
(PUP-1172) Resolve Security cops 7.x #9171

Merged
merged 2 commits into from
Nov 27, 2023

Conversation

joshcooper
Contributor

Backport #9159

When opening a file path, use File.open

When opening a URL, use URI.parse(..).open

The Windows package class includes our Registry module which defines `open`. Use
the fully qualified name to avoid rubocop confusion.

(cherry picked from commit 283ba4c)

Both actions and functions/data types already define arbitrary code and are
loaded from trusted locations, so using eval isn't any worse.

I updated the ActionBuilder to delegate specific methods to the action. For
example, if an action calls the DSL method `summary "something"`, then the
ActionBuilder will call the corresponding setter on the Action, e.g.
Action#summary = "something".

The Action code is a bit more complicated because the arity of the block passed to
`when_invoked=` may be 0, positive or negative, depending on whether it accepts
optional arguments. Since we don't support Ruby 1.8 - 2.6, it could be improved
in the future to not call `eval`, but I didn't feel like bothering.

(cherry picked from commit 1e4316b)
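The File.open versus URI.parse(..).open distinction from the first commit message, as an added example that is not code from this PR or from Puppet. Kernel#open treats a string beginning with "|" as a command to run (this is what rubocop's Security/Open cop flags), whereas File.open only ever sees a path; the helper names and the constructed inputs below are my own.

```ruby
require "uri"
require "open-uri"
require "tempfile"

# Local paths: File.open has no pipe special case, so a string such as
# "|echo hello" is just a (non-existent) file name, never a command.
def read_local_file(path)
  File.open(path, "r", &:read)
end

# Remote resources: parse first, then call #open on the URI object. open-uri
# only defines #open for URI::HTTP (and its subclass URI::HTTPS), and the
# is_a? guard rejects file:, generic and unparsable inputs before any I/O.
def read_remote_resource(url)
  uri = URI.parse(url)
  raise ArgumentError, "refusing non-http(s) URI: #{url.inspect}" unless uri.is_a?(URI::HTTP)
  uri.open(&:read)
rescue URI::InvalidURIError => e
  raise ArgumentError, "not a URI: #{url.inspect} (#{e.message})"
end

# Classify an attempt as :opened or :rejected without aborting the demo.
def outcome
  yield
  :opened
rescue Errno::ENOENT, ArgumentError
  :rejected
end

# Constructed inputs only; nothing here touches the network.
def demo
  results = {}
  Tempfile.create("manifest") do |f|
    f.write("notify { 'hello': }\n")
    f.flush
    results[:file] = read_local_file(f.path)   # normal path still works
  end
  results[:pipe]     = outcome { read_local_file("|echo hello") }
  results[:file_uri] = outcome { read_remote_resource("file:///etc/passwd") }
  results[:pipe_uri] = outcome { read_remote_resource("|echo hello") }
  results
end
```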
@joshcooper joshcooper requested a review from a team as a code owner November 27, 2023 17:20
@joshcooper joshcooper changed the title (PUP-1172) Resolve Security cops (PUP-1172) Resolve Security cops 7.x Nov 27, 2023
@mhashizume mhashizume merged commit 7e0a01a into puppetlabs:7.x Nov 27, 2023
11 checks passed
@joshcooper joshcooper added the maintenance Maintenance chores are excluded from changelogs label Nov 29, 2023
@joshcooper joshcooper deleted the rubocop_7x_security branch October 10, 2024 19:04