Update warning message for --git-url and --zip-file lib install flags (#1088)

Author: silvanocerza

cli/lib/install.go

@@ -17,10 +17,13 @@ package lib
 
 import (
 	"context"
+	"fmt"
 	"os"
+	"strings"
 
 	"github.com/arduino/arduino-cli/cli/errorcodes"
 	"github.com/arduino/arduino-cli/cli/feedback"
+	"github.com/arduino/arduino-cli/cli/globals"
 	"github.com/arduino/arduino-cli/cli/instance"
 	"github.com/arduino/arduino-cli/cli/output"
 	"github.com/arduino/arduino-cli/commands/lib"
@@ -41,10 +44,8 @@ func initInstallCommand() *cobra.Command {
 		Run:  runInstallCommand,
 	}
 	installCommand.Flags().BoolVar(&installFlags.noDeps, "no-deps", false, "Do not install dependencies.")
-	if configuration.Settings.GetBool("library.enable_unsafe_install") {
-		installCommand.Flags().BoolVar(&installFlags.gitURL, "git-url", false, "Enter git url for libraries hosted on repositories")
-		installCommand.Flags().BoolVar(&installFlags.zipPath, "zip-path", false, "Enter a path to zip file")
-	}
+	installCommand.Flags().BoolVar(&installFlags.gitURL, "git-url", false, "Enter git url for libraries hosted on repositories")
+	installCommand.Flags().BoolVar(&installFlags.zipPath, "zip-path", false, "Enter a path to zip file")
 	return installCommand
 }
 
@@ -58,7 +59,16 @@ func runInstallCommand(cmd *cobra.Command, args []string) {
 	instance := instance.CreateInstanceIgnorePlatformIndexErrors()
 
 	if installFlags.zipPath || installFlags.gitURL {
-		feedback.Print("--git-url and --zip-path flags are dangerous, use it at your own risk.")
+		if !configuration.Settings.GetBool("library.enable_unsafe_install") {
+			documentationURL := "https://arduino.github.io/arduino-cli/latest/configuration/#configuration-keys"
+			if !strings.Contains(globals.VersionInfo.VersionString, "git") {
+				split := strings.Split(globals.VersionInfo.VersionString, ".")
+				documentationURL = fmt.Sprintf("https://arduino.github.io/arduino-cli/%s.%s/configuration/#configuration-keys", split[0], split[1])
+			}
+			feedback.Errorf("--git-url and --zip-path are disabled by default, for more information see: %v", documentationURL)
+			os.Exit(errorcodes.ErrGeneric)
+		}
+		feedback.Print("--git-url and --zip-path flags allow installing untrusted files, use it at your own risk.")
 	}
 
 	if installFlags.zipPath {

test/test_lib.py

@@ -173,13 +173,13 @@ def test_install_git_url_and_zip_path_flags_visibility(run_command, data_dir, do
     git_url = "https://github.com/arduino-libraries/WiFi101.git"
     res = run_command(f"lib install --git-url {git_url}")
     assert res.failed
-    assert "Error: unknown flag: --git-url" in res.stderr
+    assert "--git-url and --zip-path are disabled by default, for more information see:" in res.stderr
 
     assert run_command("lib download [email protected]")
     zip_path = Path(downloads_dir, "libraries", "AudioZero-1.0.0.zip")
     res = run_command(f"lib install --zip-path {zip_path}")
     assert res.failed
-    assert "Error: unknown flag: --zip-path" in res.stderr
+    assert "--git-url and --zip-path are disabled by default, for more information see:" in res.stderr
 
     env = {
         "ARDUINO_DATA_DIR": data_dir,
@@ -190,11 +190,11 @@ def test_install_git_url_and_zip_path_flags_visibility(run_command, data_dir, do
     # Verifies installation is successful when flags are enabled with env var
     res = run_command(f"lib install --git-url {git_url}", custom_env=env)
     assert res.ok
-    assert "--git-url and --zip-path flags are dangerous, use it at your own risk." in res.stdout
+    assert "--git-url and --zip-path flags allow installing untrusted files, use it at your own risk." in res.stdout
 
     res = run_command(f"lib install --zip-path {zip_path}", custom_env=env)
     assert res.ok
-    assert "--git-url and --zip-path flags are dangerous, use it at your own risk." in res.stdout
+    assert "--git-url and --zip-path flags allow installing untrusted files, use it at your own risk." in res.stdout
 
     # Uninstall libraries to install them again
     assert run_command("lib uninstall WiFi101 AudioZero")
@@ -204,11 +204,11 @@ def test_install_git_url_and_zip_path_flags_visibility(run_command, data_dir, do
 
     res = run_command(f"lib install --git-url {git_url}")
     assert res.ok
-    assert "--git-url and --zip-path flags are dangerous, use it at your own risk." in res.stdout
+    assert "--git-url and --zip-path flags allow installing untrusted files, use it at your own risk." in res.stdout
 
     res = run_command(f"lib install --zip-path {zip_path}")
     assert res.ok
-    assert "--git-url and --zip-path flags are dangerous, use it at your own risk." in res.stdout
+    assert "--git-url and --zip-path flags allow installing untrusted files, use it at your own risk." in res.stdout
 
 
 def test_install_with_git_url(run_command, data_dir, downloads_dir):
@@ -224,11 +224,11 @@ def test_install_with_git_url(run_command, data_dir, downloads_dir):
     # Test git-url library install
     res = run_command("lib install --git-url https://github.com/arduino-libraries/WiFi101.git")
     assert res.ok
-    assert "--git-url and --zip-path flags are dangerous, use it at your own risk." in res.stdout
+    assert "--git-url and --zip-path flags allow installing untrusted files, use it at your own risk." in res.stdout
 
     # Test failing-install as repository already exists
     res = run_command("lib install --git-url https://github.com/arduino-libraries/WiFi101.git")
-    assert "--git-url and --zip-path flags are dangerous, use it at your own risk." in res.stdout
+    assert "--git-url and --zip-path flags allow installing untrusted files, use it at your own risk." in res.stdout
     assert "Error installing Git Library: repository already exists" in res.stderr
 
 
@@ -249,7 +249,7 @@ def test_install_with_zip_path(run_command, data_dir, downloads_dir):
     # Test zip-path install
     res = run_command(f"lib install --zip-path {zip_path}")
     assert res.ok
-    assert "--git-url and --zip-path flags are dangerous, use it at your own risk." in res.stdout
+    assert "--git-url and --zip-path flags allow installing untrusted files, use it at your own risk." in res.stdout
 
 
 def test_update_index(run_command):