fix: harden dbt pipeline inputs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Klesh Wong

backend/helpers/oidchelper/config.go

@@ -88,20 +88,28 @@ func (c *Config) ProviderNames() []string {
 }
 
 // LoadConfig reads auth env vars via Viper and validates required fields.
-// Returns Config{AuthEnabled:false} when AUTH_ENABLED=false (the default,
-// preserves historical behavior).
+// AUTH_ENABLED defaults to true unless it is explicitly set to false.
 func LoadConfig(basicRes context.BasicRes) (*Config, error) {
 	cfg := basicRes.GetConfigReader()
 
-	if !cfg.GetBool("AUTH_ENABLED") {
+	authEnabled := true
+	if cfg.IsSet("AUTH_ENABLED") {
+		authEnabled = cfg.GetBool("AUTH_ENABLED")
+	}
+	if !authEnabled {
 		return &Config{AuthEnabled: false}, nil
 	}
 
+	oidcEnabled := cfg.GetBool("OIDC_ENABLED")
 	sessionSecret := strings.TrimSpace(cfg.GetString("SESSION_SECRET"))
-	if sessionSecret == "" {
-		return nil, fmt.Errorf("AUTH_ENABLED=true but SESSION_SECRET is not set")
-	}
-	if len(sessionSecret) < 32 {
+	if oidcEnabled {
+		if sessionSecret == "" {
+			return nil, fmt.Errorf("OIDC_ENABLED=true but SESSION_SECRET is not set")
+		}
+		if len(sessionSecret) < 32 {
+			return nil, fmt.Errorf("SESSION_SECRET must be at least 32 bytes")
+		}
+	} else if sessionSecret != "" && len(sessionSecret) < 32 {
 		return nil, fmt.Errorf("SESSION_SECRET must be at least 32 bytes")
 	}
 
@@ -121,7 +129,7 @@ func LoadConfig(basicRes context.BasicRes) (*Config, error) {
 
 	out := &Config{
 		AuthEnabled:    true,
-		OIDCEnabled:    cfg.GetBool("OIDC_ENABLED"),
+		OIDCEnabled:    oidcEnabled,
 		Providers:      map[string]*ProviderConfig{},
 		LogoutRedirect: cfg.GetBool("OIDC_LOGOUT_REDIRECT"),
 		SessionSecret:  []byte(sessionSecret),

backend/helpers/oidchelper/config_test.go

@@ -20,6 +20,13 @@ package oidchelper
 import (
 	"reflect"
 	"testing"
+
+	"github.com/spf13/viper"
+
+	"github.com/apache/incubator-devlake/core/config"
+	corectx "github.com/apache/incubator-devlake/core/context"
+	"github.com/apache/incubator-devlake/core/dal"
+	"github.com/apache/incubator-devlake/core/log"
 )
 
 func TestParseScopes(t *testing.T) {
@@ -84,3 +91,43 @@ func TestProviderNamesSorted(t *testing.T) {
 		t.Errorf("ProviderNames = %v, want sorted [entra google]", names)
 	}
 }
+
+type basicResStub struct {
+	cfg config.ConfigReader
+}
+
+func (b basicResStub) GetConfigReader() config.ConfigReader { return b.cfg }
+func (b basicResStub) GetConfig(string) string              { return "" }
+func (b basicResStub) GetLogger() log.Logger                { return nil }
+func (b basicResStub) NestedLogger(string) corectx.BasicRes { return nil }
+func (b basicResStub) ReplaceLogger(log.Logger) corectx.BasicRes {
+	return nil
+}
+func (b basicResStub) GetDal() dal.Dal { return nil }
+
+func TestLoadConfigDefaultsAuthEnabled(t *testing.T) {
+	v := viper.New()
+
+	cfg, err := LoadConfig(basicResStub{cfg: v})
+	if err != nil {
+		t.Fatalf("LoadConfig returned error: %v", err)
+	}
+	if !cfg.AuthEnabled {
+		t.Fatal("AuthEnabled should default to true when AUTH_ENABLED is unset")
+	}
+	if cfg.OIDCEnabled {
+		t.Fatal("OIDCEnabled should default to false")
+	}
+	if len(cfg.SessionSecret) != 0 {
+		t.Fatalf("SessionSecret = %q, want empty when OIDC is disabled", string(cfg.SessionSecret))
+	}
+}
+
+func TestLoadConfigRequiresSessionSecretForOIDC(t *testing.T) {
+	v := viper.New()
+	v.Set("OIDC_ENABLED", true)
+
+	if _, err := LoadConfig(basicResStub{cfg: v}); err == nil {
+		t.Fatal("LoadConfig should reject OIDC-enabled config without SESSION_SECRET")
+	}
+}

