bashrs 6.66.0

Rust-to-Shell transpiler for deterministic bootstrap scripts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

// SC2173: SIGKILL/SIGSTOP can't be trapped.
//
// SIGKILL (9) and SIGSTOP (17/19) cannot be caught or ignored.
//
// Examples:
// Bad:
//   trap "cleanup" SIGKILL       // Won't work
//   trap "handler" SIGSTOP       // Can't be trapped
//   trap "cleanup" 9             // SIGKILL by number
//
// Good:
//   trap "cleanup" SIGTERM       // Can be trapped
//   trap "cleanup" SIGINT        // Can be trapped
//   trap "cleanup" EXIT          // Pseudo-signal, works
//
// Impact: Trap won't work, false sense of control

use crate::linter::{Diagnostic, LintResult, Severity, Span};
use regex::Regex;

static TRAP_SIGKILL_SIGSTOP: std::sync::LazyLock<Regex> = std::sync::LazyLock::new(|| {
    // Match: trap "handler" SIGKILL/SIGSTOP/9/17/19
    // Also match: trap 'handler' SIGKILL
    Regex::new(r#"\btrap\s+["']?[^"'\s]+["']?\s+(SIGKILL|SIGSTOP|9|17|19)\b"#).unwrap()
});

pub fn check(source: &str) -> LintResult {
    let mut result = LintResult::new();

    for (line_num, line) in source.lines().enumerate() {
        let line_num = line_num + 1;

        if line.trim_start().starts_with('#') {
            continue;
        }

        for mat in TRAP_SIGKILL_SIGSTOP.find_iter(line) {
            let start_col = mat.start() + 1;
            let end_col = mat.end() + 1;

            let diagnostic = Diagnostic::new(
                "SC2173",
                Severity::Error,
                "SIGKILL/SIGSTOP can't be trapped".to_string(),
                Span::new(line_num, start_col, line_num, end_col),
            );

            result.add(diagnostic);
        }
    }

    result
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_sc2173_trap_sigkill() {
        let code = r#"trap "cleanup" SIGKILL"#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_sc2173_trap_sigstop() {
        let code = r#"trap "cleanup" SIGSTOP"#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_sc2173_trap_9() {
        let code = r#"trap "cleanup" 9"#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_sc2173_trap_sigterm_ok() {
        let code = r#"trap "cleanup" SIGTERM"#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_sc2173_trap_sigint_ok() {
        let code = r#"trap "cleanup" SIGINT"#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_sc2173_trap_exit_ok() {
        let code = r#"trap "cleanup" EXIT"#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_sc2173_comment_ok() {
        let code = r#"# trap "cleanup" SIGKILL"#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_sc2173_multiple() {
        let code = "trap 'cleanup' SIGKILL\ntrap 'handler' SIGSTOP";
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 2);
    }

    #[test]
    fn test_sc2173_trap_17() {
        let code = r#"trap "cleanup" 17"#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_sc2173_trap_2_ok() {
        let code = r#"trap "cleanup" 2"#;
        let result = check(code);
        // SIGINT (2) can be trapped
        assert_eq!(result.diagnostics.len(), 0);
    }
}