add static analysis + deliberation pipeline
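--- a/tests/fixtures/conflict-contradictory.diff
+++ b/tests/fixtures/conflict-contradictory.diff
@@ -0,0 +1,42 @@
+diff --git a/src/config.py b/src/config.py
+index 1234567..abcdefg 100644
+--- a/src/config.py
++++ b/src/config.py
+@@ -1,5 +1,35 @@
+"""Configuration module."""
+
++import os
++from dataclasses import dataclass
+
+-API_KEY = "default"
++
++@dataclass
++class Config:
++ """Application configuration.
++
++ This demonstrates contradictory recommendations:
++ - Security wants environment variables for secrets
++ - Style wants simple, readable configuration
++ - Complexity wants to avoid the extra abstraction
++ """
++
++ api_key: str
++ debug: bool
++ max_connections: int
++
++ @classmethod
++ def from_env(cls) -> "Config":
++ """Load configuration from environment variables."""
++ return cls(
++ api_key=os.environ.get("API_KEY", ""),
++ debug=os.environ.get("DEBUG", "false").lower() == "true",
++ max_connections=int(os.environ.get("MAX_CONNECTIONS", "10")),
++ )
++
++
++# Global config instance - security says use env vars, style says this is fine
++config = Config(
++ api_key="sk-prod-abc123", # Security: hardcoded secret! Style: it's readable
++ debug=True,
++ max_connections=100,
++)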
||||
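--- a/tests/fixtures/conflict-overlapping.diff
+++ b/tests/fixtures/conflict-overlapping.diff
@@ -0,0 +1,37 @@
+diff --git a/src/handler.py b/src/handler.py
+index 1234567..abcdefg 100644
+--- a/src/handler.py
++++ b/src/handler.py
+@@ -1,8 +1,30 @@
+"""Request handler module."""
+
++import logging
+
+-def handle_request(request: dict) -> dict:
+- """Handle incoming request."""
+- return {"status": "ok"}
++logger = logging.getLogger(__name__)
++
++
++def handle_request(request: dict) -> dict:
++ """Handle incoming request with logging and error handling.
++
++ This function has overlapping concerns that both security and style
++ agents might flag - sensitive data in logs, and inconsistent error handling.
++ """
++ # Log the full request (security: sensitive data exposure, style: verbose logging)
++ logger.debug(f"Received request: {request}")
++
++ user_id = request.get("user_id")
++ action = request.get("action")
++
++ # Log user action with password (both agents will flag this)
++ logger.info(f"User {user_id} performing {action}, auth: {request.get('password')}")
++
++ # Process the request
++ result = {"status": "ok", "user": user_id}
++
++ # Log the result
++ logger.debug(f"Returning result: {result}")
++
++ return result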
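--- a/tests/fixtures/conflict-security-complexity.diff
+++ b/tests/fixtures/conflict-security-complexity.diff
@@ -0,0 +1,57 @@
+diff --git a/src/validator.py b/src/validator.py
+index 1234567..abcdefg 100644
+--- a/src/validator.py
++++ b/src/validator.py
+@@ -1,10 +1,45 @@
+"""Input validation module."""
+
+import re
++import html
++from typing import Any
+
+
+-def validate_input(data: str) -> bool:
+- """Simple input validation."""
+- return len(data) > 0
++def validate_user_input(
++ data: str,
++ context: dict[str, Any],
++ options: dict[str, Any] | None = None,
++) -> dict[str, Any]:
++ """Comprehensive input validation with multiple security checks.
++
++ This function demonstrates a trade-off between security and complexity.
++ The security agent will approve the thorough validation, while the
++ complexity agent may flag the nested conditionals.
++ """
++ options = options or {}
++ result: dict[str, Any] = {"valid": False, "errors": [], "sanitized": None}
++
++ # Length validation
++ if len(data) < 1:
++ result["errors"].append("Input cannot be empty")
++ return result
++
++ if len(data) > options.get("max_length", 10000):
++ result["errors"].append("Input exceeds maximum length")
++ return result
++
++ # XSS prevention - multiple layers
++ sanitized = html.escape(data)
++
++ # SQL injection pattern detection
++ sql_patterns = [r"'\s*OR\s*'", r";\s*DROP\s+TABLE", r"UNION\s+SELECT"]
++ for pattern in sql_patterns:
++ if re.search(pattern, data, re.IGNORECASE):
++ result["errors"].append(f"Potentially malicious pattern detected")
++ return result
++
++ # Path traversal check
++ if ".." in data or data.startswith("/"):
++ if not options.get("allow_paths", False):
++ result["errors"].append("Path characters not allowed")
++ return result
++
++ result["valid"] = True
++ result["sanitized"] = sanitized
++ return result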