backend/plugins/dbt/dbt.go

@@ -28,7 +28,6 @@ var PluginEntry impl.Dbt
 // standalone mode for debugging
 func main() {
 	dbtCmd := &cobra.Command{Use: "dbt"}
-	_ = dbtCmd.MarkFlagRequired("projectPath")
 	projectPath := dbtCmd.Flags().StringP("projectPath", "p", "/Users/abeizn/demoapp", "user dbt project directory.")
 	projectGitURL := dbtCmd.Flags().StringP("projectGitURL", "g", "", "user dbt project git url.")
 	projectName := dbtCmd.Flags().StringP("projectName", "n", "demoapp", "user dbt project name.")

backend/plugins/dbt/impl/impl.go

@@ -18,6 +18,8 @@ limitations under the License.
 package impl
 
 import (
+	"fmt"
+
 	"github.com/apache/incubator-devlake/core/dal"
 	"github.com/apache/incubator-devlake/core/errors"
 	"github.com/apache/incubator-devlake/core/plugin"
@@ -28,6 +30,7 @@ import (
 var _ interface {
 	plugin.PluginMeta
 	plugin.PluginTask
+	plugin.CloseablePluginTask
 	plugin.PluginModel
 } = (*Dbt)(nil)
 
@@ -54,8 +57,8 @@ func (p Dbt) PrepareTaskData(taskCtx plugin.TaskContext, options map[string]inte
 	if err != nil {
 		return nil, err
 	}
-	if op.ProjectPath == "" {
-		return nil, errors.Default.New("projectPath is required for dbt plugin")
+	if err := tasks.PrepareOptions(&op, taskCtx.GetConfig(tasks.DbtProjectBaseDirConfigKey)); err != nil {
+		return nil, err
 	}
 
 	if op.ProjectTarget == "" {
@@ -71,6 +74,17 @@ func (p Dbt) RootPkgPath() string {
 	return "github.com/apache/incubator-devlake/plugins/dbt"
 }
 
+func (p Dbt) Close(taskCtx plugin.TaskContext) errors.Error {
+	data, ok := taskCtx.GetData().(*tasks.DbtTaskData)
+	if !ok || data == nil || data.Options == nil || !data.Options.ManagedProjectDir {
+		return nil
+	}
+	if err := tasks.CleanupManagedProjectDir(data.Options); err != nil {
+		return errors.Default.Wrap(err, fmt.Sprintf("cleanup dbt project path %q", data.Options.ProjectPath))
+	}
+	return nil
+}
+
 func (p Dbt) Name() string {
 	return "dbt"
 }

backend/plugins/dbt/tasks/convertor.go

@@ -234,4 +234,5 @@ var DbtConverterMeta = plugin.SubTaskMeta{
 	EntryPoint:       DbtConverter,
 	EnabledByDefault: true,
 	Description:      "Convert data by dbt",
+	Dependencies:     []*plugin.SubTaskMeta{&GitMeta},
 }

backend/plugins/dbt/tasks/git.go

@@ -32,20 +32,26 @@ func Git(taskCtx plugin.SubTaskContext) errors.Error {
 		return nil
 	}
 
-	// clean ProjectPath
-	err := os.RemoveAll(data.Options.ProjectPath)
+	projectBaseDir, err := ensureProjectBaseDir(data.Options.ProjectBaseDir)
 	if err != nil {
-		logger.Error(err, "cleanup before clone dbt project failed")
-		return errors.Convert(err)
+		logger.Error(err, "prepare dbt workspace failed")
+		return err
 	}
+	projectPath, mkErr := os.MkdirTemp(projectBaseDir, "project-*")
+	if mkErr != nil {
+		logger.Error(mkErr, "create managed dbt project directory failed")
+		return errors.Convert(mkErr)
+	}
+	data.Options.ProjectPath = projectPath
 
