Address PR review feedback: inject HTTP client, hard-fail codesign, context timeout

rajeshkamal5050 · Copilot · rajeshkamal5050 · commit e4d3be2d441b · 2026-03-03T19:47:45.000-08:00
- N1+C1: Code signature verification hard-fails with CodeSignatureInvalid
  instead of silently skipping on error
- N2+N6: Inject *http.Client into Manager with 30s timeout, replacing
  http.DefaultClient usage (resolves gosec G704 SSRF warnings)
- N3: Background goroutine uses context.WithTimeout(60s) instead of
  context.Background() to prevent hung goroutines
- N4: MSI download URL uses runtime.GOARCH instead of hardcoded amd64
- N5: Alpha auto-enable banner clarifies what gets enabled
- N7: Archive extraction uses isAzdBinary() to match exact name or
  platform-specific name (azd-{os}-{arch}), not broad prefix
- N8: Tests inject HTTP client via constructor instead of swapping
  http.DefaultTransport globally

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/cli/azd/cmd/update.go b/cli/azd/cmd/update.go
@@ -124,7 +124,7 @@ func (a *updateAction) Run(ctx context.Context) (*actions.ActionResult, error) {
 		}
 
 		a.console.MessageUxItem(ctx, &ux.MessageTitle{
-			Title: "azd update is in alpha.\n",
+			Title: "azd update is in alpha. Auto-update and channel-aware version checks are now enabled.\n",
 		})
 	}
 
@@ -174,7 +174,7 @@ func (a *updateAction) Run(ctx context.Context) (*actions.ActionResult, error) {
 		fields.UpdateFromVersion.String(internal.VersionInfo().Version.String()),
 	)
 
-	mgr := update.NewManager(a.commandRunner)
+	mgr := update.NewManager(a.commandRunner, nil)
 
 	// Block update in CI/CD environments
 	if resource.IsRunningOnCI() {
diff --git a/cli/azd/main.go b/cli/azd/main.go
@@ -115,7 +115,8 @@ func main() {
 	}
 
 	latest := make(chan *update.VersionInfo)
-	go fetchLatestVersion(latest)
+	bgCtx, bgCancel := context.WithTimeout(context.Background(), 60*time.Second)
+	go fetchLatestVersion(bgCtx, latest)
 
 	rootContainer := ioc.NewNestedContainer(nil)
 
@@ -137,6 +138,7 @@ func main() {
 	}
 
 	versionInfo, ok := <-latest
+	bgCancel()
 
 	// If we were able to fetch a latest version, check to see if we are up to date and
 	// print a warning if we are not. Note that we don't print this warning when the CLI version
@@ -205,7 +207,7 @@ func main() {
 // fetchLatestVersion checks for a newer version of the CLI using the user's
 // configured channel and sends the result across the channel, which it then closes.
 // If the latest version can not be determined, the channel is closed without writing a value.
-func fetchLatestVersion(result chan<- *update.VersionInfo) {
+func fetchLatestVersion(ctx context.Context, result chan<- *update.VersionInfo) {
 	defer close(result)
 
 	// Allow the user to skip the update check if they wish, by setting AZD_SKIP_UPDATE_CHECK to
@@ -229,8 +231,8 @@ func fetchLatestVersion(result chan<- *update.VersionInfo) {
 
 	cfg := update.LoadUpdateConfig(userConfig)
 
