(PUP-11772) Resolve Security cops main #9159

Merged
merged 2 commits into from
Nov 27, 2023

joshcooper
Contributor

No description provided.

@joshcooper joshcooper requested a review from a team as a code owner November 21, 2023 03:28
When opening a file path, use File.open

When opening a URL, use URI.parse(..).open

The Windows package class includes our Registry module which defines `open`. Use
the fully qualified name to avoid rubocop confusion.

Both actions and functions/data types already define arbitrary code and are
loaded from trusted locations, so using eval isn't any worse.

I updated the ActionBuilder to delegate specific methods to the action. For
example, if an action calls the DSL method `summary "something"`, then the
ActionBuilder will call the corresponding setter on the Action, e.g.
Action#summary = "something".

The Action code is a bit more complicated because the arity of the block passed to
`when_invoked=` may be 0, positive or negative, depending on whether it accepts
optional arguments. Since we don't support Ruby 1.8 - 2.6, it could be improved
in the future to not call `eval`, but I didn't feel like bothering.
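
The first commit message's rule (File.open for paths, URI.parse(..).open for URLs), as an added example that is not code from this pull request. `opener_for`, `safe_open` and `demo` are hypothetical names, and the sample inputs are constructed. Kernel#open has historically treated a string with a leading `|` as a command to run, which is what RuboCop's Security/Open cop flags; File.open treats the same string as a plain filename.

```ruby
require 'uri'
require 'open-uri'
require 'tmpdir'

# Hypothetical helper: classify a caller-supplied source string.
# Assumption: only http/https count as URLs; anything else is a file path.
def opener_for(source)
  URI.parse(source).is_a?(URI::HTTP) ? :url : :file
rescue URI::InvalidURIError
  # Strings that are not valid URIs (spaces, pipes, backslashes) are paths.
  :file
end

# Hypothetical helper: open a source without ever calling Kernel#open,
# so the string is never interpreted as a command.
def safe_open(source, &block)
  if opener_for(source) == :url
    URI.parse(source).open(&block) # open-uri, explicit URL handling
  else
    File.open(source, &block)      # explicit file handling
  end
end

# Constructed inputs: a real temp file and a pipe-prefixed string.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'sample.txt')
    File.write(path, "constructed sample\n")
    content = safe_open(path, &:read)
    piped = begin
      safe_open('| echo constructed-input', &:read)
    rescue Errno::ENOENT
      # File.open looked for a file with that literal name and found none.
      :treated_as_filename
    end
    [content, piped]
  end
end

p demo if $PROGRAM_NAME == __FILE__
```
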
@joshcooper joshcooper added the maintenance Maintenance chores are excluded from changelogs label Nov 21, 2023
Contributor

@mhashizume mhashizume left a comment

Do we want to backport these changes to 7.x as well?

@joshcooper
Contributor Author

@mhashizume I submitted #9171

@joshcooper joshcooper changed the title (PUP-11772) Resolve Security cops (PUP-11772) Resolve Security cops 7.x Nov 27, 2023
@joshcooper joshcooper changed the title (PUP-11772) Resolve Security cops 7.x (PUP-11772) Resolve Security cops main Nov 27, 2023
@mhashizume mhashizume merged commit bc32a27 into puppetlabs:main Nov 27, 2023
9 checks passed
@joshcooper joshcooper added the backport 7.x Generate a backport PR to 7.x label Dec 2, 2023
github-actions bot commented Dec 2, 2023

Backport failed for 7.x, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

```sh
git fetch origin 7.x
git worktree add -d .worktree/backport-9159-to-7.x origin/7.x
cd .worktree/backport-9159-to-7.x
git checkout -b backport-9159-to-7.x
ancref=$(git merge-base bfc08f9d0df3b52a21759b6a82698f15ae15e247 1e4316be886ed2c2629f7da5d6110c148a7ff222)
git cherry-pick -x $ancref..1e4316be886ed2c2629f7da5d6110c148a7ff222
```

@joshcooper joshcooper deleted the rubocop_main_security branch December 2, 2023 00:57