2 changes: 1 addition & 1 deletion .github/actions/tests/test-controller/action.yaml
@@ -34,8 +34,8 @@
TEST_TYPE: ${{ inputs.test_type }}
TRIGGER: ${{ github.event_name }}
run: |
set -eo pipefail

Check failure on line 37 in .github/actions/tests/test-controller/action.yaml

probelabs / Visor: architecture

logic Issue

The pull request title and description state that the fix is to replace `curl --fail-with-body` with `--fail`. However, the actual code change only updates a URL and leaves the `--fail-with-body` flag in place. This means the original issue, where an HTML error body can be piped to `$GITHUB_OUTPUT` and cause a format error, is not resolved.
Raw output
To fix the underlying issue as described in the pull request, replace the `--fail-with-body` flag with `--fail` (or `-f`). This will cause curl to exit with an error on HTTP failures without writing the response body to stdout, preventing the corruption of `$GITHUB_OUTPUT`.

Check warning on line 37 in .github/actions/tests/test-controller/action.yaml

probelabs / Visor: architecture

architecture Issue

The base URL for the service endpoint (`https://tyktechnologies.github.io/gromit`) is hardcoded within the reusable action. This couples the action to a specific environment and service, reducing its reusability. If the endpoint needs to change for different environments (e.g., staging vs. production) or other use cases, the action's code must be modified.
Raw output
Decouple the action from a specific endpoint by making the base URL a configurable input. This would allow workflows using this action to provide the target URL, making the action more flexible and reusable across different projects and environments.
curl -s --retry 5 --retry-delay 10 --fail-with-body "http://tui.internal.dev.tyk.technology/v2/$VARIATION/$REPO_NAME/$BASE_REF/$TRIGGER/$TEST_TYPE.gho" | tee -a "$GITHUB_OUTPUT"
curl -s --retry 5 --retry-delay 10 --fail-with-body "https://tyktechnologies.github.io/gromit/v2/$VARIATION/$REPO_NAME/$BASE_REF/$TRIGGER/$TEST_TYPE.gho" | tee -a "$GITHUB_OUTPUT"

Check failure on line 38 in .github/actions/tests/test-controller/action.yaml

probelabs / Visor: quality

undefined Issue

The code change does not match the pull request's stated intent. The title and description indicate that the `curl` flag `--fail-with-body` should be replaced with `--fail` to prevent invalid output on HTTP errors. However, the implemented change only alters the URL and retains the problematic `--fail-with-body` flag, meaning the original issue is not resolved. Furthermore, the significant change of the target URL is not documented in the PR description.
Raw output
Update the `curl` command to use the `--fail` flag instead of `--fail-with-body` to correctly implement the intended fix. Additionally, update the pull request description to accurately reflect all changes, including the modification of the target URL.

Check failure on line 38 in .github/actions/tests/test-controller/action.yaml

probelabs / Visor: security

security Issue

The action is vulnerable to command injection. Inputs like `variation` and `test-type`, and context variables like `github.repository` and `github.base_ref`, are interpolated directly into a shell command string. An attacker controlling these values (e.g., via a malicious branch name or workflow input) could execute arbitrary commands using shell command substitution syntax like `$(command)`. The double quotes around the URL do not prevent this attack.
Raw output
Sanitize all variables before they are used in the shell command. A robust way to do this is to pass the variables as environment variables to a separate script (e.g., Node.js, Python) that builds the URL and executes the request, avoiding direct shell interpolation. If you must use a shell script, add a validation step for each variable to ensure it only contains expected characters (e.g., alphanumeric, `_`, `-`, `.`, `/`) and reject any input containing shell metacharacters.
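The validation step the annotation above recommends, as an added example that is not part of the PR or the action itself; the base-URL argument, the helper names and the extra `..` rejection are assumptions:

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: allow-list validation of the values the
# action interpolates into the curl URL, as the security annotation suggests.
# The base URL is passed in as an argument (assumption), which also addresses
# the hard-coded endpoint; the fetch helper is shown but not exercised offline.

# Returns 0 only if $1 is non-empty and built from the characters the annotation
# lists as safe (alphanumeric, _, -, ., /). ".." is rejected as well so a value
# cannot climb out of the /v2/ tree (tighter than the annotation's list).
valid_component() {
  case "$1" in
    '')                  return 1 ;;   # empty value
    *..*)                return 1 ;;   # path traversal attempt
    *[!A-Za-z0-9_./-]*)  return 1 ;;   # anything outside the allow-list
    *)                   return 0 ;;
  esac
}

# Prints the .gho URL for base, VARIATION, REPO_NAME, BASE_REF, TRIGGER and
# TEST_TYPE; prints nothing and returns 1 if any component fails validation.
build_gho_url() {
  base="$1"; shift
  [ "$#" -eq 5 ] || return 1
  for v in "$@"; do
    valid_component "$v" || return 1
  done
  printf '%s/v2/%s/%s/%s/%s/%s.gho\n' "$base" "$@"
}

# Fetch into a temp file with --fail (no error body on stdout) and append to
# $GITHUB_OUTPUT only after curl has succeeded. Performs a network call, so it
# is not run as part of this example.
fetch_test_config() {
  url=$(build_gho_url "$@") || { echo "::error::invalid test-controller input" >&2; return 1; }
  tmp=$(mktemp)
  curl -s --retry 5 --retry-delay 10 --fail -o "$tmp" "$url" && cat "$tmp" >> "$GITHUB_OUTPUT"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```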

Check warning on line 38 in .github/actions/tests/test-controller/action.yaml

probelabs / Visor: security

security Issue

The endpoint for fetching test configuration has been changed from an internal, unencrypted URL to a public HTTPS URL hosted on GitHub Pages. This change may expose potentially sensitive test configuration files (`.gho`) to the public internet. These files could contain information about internal systems, test logic, or other data not intended for public disclosure.
Raw output
Review the contents of the `.gho` files being hosted on the public `tyktechnologies.github.io` site. Confirm that they contain no sensitive information. If they do, relocate them to a private, access-controlled storage location and update the URL in this action accordingly.
if ! [[ $VARIATION =~ prod ]] ;then
echo "::warning file=.github/workflows/release.yml,line=24,col=1,endColumn=8::Using non-prod variation"
echo "### :warning: You are using VARIATION=${VARIATION} in test-controller-{{ .test }}" >> $GITHUB_STEP_SUMMARY
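Review bot: the changed line still pipes `--fail-with-body` output straight into `tee -a "$GITHUB_OUTPUT"`, so on a 404 from the new GitHub Pages URL the HTML error body is appended to `$GITHUB_OUTPUT` before `set -eo pipefail` fails the step; use `--fail` (or download to a temp file and append only after curl returns 0). Separately, the `::warning` annotation in the context lines points at `file=.github/workflows/release.yml,line=24` although this command lives in `.github/actions/tests/test-controller/action.yaml`, so the warning will be attached to the wrong file.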