Merge branch 'master' into daniel.mohedano/gha-spec-tests

daniel-mohedano · web-flow · commit 004b18ce2c6d · 2026-02-12T12:49:19.000+01:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -98,26 +98,26 @@
 **/*Waf*.java                                                   @DataDog/asm-java
 **/*Waf*.groovy                                                 @DataDog/asm-java
 
-# @DataDog/ci-app-libraries-java
-/dd-java-agent/agent-ci-visibility/                 @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/cucumber-5.4/        @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/jacoco-0.8.9/        @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/junit                @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/karate/              @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/scalatest-3.0.8/     @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/selenium/            @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/testng/              @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/gradle/              @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/gradle-testing/      @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/maven                @DataDog/ci-app-libraries-java
-/dd-java-agent/instrumentation/weaver-0.9/          @DataDog/ci-app-libraries-java
-/dd-smoke-tests/gradle/                             @DataDog/ci-app-libraries-java
-/dd-smoke-tests/junit-console/                      @DataDog/ci-app-libraries-java
-/dd-smoke-tests/maven/                              @DataDog/ci-app-libraries-java
-/internal-api/src/main/java/datadog/trace/api/git/  @DataDog/ci-app-libraries-java
-**/civisibility/                                    @DataDog/ci-app-libraries-java
-**/CiVisibility*.java                               @DataDog/ci-app-libraries-java
-**/CiVisibility*.groovy                             @DataDog/ci-app-libraries-java
+# @DataDog/ci-app-libraries
+/dd-java-agent/agent-ci-visibility/                 @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/cucumber-5.4/        @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/jacoco-0.8.9/        @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/junit                @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/karate/              @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/scalatest-3.0.8/     @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/selenium/            @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/testng/              @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/gradle/              @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/gradle-testing/      @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/maven                @DataDog/ci-app-libraries
+/dd-java-agent/instrumentation/weaver-0.9/          @DataDog/ci-app-libraries
+/dd-smoke-tests/gradle/                             @DataDog/ci-app-libraries
+/dd-smoke-tests/junit-console/                      @DataDog/ci-app-libraries
+/dd-smoke-tests/maven/                              @DataDog/ci-app-libraries
+/internal-api/src/main/java/datadog/trace/api/git/  @DataDog/ci-app-libraries
+**/civisibility/                                    @DataDog/ci-app-libraries
+**/CiVisibility*.java                               @DataDog/ci-app-libraries
+**/CiVisibility*.groovy                             @DataDog/ci-app-libraries
 
 # @DataDog/debugger-java (Live Debugger)
 /dd-java-agent/agent-debugger/                                  @DataDog/debugger-java
diff --git a/.gitlab/ci_visibility_generate_job.sh b/.gitlab/ci_visibility_generate_job.sh
@@ -59,14 +59,40 @@ if [ -z "$labels" ] || ! echo "$labels" | grep -q "comp: ci visibility"; then
   exit 0
 fi
 
-echo "PR #$pr_number is a CI Visibility PR - triggering test environment"
+echo "PR #$pr_number is a CI Visibility PR"
+
+# Check for test-environment configuration in PR body
+set +e
+echo "Checking additional trigger configuration"
+target_branch="main"
+pr_body=$(gh pr view "$pr_number" --repo DataDog/dd-trace-java --json body --jq '.body' 2>&1)
+pr_body_status=$?
+if [ $pr_body_status -eq 0 ] && [ -n "$pr_body" ]; then
+  # Check for skip directive: "test-environment-trigger: skip" (must be at start of line)
+  if echo "$pr_body" | grep -qP '^test-environment-trigger:\s*skip'; then
+    echo "Found 'test-environment-trigger: skip' in PR body - skipping trigger"
+    add_dummy_job
+    exit 0
+  fi
+  # Look for "test-environment-branch: <branch-name>" at start of line in PR body
+  override_branch=$(echo "$pr_body" | grep -oP '^test-environment-branch:\s*\K[\S]+' | head -1)
+  if [ -n "$override_branch" ]; then
+    echo "Found test-environment branch override in PR body: '$override_branch'"
+    target_branch="$override_branch"
+  else
+    echo "No test-environment-branch override in PR body - using default 'main' for downstream pipeline"
+  fi
+else
+  echo "Could not read PR body (status=$pr_body_status) - using default 'main' for downstream pipeline"
+fi
+set -e
 
 cat <<EOF >>ci-visibility-test-environment.yml
 ci-visibility-test-environment:
   stage: ci-visibility-tests
   trigger:
     project: DataDog/apm-reliability/test-environment
-    branch: main
+    branch: $target_branch
     strategy: depend
   variables:
     UPSTREAM_PACKAGE_JOB: build
diff --git a/internal-api/src/main/java/datadog/trace/api/git/GitUtils.java b/internal-api/src/main/java/datadog/trace/api/git/GitUtils.java
@@ -290,7 +290,11 @@ public static boolean isValidRef(@Nullable String ref) {
 
   /** Checks if the provided string is a valid system path for Git operations */
   public static boolean isValidPath(@Nonnull String path) {
-    return PATH_PATTERN.matcher(path).matches();
+    if (!PATH_PATTERN.matcher(path).matches()) {
+      return false;
+    }
+    // Reject path traversal sequences
+    return !path.contains("..");
   }
 
   /** Checks if the provided string is neither a valid commit SHA nor a valid Git reference */
diff --git a/internal-api/src/test/groovy/datadog/trace/api/git/GitUtilsTest.groovy b/internal-api/src/test/groovy/datadog/trace/api/git/GitUtilsTest.groovy
@@ -153,6 +153,12 @@ class GitUtilsTest extends Specification {
     "mixed.Case-123_Test"        | true
     "./relative/path"            | true
     "multiple/levels/of/nesting" | true
+    "/absolute/path"             | true  // absolute paths allowed
+    "/home/user/workspace"       | true  // typical CI workspace
+    "../parent/path"             | false // path traversal at start
+    "path/../other"              | false // path traversal in middle
+    "path/to/.."                 | false // path traversal at end
+    "../../etc/passwd"           | false // multiple path traversal
     ""                           | false // empty
     "   "                        | false // whitespace only
     "path with spaces"           | false // contains spaces
