fix(resolve): restore relative task path resolution for repository paths

theakshaypant · chmouel · commit ece5326d66f0 · 2026-04-01T15:00:44.000+02:00
Commit 6e36620 broke relative task path resolution for repository file paths by only allowing HTTP(S) URLs. This caused paths containing '..' to be passed unresolved to the GitHub API, which rejects them with "path must not contain '..' due to auth vulnerability issue". This fix restores the original behavior by allowing both HTTP(S) URLs and repository file paths (e.g., .tekton/pipelines/build.yaml) to have their relative paths resolved, while still excluding catalog/hub references (catalog://, hub://). Fixes: #2549 Signed-off-by: Akshay Pant <akpant@redhat.com>
diff --git a/pkg/resolve/remote.go b/pkg/resolve/remote.go
@@ -33,11 +33,14 @@ func assembleTaskFQDNs(pipelineURL string, tasks []string) ([]string, error) {
 		return tasks, nil // no pipeline URL, return tasks as is
 	}
 
-	// Only HTTP(S) URLs can serve as base for relative task resolution.
+	// Only HTTP(S) URLs and repository file paths can serve as base for relative task resolution.
 	// Hub catalog references (e.g., "catalog://resource:version") use a
 	// different scheme where relative paths are meaningless.
 	lowered := strings.ToLower(pipelineURL)
-	if !strings.HasPrefix(lowered, "http://") && !strings.HasPrefix(lowered, "https://") {
+	isHTTP := strings.HasPrefix(lowered, "http://") || strings.HasPrefix(lowered, "https://")
+	isRepoPath := strings.Contains(lowered, "/") && !strings.Contains(lowered, "://")
+
+	if !isHTTP && !isRepoPath {
 		return tasks, nil
 	}
 
diff --git a/pkg/resolve/remote_test.go b/pkg/resolve/remote_test.go
@@ -562,10 +562,10 @@ func TestAssembleTaskFQDNs(t *testing.T) {
 			expected:    []string{"https://example.com/repo/task.yaml"},
 		},
 		{
-			name:        "repository file path URL returns tasks unchanged",
+			name:        "repository file path URL resolves relative tasks",
 			pipelineURL: "share/pipelines/build.yaml",
 			tasks:       []string{"../tasks/t.yaml", "tasks/other-task.yaml"},
-			expected:    []string{"../tasks/t.yaml", "tasks/other-task.yaml"},
+			expected:    []string{"share/tasks/t.yaml", "share/pipelines/tasks/other-task.yaml"},
 		},
 	}
 	for _, tt := range tests {
diff --git a/test/gitea_test.go b/test/gitea_test.go
@@ -103,6 +103,25 @@ func TestGiteaPullRequestPipelineAnnotations(t *testing.T) {
 	defer f()
 }
 
+// TestGiteaPullRequestRemotePipelineRelativeTask verifies that relative task paths
+// in a Pipeline's annotations are resolved correctly when the pipeline is
+// fetched from a repository path.
+func TestGiteaPullRequestRemotePipelineRelativeTask(t *testing.T) {
+	topts := &tgitea.TestOpts{
+		Regexp:      successRegexp,
+		TargetEvent: triggertype.PullRequest.String(),
+		YAMLFiles: map[string]string{
+			".tekton/pr.yaml":                        "testdata/pipelinerun_remote_pipeline_repo_path.yaml",
+			".pipelines/pipeline.yaml":               "testdata/pipeline_relative_task.yaml",
+			".tasks/task-referenced-internally.yaml": "testdata/task_referenced_internally.yaml",
+		},
+		ExpectEvents:   false,
+		CheckForStatus: "success",
+	}
+	_, f := tgitea.TestPR(t, topts)
+	defer f()
+}
+
 func TestGiteaPullRequestResolvePipelineOnlyAssociatedWithPipelineRunFilterted(t *testing.T) {
 	topts := &tgitea.TestOpts{
 		Regexp:      successRegexp,
diff --git a/test/testdata/pipeline_relative_task.yaml b/test/testdata/pipeline_relative_task.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: pipeline-relative-task
+  annotations:
+    pipelinesascode.tekton.dev/task: "[../.tasks/task-referenced-internally.yaml]"
+spec:
+  tasks:
+    - name: task-referenced-internally
+      taskRef:
+        name: task-referenced-internally
diff --git a/test/testdata/pipelinerun_remote_pipeline_repo_path.yaml b/test/testdata/pipelinerun_remote_pipeline_repo_path.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: "pipelinerun-remote-pipeline-relative-task"
+  annotations:
+    pipelinesascode.tekton.dev/target-namespace: "\\ .TargetNamespace //"
+    pipelinesascode.tekton.dev/on-target-branch: "[\\ .TargetBranch //]"
+    pipelinesascode.tekton.dev/on-event: "[\\ .TargetEvent //]"
+    pipelinesascode.tekton.dev/pipeline: "[../.pipelines/pipeline.yaml]"
+spec:
+  pipelineRef:
+    name: pipeline-relative-task

Original file line number	Diff line number	Diff line change
`@@ -562,10 +562,10 @@ func TestAssembleTaskFQDNs(t *testing.T) {`
`562`	`562`	`expected: []string{"https://example.com/repo/task.yaml"},`
`563`	`563`	`},`
`564`	`564`	`{`
`565`		`- name: "repository file path URL returns tasks unchanged",`
	`565`	`+ name: "repository file path URL resolves relative tasks",`
`566`	`566`	`pipelineURL: "share/pipelines/build.yaml",`
`567`	`567`	`tasks: []string{"../tasks/t.yaml", "tasks/other-task.yaml"},`
`568`		`- expected: []string{"../tasks/t.yaml", "tasks/other-task.yaml"},`
	`568`	`+ expected: []string{"share/tasks/t.yaml", "share/pipelines/tasks/other-task.yaml"},`
`569`	`569`	`},`
`570`	`570`	`}`
`571`	`571`	`for _, tt := range tests {`