-	mgr := update.NewManager(nil)
-	versionInfo, err := mgr.CheckForUpdate(context.Background(), cfg, false)
+	mgr := update.NewManager(nil, nil)
+	versionInfo, err := mgr.CheckForUpdate(ctx, cfg, false)
 	if err != nil {
 		log.Printf("failed to check for updates: %v, skipping update check", err)
 		return
@@ -243,7 +245,7 @@ func fetchLatestVersion(result chan<- *update.VersionInfo) {
 		featureManager := alpha.NewFeaturesManagerWithConfig(userConfig)
 		if featureManager.IsEnabled(update.FeatureUpdate) {
 			log.Printf("auto-update: staging update to %s", versionInfo.Version)
-			if stageErr := mgr.StageUpdate(context.Background(), cfg); stageErr != nil {
+			if stageErr := mgr.StageUpdate(ctx, cfg); stageErr != nil {
 				log.Printf("auto-update: staging failed: %v", stageErr)
 			}
 		}
diff --git a/cli/azd/pkg/update/manager.go b/cli/azd/pkg/update/manager.go
@@ -46,12 +46,17 @@ type VersionInfo struct {
 // Manager handles checking for and applying azd updates.
 type Manager struct {
 	commandRunner exec.CommandRunner
+	httpClient    *http.Client
 }
 
 // NewManager creates a new update Manager.
-func NewManager(commandRunner exec.CommandRunner) *Manager {
+func NewManager(commandRunner exec.CommandRunner, httpClient *http.Client) *Manager {
+	if httpClient == nil {
+		httpClient = &http.Client{Timeout: 30 * time.Second}
+	}
 	return &Manager{
 		commandRunner: commandRunner,
+		httpClient:    httpClient,
 	}
 }
 
@@ -144,7 +149,8 @@ func (m *Manager) checkStableVersion(ctx context.Context) (*VersionInfo, error)
 	}
 	req.Header.Set("User-Agent", internal.UserAgent())
 
-	resp, err := http.DefaultClient.Do(req)
+	//nolint:gosec // URL is constructed from controlled constants, not user input
+	resp, err := m.httpClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch latest stable version: %w", err)
 	}
@@ -182,7 +188,8 @@ func (m *Manager) checkDailyVersion(ctx context.Context) (*VersionInfo, error) {
 	}
 	req.Header.Set("User-Agent", internal.UserAgent())
 
-	resp, err := http.DefaultClient.Do(req)
+	//nolint:gosec // URL is constructed from controlled constants, not user input
+	resp, err := m.httpClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch daily version info: %w", err)
 	}
@@ -434,7 +441,7 @@ func (m *Manager) buildMSIDownloadURL(channel Channel) (string, error) {
 		return "", fmt.Errorf("unsupported channel: %s", channel)
 	}
 
-	return fmt.Sprintf("%s/%s/azd-windows-amd64.msi", blobBaseURL, folder), nil
+	return fmt.Sprintf("%s/%s/azd-windows-%s.msi", blobBaseURL, folder, runtime.GOARCH), nil
 }
 
 func archiveExtension() string {
@@ -451,7 +458,8 @@ func (m *Manager) downloadFile(ctx context.Context, url string, destPath string,
 	}
 	req.Header.Set("User-Agent", internal.UserAgent())
 
-	resp, err := http.DefaultClient.Do(req)
+	//nolint:gosec // URL is constructed from controlled constants, not user input
+	resp, err := m.httpClient.Do(req)
 	if err != nil {
 		return err
 	}
@@ -511,15 +519,14 @@ func (m *Manager) verifyCodesignMac(ctx context.Context, binaryPath string, writ
 	runArgs := exec.NewRunArgs("codesign", "-v", "--strict", binaryPath)
 	result, err := m.commandRunner.Run(ctx, runArgs)
 	if err != nil {
-		log.Printf("codesign verification failed: %v, skipping", err)
-		return nil
+		return newUpdateError(CodeSignatureInvalid, fmt.Errorf("codesign verification failed: %w", err))
 	}
 
 	if result.ExitCode != 0 {
-		return fmt.Errorf(
+		return newUpdateError(CodeSignatureInvalid, fmt.Errorf(
 			"code signature verification failed for %s (exit code %d): %s",
 			binaryPath, result.ExitCode, result.Stderr,
-		)
+		))
 	}
 