-	// git clone from ProjectGitURL into ProjectPath
+	// git clone from ProjectGitURL into a managed temporary project directory
 	cmd := exec.Command("git", "clone", data.Options.ProjectGitURL, data.Options.ProjectPath)
 	logger.Info("start clone dbt project: %v", cmd)
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		logger.Error(err, "clone dbt project failed")
-		return errors.Convert(err)
+	out, cloneErr := cmd.CombinedOutput()
+	if cloneErr != nil {
+		_ = os.RemoveAll(data.Options.ProjectPath)
+		logger.Error(cloneErr, "clone dbt project failed")
+		return errors.Convert(cloneErr)
 	}
 	logger.Info("clone dbt project success: %v", string(out))
 	return nil

backend/plugins/dbt/tasks/options.go

@@ -0,0 +1,132 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tasks
+
+import (
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/apache/incubator-devlake/core/errors"
+)
+
+const (
+	DbtProjectBaseDirConfigKey = "DBT_PROJECTS_DIR"
+	dbtProjectBaseDirName      = "devlake-dbt-projects"
+)
+
+func PrepareOptions(op *DbtOptions, configuredBaseDir string) errors.Error {
+	if op == nil {
+		return errors.Default.New("dbt options are required")
+	}
+
+	baseDir, err := normalizeBaseDir(configuredBaseDir)
+	if err != nil {
+		return err
+	}
+	op.ProjectBaseDir = baseDir
+	op.ProjectPath = strings.TrimSpace(op.ProjectPath)
+	op.ProjectGitURL = strings.TrimSpace(op.ProjectGitURL)
+
+	if op.ProjectGitURL != "" {
+		if err := validateProjectGitURL(op.ProjectGitURL); err != nil {
+			return err
+		}
+		op.ProjectPath = ""
+		op.ManagedProjectDir = true
+		return nil
+	}
+
+	if op.ProjectPath == "" {
+		return errors.Default.New("projectPath is required for local dbt projects")
+	}
+
+	projectPath, err := normalizePathWithinBase(baseDir, op.ProjectPath)
+	if err != nil {
+		return err
+	}
+	op.ProjectPath = projectPath
+	return nil
+}
+
+func normalizeBaseDir(configuredBaseDir string) (string, errors.Error) {
+	baseDir := strings.TrimSpace(configuredBaseDir)
+	if baseDir == "" {
+		baseDir = filepath.Join(os.TempDir(), dbtProjectBaseDirName)
+	}
+	baseDir, err := filepath.Abs(filepath.Clean(baseDir))
+	if err != nil {
+		return "", errors.Convert(err)
+	}
+	return baseDir, nil
+}
+
+func normalizePathWithinBase(baseDir string, candidate string) (string, errors.Error) {
+	normalizedPath, err := filepath.Abs(filepath.Clean(candidate))
+	if err != nil {
+		return "", errors.Convert(err)
+	}
+	rel, err := filepath.Rel(baseDir, normalizedPath)
+	if err != nil {
+		return "", errors.Convert(err)
+	}
+	if rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
+		return "", errors.Default.New("projectPath must stay within " + baseDir)
+	}
+	return normalizedPath, nil
+}
+
+func validateProjectGitURL(rawURL string) errors.Error {
+	u, err := url.Parse(rawURL)
+	if err != nil {
+		return errors.Convert(err)
+	}
+	if u.Scheme != "https" && u.Scheme != "ssh" {
+		return errors.Default.New("projectGitURL must use https:// or ssh://")
+	}
+	if u.Host == "" {
+		return errors.Default.New("projectGitURL must include a hostname")
+	}
+	if u.Path == "" || u.Path == "/" {
+		return errors.Default.New("projectGitURL must include a repository path")
+	}
+	return nil
+}
+
+func ensureProjectBaseDir(baseDir string) (string, errors.Error) {
+	baseDir, err := normalizeBaseDir(baseDir)
+	if err != nil {
+		return "", err
+	}
+	if err := os.MkdirAll(baseDir, 0o755); err != nil {
+		return "", errors.Convert(err)
+	}
+	return baseDir, nil
+}
+
+func CleanupManagedProjectDir(op *DbtOptions) errors.Error {
+	if op == nil || !op.ManagedProjectDir || op.ProjectPath == "" {
+		return nil
+	}
+	projectPath, err := normalizePathWithinBase(op.ProjectBaseDir, op.ProjectPath)
+	if err != nil {
+		return err
+	}
+	return errors.Convert(os.RemoveAll(projectPath))
+}