puppet-lint-check_unsafe_interpolations 0.0.4 → 0.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7030c967d7f3f39c1829abe1d620bd93c22e556e0ff9238e2197ef65c3faba27
-  data.tar.gz: 6b7397d25a2e92fee44bae25c3b3386b66468d7adf7c6c51f1a3044ae8db00ea
+  metadata.gz: 06bfbbbb77295091db599b90f1f6052b98b96e5b3d0d5ab3dc77526527739d56
+  data.tar.gz: e5861ad1c3ce71eef31c619fe6ec00f4edbd58df53741ec9c6e302516276d1bc
 SHA512:
-  metadata.gz: c91e94e645dae141e93b74324f16c88a4ede801d56e1f501e994500d99ebc4ae418f9c25107c081d513ca23db3040455de97915f7c753bb00ae1481419fd6493
-  data.tar.gz: 93f689e32e264b4aa107a9986d1f17692bd55ec34863263f73cdc642b02d6eff894cedd10bbf8dbf554ca66b1b2e0a636ae1bbb047bbb22dc56ffa799f5bf7f7
+  metadata.gz: 3fff01f49a697082783b3ea9b6eab8fe92c26e10ddbe8c981eaac0dce1d733166903201f8f7ee438401453fd0096e2c571d5dabd9a5da12163d6a08cec5c306c
+  data.tar.gz: 0fe2a37dda1149d9396371c0eff81048845253cbb94b7badfd91c25c0496b5e10a3240a653b5fe494cba74a16002569b7df6292f936b7f34c8b1bebb240d0ecc

data/lib/puppet-lint/plugins/check_unsafe_interpolations.rb

@@ -22,10 +22,10 @@ PuppetLint.new_check(:check_unsafe_interpolations) do
     end
   end
 
-  # Iterate over the tokens in a title and raise a warning if an interpolated variable is found
+  # Iterate over the tokens in a title and raise a warning if an unsafe interpolated variable is found
   def check_unsafe_title(title)
     title.each do |token|
-      notify_warning(token.next_code_token) if interpolated?(token)
+      notify_warning(token.next_code_token) if unsafe_interpolated?(token)
     end
   end
 
@@ -33,7 +33,7 @@ PuppetLint.new_check(:check_unsafe_interpolations) do
   def check_unsafe_interpolations(command_resources)
     command_resources[:tokens].each do |token|
       # Skip iteration if token isn't a command of type :NAME
-      next unless COMMANDS.include?(token.value) && token.type == :NAME
+      next unless COMMANDS.include?(token.value) && (token.type == :NAME || token.type == :UNLESS)
       # Don't check the command if it is parameterised
       next if parameterised?(token)
 
@@ -60,7 +60,7 @@ PuppetLint.new_check(:check_unsafe_interpolations) do
     # Iterate through tokens in command
     while current_token.type != :NEWLINE
       # Check if token is a varibale and if it is parameterised
-      rule_violations.append(current_token.next_code_token) if interpolated?(current_token)
+      rule_violations.append(current_token.next_code_token) if unsafe_interpolated?(current_token)
       current_token = current_token.next_token
     end
 
@@ -78,7 +78,7 @@ PuppetLint.new_check(:check_unsafe_interpolations) do
   end
 
   # This function is a replacement for puppet_lint's title_tokens function which assumes titles have single quotes
-  # This function adds a check for titles in double quotes where there could be interpolated variables
+  # This function adds a check for titles in double quotes where there could be unsafe interpolated variables
   def get_exec_titles
     result = []
     tokens.each_index do |token_idx|
@@ -100,8 +100,8 @@ PuppetLint.new_check(:check_unsafe_interpolations) do
       # Check if title is double quotes string
       elsif tokens[token_idx].next_code_token.next_code_token.type == :DQPRE
         # Find the start and end of the title
-        title_start_idx = tokens.rindex { |r| r.type == :DQPRE }
-        title_end_idx = tokens.rindex { |r| r.type == :DQPOST }
+        title_start_idx = tokens.find_index(tokens[token_idx].next_code_token.next_code_token)
+        title_end_idx = title_start_idx + index_offset_for(':', tokens[title_start_idx..tokens.length])
 
         result << tokens[title_start_idx..title_end_idx]
       # Title is in single quotes
@@ -114,7 +114,60 @@ PuppetLint.new_check(:check_unsafe_interpolations) do
     result
   end
 
