Merged
25 changes: 25 additions & 0 deletions test.sh
@@ -838,6 +838,31 @@ else
((PASSED++))
fi

# Test: mk template python
cd "$TEST_DIR"
u7 mk template python myapp >/dev/null 2>&1
if [[ -f "myapp/src/main.py" && -f "myapp/README.md" && -f "myapp/tests/__init__.py" ]]; then

medium

This test for the Python template is incomplete. The scaffolding logic creates src/__init__.py, but this check doesn't verify its existence. Adding this check will make the test more thorough and prevent future regressions.

Suggested change
if [[ -f "myapp/src/main.py" && -f "myapp/README.md" && -f "myapp/tests/__init__.py" ]]; then
if [[ -f "myapp/src/main.py" && -f "myapp/README.md" && -f "myapp/tests/__init__.py" && -f "myapp/src/__init__.py" ]]; then

echo -e "${GREEN}✓${NC} mk template python works"
((PASSED++))
else
echo -e "${RED}✗${NC} mk template python failed"
((FAILED++))
fi

# Test: mk template node
u7 mk template node mynode >/dev/null 2>&1
if [[ -f "mynode/package.json" && -f "mynode/src/index.js" ]]; then

medium

This test for the Node.js template is incomplete. The scaffolding logic also creates a README.md file and a test directory, but this test doesn't verify their existence. Expanding the check will make the test more robust.

Suggested change
if [[ -f "mynode/package.json" && -f "mynode/src/index.js" ]]; then
if [[ -f "mynode/package.json" && -f "mynode/src/index.js" && -f "mynode/README.md" && -d "mynode/test" ]]; then

echo -e "${GREEN}✓${NC} mk template node works"
((PASSED++))
else
echo -e "${RED}✗${NC} mk template node failed"
((FAILED++))
fi

# Test: mk template requires args
result=$(u7 mk template 2>&1)
assert_contains "mk template requires args" "Usage:" "$result"
Comment on lines +841 to +883

medium

The test coverage for the new mk template feature is incomplete and could be improved:

  • Tests for the bash and web templates are missing.
  • The existing tests for python and node only check for file existence. They should also verify file contents to ensure the templates are generated correctly (e.g., check for valid JSON in package.json, check for shebangs in scripts).
  • There are no tests for project names containing spaces or special characters, which would have helped catch the injection bugs in utility.sh.


# Cleanup
cd /
rm -rf "$TEST_DIR"
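Review bot: the `mk template requires args` test at the end of the hunk checks only that the output contains "Usage:", not that `u7 mk template` exits non-zero, so a regression that prints the usage text and returns 0 would still pass; capture the status with the output, e.g. `result=$(u7 mk template 2>&1); status=$?`, and assert on `$status` as well. The python and node cases have the same gap, treating the file-existence check as the only signal and never looking at the command's exit code. Also, `cd "$TEST_DIR"` at the top of the hunk is unchecked, so if it fails the scaffolds are written into whatever the current directory happens to be; `cd "$TEST_DIR" || exit 1` keeps the test from silently running elsewhere.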
40 changes: 40 additions & 0 deletions utility.sh
@@ -526,6 +526,45 @@ _u7_make() {
fi
;;

template)
local tmpl="$1"
local name="$2"
if [[ -z "$tmpl" || -z "$name" ]]; then
echo "Usage: u7 mk template <python|node|bash|web> <project-name>"
return 1
fi
case "$tmpl" in
python)
_u7_exec mkdir -p "$name/src" "$name/tests"
echo "# $name" > "$name/README.md"
echo "#!/usr/bin/env python3" > "$name/src/main.py"
touch "$name/src/__init__.py" "$name/tests/__init__.py"
echo "Created Python project: $name"
;;
node)
_u7_exec mkdir -p "$name/src" "$name/test"
echo "# $name" > "$name/README.md"
echo '{"name": "'"$name"'", "version": "0.1.0", "main": "src/index.js"}' > "$name/package.json"

high

The project name is directly embedded into the package.json string. If the name contains a double quote ("), it will result in invalid JSON. Consider escaping the name to prevent this.

Suggested change
echo '{"name": "'"$name"'", "version": "0.1.0", "main": "src/index.js"}' > "$name/package.json"
echo '{"name": "'"${name//\"/\\\"}"'", "version": "0.1.0", "main": "src/index.js"}' > "$name/package.json"


high

The project name is not escaped when being inserted into package.json. If the project name contains a double quote, it will result in an invalid JSON file. You should use a tool like jq to safely generate the JSON. Since jq seems to be a dependency for other parts of the script, you could use it like this: jq -n --arg name "$name" '{name: $name, version: "0.1.0", main: "src/index.js"}' > "$name/package.json"

echo "// $name" > "$name/src/index.js"
echo "Created Node project: $name"
;;
bash)
_u7_exec mkdir -p "$name"
echo "# $name" > "$name/README.md"
printf '#!/usr/bin/env bash\nset -euo pipefail\n\necho "Hello from %s"\n' "$name" > "$name/main.sh"
chmod +x "$name/main.sh"
echo "Created Bash project: $name"
;;
web)
_u7_exec mkdir -p "$name/css" "$name/js"
echo "<!DOCTYPE html><html><head><title>$name</title><link rel=\"stylesheet\" href=\"css/style.css\"></head><body><h1>$name</h1><script src=\"js/main.js\"></script></body></html>" > "$name/index.html"

high

The project name is directly embedded into the HTML content without escaping. This creates a Cross-Site Scripting (XSS) vulnerability. If a project name contains HTML tags (e.g., <script>...), they will be rendered by the browser.

You should HTML-escape the $name variable before using it. A simple approach in bash is to replace special characters:

local name_html_escaped="$name"
name_html_escaped="${name_html_escaped//&/&amp;}"
name_html_escaped="${name_html_escaped//</&lt;}"
name_html_escaped="${name_html_escaped//>/&gt;}"
# ... and then use $name_html_escaped in the echo command.


high

The project name is not escaped when being inserted into index.html. If the project name contains HTML special characters like < or >, it will result in an invalid or malformed HTML file. The project name should be HTML-escaped before being embedded in the title and body. You can use sed for basic escaping, for example: escaped_name=$(printf '%s' "$name" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g;')

touch "$name/css/style.css" "$name/js/main.js"
echo "Created Web project: $name"
;;
*) echo "Usage: u7 mk template <python|node|bash|web> <project-name>" ; return 1 ;;

medium

The usage message here is identical to the one on line 533. This duplication can make maintenance harder. To improve clarity, consider making this error message more specific to an invalid template type, distinguishing it from the missing-argument error.

Suggested change
*) echo "Usage: u7 mk template <python|node|bash|web> <project-name>" ; return 1 ;;
*) echo "Error: Invalid template type '$tmpl'. Must be one of python, node, bash, web." ; return 1 ;;

esac
;;

sequence)
if [[ "$1" != "with" || "$2" != "prefix" ]]; then
echo "Usage: u7 mk sequence with prefix <prefix> limit <N>"
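Review bot: `$name` is used as an unvalidated path component and as a literal in every generated file, so the escaping fixes suggested above for package.json and index.html cover only two of the sinks: in the `bash)` case, `printf '... echo "Hello from %s"\n' "$name" > "$name/main.sh"` places the name inside a double-quoted string of a generated shell script, where `"`, `$(` and backticks are interpreted when main.sh runs, and in all four cases a name such as `../other` or one beginning with `-` is passed straight to `mkdir -p`, `touch` and the `>` redirections. Validate once at the top of the `template)` branch, before the `case`, e.g. `if [[ ! "$name" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then echo "Error: project name may contain only letters, digits, '.', '_' and '-'"; return 1; fi`, so the per-file escaping becomes defence in depth rather than the only barrier. Separately, only the `mkdir -p` calls go through `_u7_exec`; the `echo >`, `touch` and `chmod` lines run directly, so if `_u7_exec` exists to honour a dry-run or verbose mode, those writes bypass it.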
@@ -557,6 +596,7 @@ Entities:
link <source> to <destination> Create symbolic link
archive <output> from <files...> Create archive from <files...> to <output>
clone <repo> [to <directory>] Git clone a repository
template <python|node|bash|web> <name> Scaffold a project structure
sequence with prefix <prefix> limit <N> Generate numbered sequence with prefix <prefix> and limit <N>
EOF
;;
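Review bot: the new help line names the argument `<name>` while both usage messages in the `template)` branch say `<project-name>`; align the placeholder so the help entry and the error output describe the argument the same way, and since the name becomes a directory name passed to `mkdir -p`, the help text is the place to state which characters are accepted.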