.dart, lines 172-213
`validate()` checks `dart_sdk`, `features`, `secrets`, `pat`, `line_length`, and `platforms`, but never looks at `sub_packages`, so malformed or hostile values reach `_buildContext()` and the template unchecked.
Bug 1: Type validation missing
`"sub_packages": "not_a_list"` passes validation but `_buildContext()` crashes with TypeError on `as List?` cast.
Bug 2: Value sanitization missing
`sub_packages` name and path values are rendered into the template unescaped (`htmlEscapeValues: false`). A name containing `:` or `#` can break the YAML structure (an unexpected mapping key, or the rest of the line swallowed as a comment) or make the generated workflow unparseable. A path containing `..` could escape the intended directory (path traversal) in the generated workflow.
Fix
Add to `validate()`:
```dart
// sub_packages is optional; when present it must be a list of {name, path} maps.
final subPkgs = ciConfig['sub_packages'];
if (subPkgs != null && subPkgs is! List) {
  // Bug 1: report the type error here instead of crashing later in _buildContext().
  errors.add('ci.sub_packages must be an array, got ${subPkgs.runtimeType}');
} else if (subPkgs is List) {
  for (final sp in subPkgs) {
    if (sp is Map<String, dynamic>) {
      // Bug 2: reject characters that change YAML structure when rendered unescaped.
      final name = sp['name'];
      if (name is String && RegExp(r'[:#\n\r]').hasMatch(name)) {
        errors.add('sub_packages name "$name" contains invalid YAML characters');
      }
      // Bug 2: reject ".." so a sub-package path cannot point outside the repository.
      final path = sp['path'];
      if (path is String && path.contains('..')) {
        errors.add('sub_packages path "$path" must not contain ".." traversal');
      }
    }
  }
}
```
Acceptance Criteria
- `sub_packages` type validated (must be List if present)
- Name validated for YAML-unsafe characters
- Path validated against directory traversal
- Tests added
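As an added, stand-alone example (not the project's code and not the snippet above), the following Dart shows a stricter version of the same check: it allow-lists package names instead of deny-listing a few YAML characters, reports non-object entries and missing fields instead of skipping them, and tests path segments rather than `contains('..')`, so `../x` and `a/../b` are rejected while a directory called `foo..bar` is not. The `{name, path}` shape of each entry and the `ci.sub_packages` key are assumed from this issue; `validateSubPackages` and `_pathProblem` are hypothetical helper names, and the inputs in `main` are constructed for the demo.

```dart
import 'dart:convert';

/// Allow-list for package names: a Dart-style identifier, optionally with
/// `-` and `.`. Anything else (`:`, `#`, quotes, whitespace, newlines) is
/// rejected, so a rendered name can never start a YAML key, comment or flow
/// collection. (Assumed policy; the issue itself only deny-lists `:#\n\r`.)
final RegExp _safeName = RegExp(r'^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$');

/// Validates `ciConfig['sub_packages']` and returns the list of problems
/// found (empty means valid). Hypothetical helper, shaped like the checks the
/// issue proposes adding to `validate()`.
List<String> validateSubPackages(Map<String, dynamic> ciConfig) {
  final errors = <String>[];
  final subPkgs = ciConfig['sub_packages'];
  if (subPkgs == null) return errors; // the key is optional
  if (subPkgs is! List) {
    // Bug 1 from the issue: a string here would crash `as List?` downstream.
    errors.add('ci.sub_packages must be an array, got ${subPkgs.runtimeType}');
    return errors;
  }
  for (var i = 0; i < subPkgs.length; i++) {
    final sp = subPkgs[i];
    if (sp is! Map) {
      errors.add('ci.sub_packages[$i] must be an object, got ${sp.runtimeType}');
      continue;
    }
    final name = sp['name'];
    if (name is! String) {
      errors.add('ci.sub_packages[$i].name must be a string');
    } else if (!_safeName.hasMatch(name)) {
      errors.add('ci.sub_packages[$i].name "$name" is not a safe package name');
    }
    final path = sp['path'];
    if (path is! String) {
      errors.add('ci.sub_packages[$i].path must be a string');
    } else {
      final reason = _pathProblem(path);
      if (reason != null) {
        errors.add('ci.sub_packages[$i].path "$path" $reason');
      }
    }
  }
  return errors;
}

/// Returns null when [path] is a safe repository-relative path, otherwise the
/// reason it was rejected. Hypothetical helper.
String? _pathProblem(String path) {
  if (path.isEmpty) return 'must not be empty';
  // Control characters, YAML-special characters, quotes and backslashes would
  // all be rendered unescaped into the workflow file.
  if (RegExp(r'[\x00-\x1f:#"\x27\\]').hasMatch(path)) {
    return 'contains control, YAML-special or backslash characters';
  }
  if (path.startsWith('/')) return 'must be relative to the repository root';
  // Check every segment, so `../x` and `a/../b` are caught while a legitimate
  // directory name such as `foo..bar` passes.
  for (final seg in path.split('/')) {
    if (seg == '..') return 'must not contain ".." traversal';
  }
  return null;
}

void main() {
  // Constructed sample configs (not from the project), one per failure mode.
  final samples = <String, String>{
    'ok': '{"sub_packages": [{"name": "core", "path": "packages/core"}]}',
    'wrong type': '{"sub_packages": "not_a_list"}',
    'bad entry': '{"sub_packages": ["core"]}',
    'yaml chars': '{"sub_packages": [{"name": "x: #y", "path": "packages/x"}]}',
    'traversal': '{"sub_packages": [{"name": "x", "path": "../../.github"}]}',
    'dotted dir': '{"sub_packages": [{"name": "x", "path": "pkgs/foo..bar"}]}',
  };
  samples.forEach((label, json) {
    final cfg = jsonDecode(json) as Map<String, dynamic>;
    final errors = validateSubPackages(cfg);
    print('$label -> ${errors.isEmpty ? 'valid' : errors.join('; ')}');
  });
}
```

The allow-list on `name` is the part worth carrying into the real fix: a deny-list of `:#\n\r` still lets through `-`, `[`, `{`, `!`, `&`, `*` and quotes, several of which are YAML indicators when they start a scalar, so it is simpler to state what a package name may contain than to enumerate what it may not.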