 	fmt.Fprintf(writer, "Code signature verified.\n")
@@ -537,15 +544,14 @@ func (m *Manager) verifyAuthenticode(ctx context.Context, binaryPath string, wri
 	runArgs := exec.NewRunArgs("powershell", "-NoProfile", "-Command", script)
 	result, err := m.commandRunner.Run(ctx, runArgs)
 	if err != nil {
-		log.Printf("Authenticode verification failed: %v, skipping", err)
-		return nil
+		return newUpdateError(CodeSignatureInvalid, fmt.Errorf("Authenticode verification failed: %w", err))
 	}
 
 	if result.ExitCode != 0 {
-		return fmt.Errorf(
+		return newUpdateError(CodeSignatureInvalid, fmt.Errorf(
 			"Authenticode signature verification failed for %s: %s",
 			binaryPath, result.Stderr,
-		)
+		))
 	}
 
 	fmt.Fprintf(writer, "Code signature verified.\n")
@@ -633,17 +639,31 @@ func copyFile(src, dst string) error {
 
 	// Preserve source file permissions. After remove-then-create, the new file gets
 	// default 0666 permissions instead of the original executable permissions.
+	//nolint:gosec // path is from the source file stat, not user input
 	return os.Chmod(dst, srcInfo.Mode().Perm())
 }
 
 // extractBinary extracts the azd binary from the archive to destPath.
+// platformBinaryName returns the expected platform-specific binary name in archives (e.g., "azd-darwin-amd64").
+func platformBinaryName() string {
+	name := fmt.Sprintf("azd-%s-%s", runtime.GOOS, runtime.GOARCH)
+	if runtime.GOOS == "windows" {
+		name += ".exe"
+	}
+	return name
+}
+
 func extractBinary(archivePath, binaryName, destPath string) error {
 	if strings.HasSuffix(archivePath, ".tar.gz") {
 		return extractFromTarGz(archivePath, binaryName, destPath)
 	}
 	return extractFromZip(archivePath, binaryName, destPath)
 }
 
+func isAzdBinary(name, binaryName string) bool {
+	return name == binaryName || name == platformBinaryName()
+}
+
 func extractFromTarGz(archivePath, binaryName, destPath string) error {
 	f, err := os.Open(archivePath)
 	if err != nil {
@@ -668,7 +688,7 @@ func extractFromTarGz(archivePath, binaryName, destPath string) error {
 		}
 
 		name := filepath.Base(header.Name)
-		if name == binaryName || strings.HasPrefix(name, "azd-") {
+		if isAzdBinary(name, binaryName) {
 			out, err := os.Create(destPath)
 			if err != nil {
 				return err
@@ -693,7 +713,7 @@ func extractFromZip(archivePath, binaryName, destPath string) error {
 
 	for _, f := range r.File {
 		name := filepath.Base(f.Name)
-		if name == binaryName || strings.HasPrefix(name, "azd-") {
+		if isAzdBinary(name, binaryName) {
 			rc, err := f.Open()
 			if err != nil {
 				return err
diff --git a/cli/azd/pkg/update/manager_test.go b/cli/azd/pkg/update/manager_test.go
@@ -59,7 +59,7 @@ func TestParseDailyBuildNumber(t *testing.T) {
 }
 
 func TestBuildDownloadURL(t *testing.T) {
-	m := NewManager(nil)
+	m := NewManager(nil, nil)
 
 	tests := []struct {
 		name    string
@@ -136,7 +136,7 @@ func TestPackageManagerUninstallCmd(t *testing.T) {
 }
 
 func TestBuildVersionInfoFromCache_Stable(t *testing.T) {
-	m := NewManager(nil)
+	m := NewManager(nil, nil)
 
 	tests := []struct {
 		name      string
@@ -168,7 +168,7 @@ func TestBuildVersionInfoFromCache_Stable(t *testing.T) {
 }
 
 func TestBuildVersionInfoFromCache_Daily(t *testing.T) {
-	m := NewManager(nil)
+	m := NewManager(nil, nil)
 
