Fix safe interpolation detection #48
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The rspec-collection_matchers documentation advise to require rspec-collection_matchers form `spec_helper.rb`. This fix: ``` Failure/Error: expect(problems).to have(1).problems NoMethodError: undefined method `have' for #<RSpec::ExampleGroups::CheckUnsafeInterpolations::WithFixDisabled::ExecWithUnsafeInterpolationInCommand "detects an unsafe exec command argument" (./spec/puppet-lint/plugins/check_unsafe_interpolations_spec.rb:20)> ```
We produce 2 errors in this example. We don't want to check that the first one is present twice: we want to check that each warning is present once.
These commands are supposed to be supported, but they are not tested, so add tests to demonstrate that they work as intended.
When using the `unless` parameter of an `exec` resource with unsafe string interpolation, the linter should warn about the issue. It happen that it currently doesn't because unless is also a keyword. Adjust the linter to cope with this.
smortex
force-pushed
the
fix-safe-interpolation-detection
branch
from
72ead66 to
607323b
Compare
Any variable interpolation is currently reported as unsafe. The stdlib feature a `stdlib::shell_escape()` function (formerly `shell_escape()`) that escape the string passed as parameter. In such a case, an unsafe interpolation should not be detected. Add detection of such escaped string and do not report an error in this case. `stdlib::shell_escape()` must be the last function called in the interpolation for it to not be reported as unsafe.
smortex
force-pushed
the
fix-safe-interpolation-detection
branch
from
607323b to
80a991d
Compare
|
@smortex We are happy to merge this in, but we will not be able to add it into the default templates until such time as auto correct functionality for it has been added. Thanks for putting in the work :) |
david22swan
approved these changes
Apr 26, 2024
You mean into the PDK templates? I am not sure we can reliably auto-fix these issues as what has to be done is quite different from one context to another, and shell_espacing all variables will often work but sometimes completely break the code. Yet this module is very valuable to find issues in code. Do you think we can do a new release to integrate this change? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Any variable interpolation is currently reported as unsafe.
The stdlib feature a
stdlib::shell_escape()function (formerlyshell_escape()) that escape the string passed as parameter. In such a case, an unsafe interpolation should not be detected.Add detection of such escaped string and do not report an error in this case.
stdlib::shell_escape()must be the last function called in the interpolation for it to not be reported as unsafe.Fixes #39
Also include:
unlessparameter #47