Severity
Medium — silently disables review cache on affected runners.
Affects
push-review-core.sh line 1001. Confirmed on 0.9.2.
Current behavior
PUSH_SHA=$(printf '%s' "$DIFF_FULL" | shasum -a 256 | cut -d' ' -f1 2>/dev/null || echo "")
Problems:
- shasum is not universally available. Debian/Ubuntu ship it via perl; Alpine and most distroless images do not. On those runners the first pipeline stage fails and PUSH_SHA becomes empty.
- 2>/dev/null is on cut, not the pipeline. Errors from shasum are still emitted to stderr. The || only fires when cut errors, not when shasum errors, and with pipefail unset (it is unset in this function scope) the pipeline exit code reflects the LAST command (cut), which succeeds on empty input.
- Silent empty PUSH_SHA: when this happens, the cache-check branch at line 1035 (if [[ -n "$PUSH_SHA" ]] ...) is skipped. The gate falls through to the "review required" path on every push. Not a security regression (still fails closed), but it silently disables the review cache on affected runners and there is no signal to the user that the cache is broken.
Expected behavior
Portable hash computation that works on the common runner images (perl-based shasum, coreutils sha256sum, or openssl), with a loud, fail-closed error when none of those hashers is available.
Suggested fix
Try hashers in a portable order, fail loudly if none work. Each hasher runs inside its own command substitution and the helper is the last stage of the pipeline, so its exit status reaches the caller even though pipefail is unset in this scope (if cut stayed as the last stage, the status check below would only ever see cut's exit 0, the same masking this issue describes):
_hash_sha256() {
    local out
    if command -v shasum >/dev/null 2>&1; then
        out=$(shasum -a 256) || return $?
    elif command -v sha256sum >/dev/null 2>&1; then
        out=$(sha256sum) || return $?
    elif command -v openssl >/dev/null 2>&1; then
        out=$(openssl dgst -sha256 -r) || return $?
    else
        printf 'PUSH BLOCKED: no SHA-256 hasher available (shasum / sha256sum / openssl)\n' >&2
        return 127
    fi
    # All three print "<hex> <name>"; keep only the hex digest.
    printf '%s\n' "${out%% *}"
}
local PUSH_SHA PUSH_SHA_STATUS
PUSH_SHA=$(printf '%s' "$DIFF_FULL" | _hash_sha256)
PUSH_SHA_STATUS=$?
if [[ "$PUSH_SHA_STATUS" -ne 0 || -z "$PUSH_SHA" ]]; then
    printf 'PUSH BLOCKED: hash computation failed (exit %s)\n' "$PUSH_SHA_STATUS" >&2
    exit 2
fi
Credit
Flagged by CodeRabbit on consumer PR (HELiX #1506, round 3).
Milestone
0.9.3