 	// Dev build (0.0.0-dev.0) can't parse a daily build number,
 	// so it always assumes update available
@@ -186,7 +186,7 @@ func TestBuildVersionInfoFromCache_Daily(t *testing.T) {
 }
 
 func TestBuildVersionInfoFromCache_InvalidVersion(t *testing.T) {
-	m := NewManager(nil)
+	m := NewManager(nil, nil)
 	cache := &CacheFile{
 		Channel: "stable",
 		Version: "not-a-version",
@@ -197,25 +197,27 @@ func TestBuildVersionInfoFromCache_InvalidVersion(t *testing.T) {
 	require.Contains(t, err.Error(), "parse")
 }
 
+// testClientWithRewrite creates an HTTP client that redirects all requests to the given test server URL.
+func testClientWithRewrite(targetURL string) *http.Client {
+	return &http.Client{
+		Transport: &urlRewriteTransport{
+			base:      http.DefaultTransport,
+			targetURL: targetURL,
+		},
+	}
+}
+
 func TestCheckForUpdate_StableHTTP(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		fmt.Fprint(w, "999.0.0")
 	}))
 	defer server.Close()
 
-	// Override the default client transport to redirect requests to test server
-	origTransport := http.DefaultTransport
-	http.DefaultTransport = &urlRewriteTransport{
-		base:      origTransport,
-		targetURL: server.URL,
-	}
-	defer func() { http.DefaultTransport = origTransport }()
-
 	tempDir := t.TempDir()
 	t.Setenv("AZD_CONFIG_DIR", tempDir)
 
-	m := NewManager(nil)
+	m := NewManager(nil, testClientWithRewrite(server.URL))
 	cfg := &UpdateConfig{Channel: ChannelStable}
 
 	info, err := m.CheckForUpdate(context.Background(), cfg, true)
@@ -232,17 +234,10 @@ func TestCheckForUpdate_DailyHTTP(t *testing.T) {
 	}))
 	defer server.Close()
 
-	origTransport := http.DefaultTransport
-	http.DefaultTransport = &urlRewriteTransport{
-		base:      origTransport,
-		targetURL: server.URL,
-	}
-	defer func() { http.DefaultTransport = origTransport }()
-
 	tempDir := t.TempDir()
 	t.Setenv("AZD_CONFIG_DIR", tempDir)
 
-	m := NewManager(nil)
+	m := NewManager(nil, testClientWithRewrite(server.URL))
 	cfg := &UpdateConfig{Channel: ChannelDaily}
 
 	info, err := m.CheckForUpdate(context.Background(), cfg, true)
@@ -259,17 +254,10 @@ func TestCheckForUpdate_HTTPError(t *testing.T) {
 	}))
 	defer server.Close()
 
-	origTransport := http.DefaultTransport
-	http.DefaultTransport = &urlRewriteTransport{
-		base:      origTransport,
-		targetURL: server.URL,
-	}
-	defer func() { http.DefaultTransport = origTransport }()
-
 	tempDir := t.TempDir()
 	t.Setenv("AZD_CONFIG_DIR", tempDir)
 
-	m := NewManager(nil)
+	m := NewManager(nil, testClientWithRewrite(server.URL))
 	cfg := &UpdateConfig{Channel: ChannelStable}
 
 	_, err := m.CheckForUpdate(context.Background(), cfg, true)
@@ -289,7 +277,7 @@ func TestCheckForUpdate_UsesCache(t *testing.T) {
 	}
 	require.NoError(t, SaveCache(cache))
 
-	m := NewManager(nil)
+	m := NewManager(nil, nil)
 	cfg := &UpdateConfig{Channel: ChannelStable}
 
 	// ignoreCache=false should use the cache (no HTTP call needed)
@@ -303,7 +291,7 @@ func TestCheckForUpdate_InvalidChannel(t *testing.T) {
 	tempDir := t.TempDir()
 	t.Setenv("AZD_CONFIG_DIR", tempDir)
 
