Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add steps to read and write TOML file #272

Merged
merged 2 commits into from
Oct 11, 2024
Merged

Add steps to read and write TOML file #272

merged 2 commits into from
Oct 11, 2024

Conversation

a1k0u
Copy link
Contributor

@a1k0u a1k0u commented Aug 27, 2024
edited
Loading

Add steps to work with TOML files/text. We are going to use these new steps to work with BuildKit configuration files in own pipeline/shared library. The realization is similar to JSON steps.

I chose com.fasterxml.jackson.dataformat.jackson-dataformat-toml, because this library implements the latest version of TOML specification (v1.0.0) and was recommended by official WIKI.

Testing done

Test cases are similar to JSON realization.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@a1k0u a1k0u changed the title feat(steps): add step to read and write toml file feat(steps): add step to read and write TOML file Aug 27, 2024
@a1k0u a1k0u marked this pull request as ready for review August 27, 2024 16:11
@a1k0u a1k0u requested a review from a team as a code owner August 27, 2024 16:11
@a1k0u
Copy link
Contributor Author

a1k0u commented Sep 19, 2024

@rsandell, hello! Can you review this PR, please? 🙏

rsandell
rsandell reviewed Sep 19, 2024
View reviewed changes
src/main/java/org/jenkinsci/plugins/pipeline/utility/steps/toml/ReadTOMLStepExecution.java
}

try (InputStream is = f.read()) {
toml = mapper.readValue(IOUtils.toString(is, StandardCharsets.UTF_8), Object.class);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not familiar with TOML, but the yaml read step has extra configuration in place to avoid mapping to complex objects for security reasons, for example to avoid loading a class with a vulnerable static initializer that could be utilized by a nefarious user. Is that a precaution that can be taken here as well?
The mapping to Object.class was reminding me of it and made me nervous :)

Copy link
Contributor Author

@a1k0u a1k0u Oct 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It took some time to get back to work on this pull request 😄

Thanks for review. I have understood the idea of CVE-2022-1471 vulnerability (I hope you mentioned exactly this problem)

TOML format is much easier than YAML. TOML operates with simple data structures which have already defined in the code. It is similar to SafeConstructor in SnakeYAML. So, no extra classes can be initialized during parsing

com.fasterxml.jackson.dataformat.toml package very small and simple, it delegates all work on tomlj and com.fasterxml.jackson.databind.ObjectMapper. This package extends ObjectMapper class with custom input/output decorators. Before mapping on the given structure (Object.class in this case, no one will be able to change the mapping class), it converts TOML to JSON (because TOML is just a map) and after that jackson packages work with the data as if it were a json file

@rsandell
Copy link
Member

Could you update https://github.com/jenkinsci/pipeline-utility-steps-plugin/blob/master/docs/STEPS.md as well please?

@rsandell rsandell changed the title feat(steps): add step to read and write TOML file Add steps to read and write TOML file Oct 11, 2024
@a1k0u
Copy link
Contributor Author

a1k0u commented Oct 11, 2024

@rsandell, thank you! I've updated STEPS.md

@rsandell
Copy link
Member

Thank you!

@rsandell rsandell merged commit 9f3563e into jenkinsci:master Oct 11, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rsandell rsandell rsandell approved these changes

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@a1k0u @rsandell