-  def interpolated?(token)
-    INTERPOLATED_STRINGS.include?(token.type)
+  def find_closing_brack(token)
+    while (token = token.next_code_token)
+      case token.type
+      when :RBRACK
+        return token
+      when :LBRACK
+        token = find_closing_brack(token)
+      end
+    end
+    raise 'not reached'
+  end
+
+  def find_closing_paren(token)
+    while (token = token.next_code_token)
+      case token.type
+      when :RPAREN
+        return token
+      when :LPAREN
+        token = find_closing_paren(token)
+      end
+    end
+    raise 'not reached'
+  end
+
+  def unsafe_interpolated?(token)
+    # XXX: Since stdlib 9.0.0 'shell_escape' is deprecated in favor or 'stdlib::shell_escape'
+    # When the shell_escape function is removed from stdlib, we want to remove it bellow.
+    return false unless INTERPOLATED_STRINGS.include?(token.type)
+
+    token = token.next_code_token
+
+    if token.type == :FUNCTION_NAME && ['shell_escape', 'stdlib::shell_escape'].include?(token.value)
+      token = token.next_code_token
+      token = find_closing_paren(token).next_code_token if token.type == :LPAREN
+      return ![:DQPOST, :DQMID].include?(token.type)
+    elsif token.type == :VARIABLE
+      token = token.next_code_token
+      token = find_closing_brack(token).next_code_token if token.type == :LBRACK
+      if token.type == :DOT && [:NAME, :FUNCTION_NAME].include?(token.next_code_token.type) && ['shell_escape', 'stdlib::shell_escape'].include?(token.next_code_token.value)
+        token = token.next_code_token.next_code_token
+        token = find_closing_paren(token).next_code_token if token.type == :LPAREN
+        return ![:DQPOST, :DQMID].include?(token.type)
+      end
+    end
+
+    true
+  end
+
+  # Finds the index offset of the next instance of `value` in `tokens_slice` from the original index
+  def index_offset_for(value, tokens_slice)
+    i = 0
+    while i < tokens_slice.length
+      return i if value.include?(tokens_slice[i].value)
+      i += 1
+    end
   end
 end

data/lib/puppet-lint/plugins/version.rb

@@ -1,4 +1,4 @@
 # version of this gem
 class CheckUnsafeInterpolations
-  VERSION ||= '0.0.4'.freeze
+  VERSION ||= '0.0.5'.freeze
 end

data/spec/puppet-lint/plugins/check_unsafe_interpolations_spec.rb

@@ -33,6 +33,8 @@ describe 'check_unsafe_interpolations' do
 
           exec { 'bar':
             command => "echo ${foo} ${bar}",
+            onlyif  => "${baz}",
+            unless  => "${bazz}",
           }
 
         }
@@ -40,12 +42,14 @@ describe 'check_unsafe_interpolations' do
       end
 
       it 'detects multiple unsafe exec command arguments' do
-        expect(problems).to have(2).problems
+        expect(problems).to have(4).problems
       end
 
       it 'creates two warnings' do
         expect(problems).to contain_warning(msg)
-        expect(problems).to contain_warning(msg)
+        expect(problems).to contain_warning("unsafe interpolation of variable 'bar' in exec command")
+        expect(problems).to contain_warning("unsafe interpolation of variable 'baz' in exec command")
+        expect(problems).to contain_warning("unsafe interpolation of variable 'bazz' in exec command")
       end
     end
 
@@ -87,6 +91,44 @@ describe 'check_unsafe_interpolations' do
       end
     end
 
+    context 'exec with shell escaped string in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => "echo ${foo.stdlib::shell_escape} ${bar.stdlib::shell_escape()}",
+            onlyif  => "${bar[1].stdlib::shell_escape}",
+            unless  => "[ -x ${stdlib::shell_escape(reticulate($baz))} ]",
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+    context 'exec with post-processed shell escaped string in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => "echo ${reticulate(foo.stdlib::shell_escape)} ${bar.stdlib::shell_escape().reticulate}",
+            onlyif  => "${bar[1].stdlib::shell_escape.reticulate()}",
+            unless  => "[ -x ${reticulate(stdlib::shell_escape($baz))} ]",
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(4).problems
+      end
+    end
+
     context 'exec that has an array of args in command' do
       let(:code) do
         <<-PUPPET

data/spec/spec_helper.rb

@@ -1,3 +1,4 @@
 require 'puppet-lint'
+require 'rspec/collection_matchers'
 
 PuppetLint::Plugins.load_spec_helper

metadata

@@ -1,35 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: puppet-lint-check_unsafe_interpolations
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-12-12 00:00:00.000000000 Z
+date: 2024-05-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: puppet-lint
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '4'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.0'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '4.0'
 description: "    A puppet-lint plugin to check for unsafe interpolations.\n"
 email: 
 executables: []