-	m := NewManager(nil)
+	m := NewManager(nil, nil)
 	cfg := &UpdateConfig{Channel: Channel("nightly")}
 
 	_, err := m.CheckForUpdate(context.Background(), cfg, true)
@@ -317,7 +305,7 @@ func TestUpdateViaPackageManager_Success(t *testing.T) {
 		return strings.Contains(command, "brew upgrade azd")
 	}).Respond(exec.NewRunResult(0, "Updated azd", ""))
 
-	m := NewManager(mockRunner)
+	m := NewManager(mockRunner, nil)
 	var buf bytes.Buffer
 
 	err := m.updateViaPackageManager(context.Background(), "brew", []string{"upgrade", "azd"}, &buf)
@@ -331,7 +319,7 @@ func TestUpdateViaPackageManager_Failure(t *testing.T) {
 		return strings.Contains(command, "brew upgrade azd")
 	}).Respond(exec.NewRunResult(1, "", "Error: no such formula"))
 
-	m := NewManager(mockRunner)
+	m := NewManager(mockRunner, nil)
 	var buf bytes.Buffer
 
 	err := m.updateViaPackageManager(context.Background(), "brew", []string{"upgrade", "azd"}, &buf)
@@ -348,7 +336,7 @@ func TestUpdateViaPackageManager_CommandError(t *testing.T) {
 		return true
 	}).SetError(fmt.Errorf("command not found: brew"))
 
-	m := NewManager(mockRunner)
+	m := NewManager(mockRunner, nil)
 	var buf bytes.Buffer
 
 	err := m.updateViaPackageManager(context.Background(), "brew", []string{"upgrade", "azd"}, &buf)
@@ -360,7 +348,7 @@ func TestUpdateViaPackageManager_CommandError(t *testing.T) {
 }
 
 func TestVerifyCodeSignature_NilRunner(t *testing.T) {
-	m := NewManager(nil)
+	m := NewManager(nil, nil)
 	err := m.verifyCodeSignature(context.Background(), "/some/binary", io.Discard)
 	require.NoError(t, err, "should skip when no command runner")
 }
@@ -620,7 +608,7 @@ func TestDownloadFile(t *testing.T) {
 	tempDir := t.TempDir()
 	destPath := filepath.Join(tempDir, "downloaded")
 
-	m := NewManager(nil)
+	m := NewManager(nil, nil)
 	err := m.downloadFile(context.Background(), server.URL+"/azd.zip", destPath, io.Discard)
 	require.NoError(t, err)
 
@@ -638,7 +626,7 @@ func TestDownloadFile_HTTPError(t *testing.T) {
 	tempDir := t.TempDir()
 	destPath := filepath.Join(tempDir, "downloaded")
 
-	m := NewManager(nil)
+	m := NewManager(nil, nil)
 	err := m.downloadFile(context.Background(), server.URL+"/missing.zip", destPath, io.Discard)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "404")

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ func (a updateAction) Run(ctx context.Context) (actions.ActionResult, error) {`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`a.console.MessageUxItem(ctx, &ux.MessageTitle{`
`127`		`- Title: "azd update is in alpha.\n",`
	`127`	`+ Title: "azd update is in alpha. Auto-update and channel-aware version checks are now enabled.\n",`
`128`	`128`	`})`
`129`	`129`	`}`
`130`	`130`
`@@ -174,7 +174,7 @@ func (a updateAction) Run(ctx context.Context) (actions.ActionResult, error) {`
`174`	`174`	`fields.UpdateFromVersion.String(internal.VersionInfo().Version.String()),`
`175`	`175`	`)`
`176`	`176`
`177`		`- mgr := update.NewManager(a.commandRunner)`
	`177`	`+ mgr := update.NewManager(a.commandRunner, nil)`
`178`	`178`
`179`	`179`	`// Block update in CI/CD environments`
`180`	`180`	`if resource.IsRunningOnCI() {`