fix: fail open instead of aborting under set -e on 1Password DB lookup#31
Open
J-MaFf wants to merge 1 commit into
Open
fix: fail open instead of aborting under set -e on 1Password DB lookup#31J-MaFf wants to merge 1 commit into
J-MaFf wants to merge 1 commit into
Conversation
hook.sh runs under `set -euo pipefail`. find_1password_db and query_mounts return non-zero as a normal "not found / unavailable" signal, but assigning their output (db_path=$(...) / mount_hex_data=$(...)) makes set -e abort the whole script before the fail-open logic runs — exiting 1 with empty stdout instead of allowing. The runner masks this by treating empty output as allow, but the hook never reaches its own fail-open branches, its log warnings never fire, and configured-mode deny is short-circuited (a missing required mount cannot block). Guard both assignments with `|| true` so the existing emptiness checks run and the hook fails open as designed — matching the `|| true` idiom already used in extract_toml_array_items. - Modified: hooks/1password-validate-mounted-env-files/hook.sh (~line 415, 417) - Tests: tests/hooks/1password-validate-mounted-env-files.bats — added two regression tests (no DB present; DB present but unqueryable). Both fail before the fix and pass after. Full suite: 160/160 passing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
hooks/1password-validate-mounted-env-files/hook.shruns underset -euo pipefail.find_1password_dbandquery_mountsreturn non-zero as a normal "not found / unavailable" signal, but their results are assigned via command substitution:Under
set -e, a non-zero command substitution in an assignment aborts the whole script. So on any machine without the 1Password desktop database on disk (CLI-only, CI), or withoutsqlite3installed, the hook exits1with empty stdout before reaching its fail-open logic.bin/run-hook.shmasks this by treating empty hook output as "allow", so the end result is usually still safe — but the hook never reaches its own intended fail-open branches, itslogwarnings never fire, and configured-modedenyis short-circuited: a required-but-missing mount can't block, because the script dies before validating.Reproduction
On a machine with no 1Password desktop database present:
exit=1, empty stdout (aborted byset -e).exit=0,{"decision":"allow","message":""}(fail open as designed).Fix
Guard both assignments with
|| true— the same idiom already used inextract_toml_array_items— so the existing emptiness checks (if [[ -n "$db_path" ]]) run and the hook falls through to its fail-openallow.Tests
Added two regression tests to
tests/hooks/1password-validate-mounted-env-files.bats:fails open (allow) when no 1Password database is present(covers thefind_1password_dbpath)fails open (allow) when the 1Password database cannot be queried(covers thequery_mountspath)Both fail before this change and pass after, and run without
sqlite3— exactly the path the existingdenytestskips whensqlite3is unavailable, which is why the regression went uncaught.Full suite: 160/160 passing (
npx bats -r tests/).