feat(sidekick/rust): decouple option extraction and support resource names #4352
Code Review
This pull request refactors resource name generation in the Rust sidekick by decoupling the creation of resource name arguments from the annotation phase and moving the string formatting into the Rust template. However, the implementation introduces a critical code injection vulnerability. It injects untrusted strings from the API model directly into the generated Rust code without proper sanitization or escaping. Specifically, ResourceNameTemplate and ResourceNameArgs are used in the mustache template with triple braces {{{...}}}, disabling escaping and potentially allowing an attacker to inject arbitrary code. Furthermore, there's an issue in the mustache template's string formatting that will likely cause compilation failures.
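The escaping and validation layer the review above is asking for, as an added example that is not sidekick's or this PR's code: it assumes the resource-name pattern reaches the template as a string and the argument names as identifiers, and shows the checks that would run before any triple-brace substitution (helper names are hypothetical).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical helpers, not sidekick's own code: the validation layer that must
// sit between the API model and a {{{...}}} substitution, which escapes nothing.

// rustEscaper escapes the characters that could terminate a Rust string
// literal or break the line, so an untrusted value cannot continue as code.
var rustEscaper = strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`, "\r", `\r`, "\t", `\t`)

// RustStringLiteral renders s as a double-quoted Rust string literal.
func RustStringLiteral(s string) string { return `"` + rustEscaper.Replace(s) + `"` }

var (
	identRe       = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
	placeholderRe = regexp.MustCompile(`\{([^{}]*)\}`)
)

// ValidRustIdent accepts plain identifier characters only, so a model value
// cannot smuggle operators, braces or a second statement into a signature.
func ValidRustIdent(s string) bool { return identRe.MatchString(s) }

// FormatCall emits the format! call for a pattern such as
// "projects/{project}/locations/{location}": every argument must be a valid
// identifier and every {placeholder} must name one of the arguments.
func FormatCall(pattern string, args []string) (string, error) {
	known, named := map[string]bool{}, make([]string, 0, len(args))
	for _, a := range args {
		if !ValidRustIdent(a) {
			return "", fmt.Errorf("unsafe argument name %q", a)
		}
		known[a] = true
		named = append(named, a+" = "+a)
	}
	for _, m := range placeholderRe.FindAllStringSubmatch(pattern, -1) {
		if !known[m[1]] {
			return "", fmt.Errorf("placeholder {%s} has no argument", m[1])
		}
	}
	if len(named) == 0 {
		return "format!(" + RustStringLiteral(pattern) + ")", nil
	}
	return fmt.Sprintf("format!(%s, %s)", RustStringLiteral(pattern), strings.Join(named, ", ")), nil
}
```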
Codecov Report: All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main    #4352      +/-   ##
==========================================
- Coverage   81.91%   81.90%   -0.01%
==========================================
  Files          99       99
  Lines        8127     8126       -1
==========================================
- Hits         6657     6656       -1
  Misses       1022     1022
  Partials      448      448
westarle left a comment:
Is there a draft PR with the resulting code?
googleapis/google-cloud-rust#4838 I update the generated output for both
…esource names (googleapis#4352)" This reverts commit 1d54810.
Inject resource name generation into the Rust generator.
Fixes #4183