puppet-lint 4.0.0 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a7cd6dad7a05e7eefb19f4c9efedc5815b1f83376a77def6fd54b321945c520c
-  data.tar.gz: d82288ffc965a3f001269abdb42efe6bb71041575b1106e3331b4a70f2a0fe84
+  metadata.gz: 3953f32f31f48881c186abdd6a5ce57c2debaf28d24afc4b207a2a84a2065ccf
+  data.tar.gz: 60730e1ecb6cbf54f72f23bbb96769d181b9132a2fb756bdc858949e953d3467
 SHA512:
-  metadata.gz: b1571f76174d7afaca3da45f692b681aedb4e99a52563c3f3a0171d6db9bbddb9c409f5f21223fbfe249b7254f2d41edb01331b9c154afafb35572f3fdff7e7c
-  data.tar.gz: e594e8917a7ce55bab177449d1a6db41454dbbaacb37eb4a4f1b0ec9a8cf4e82f5ee023d112ca629d83bceceaba413d281d242f45388207a4c707e7380afc3ab
+  metadata.gz: 2421fd601c8e371f8bcfa8ffff3f5f9674fa1334d7ced66e1c0bd4a376c8365822f57b11a6d3ad80e134ea2b6faf6c20281e3497715b34c3c22db163e424cb2e
+  data.tar.gz: 5ab8e9650e45521eb84ea8c8f89d0970c90f919bd51e82dc6be73fc5a2b0944875673a16058ad0894288730358772ef82f07540a8ac0230bdb32aa5727abab46

data/lib/puppet-lint/lexer/token.rb

@@ -30,7 +30,7 @@ class PuppetLint::Lexer
     # etc) in the manifest.
     attr_accessor :next_code_token
 
-    # Public: Gets/sets the previous code tokne (skips whitespace,
+    # Public: Gets/sets the previous code token (skips whitespace,
     # comments, etc) in the manifest.
     attr_accessor :prev_code_token
 

data/lib/puppet-lint/plugins/check_classes/parameter_order.rb

@@ -37,7 +37,7 @@ PuppetLint.new_check(:parameter_order) do
           column: token.column,
           description: 'Test the manifest tokens for any parameterised classes or defined types that take ' \
                        'parameters and record a warning if there are any optional parameters listed before required parameters.',
-          help_uri: 'https://puppet.com/docs/puppet/latest/style_guide.html#display-order-of-parameters',
+          help_uri: 'https://puppet.com/docs/puppet/latest/style_guide.html#params-display-order',
         )
       end
     end
@@ -48,17 +48,15 @@ PuppetLint.new_check(:parameter_order) do
     return false unless token.prev_code_token
 
     [
-      :LPAREN, # First parameter, no type specification
-      :COMMA,  # Subsequent parameter, no type specification
-      :TYPE,   # Parameter with simple type specification
-      :RBRACK, # Parameter with complex type specification
+      :LPAREN,   # First parameter, no type specification
+      :COMMA,    # Subsequent parameter, no type specification
+      :TYPE,     # Parameter with simple type specification
+      :RBRACK,   # Parameter with complex type specification
+      :CLASSREF, # Parameter with custom type specification
     ].include?(token.prev_code_token.type)
   end
 
   def required_parameter?(token)
-    data_type = token.prev_token_of(:TYPE, skip_blocks: true)
-    return false if data_type && data_type.value == 'Optional'
-
     return !(token.prev_code_token && token.prev_code_token.type == :EQUALS) if token.next_code_token.nil? || [:COMMA, :RPAREN].include?(token.next_code_token.type)
 
     false

data/lib/puppet-lint/plugins/check_unsafe_interpolations/check_unsafe_interpolations.rb

@@ -0,0 +1,130 @@
+COMMANDS = Array['command', 'onlyif', 'unless']
+INTERPOLATED_STRINGS = Array[:DQPRE, :DQMID]
+USELESS_CHARS = Array[:WHITESPACE, :COMMA]
+
+PuppetLint.new_check(:check_unsafe_interpolations) do
+  def check
+    # Gather any exec commands' resources into an array
+    exec_resources = resource_indexes.filter_map do |resource|
+      resource_parameters = resource[:param_tokens].map(&:value)
+      resource if resource[:type].value == 'exec' && !(COMMANDS & resource_parameters).empty?
+    end
+
+    # Iterate over title tokens and raise a warning if any are variables
+    unless get_exec_titles.empty?
+      get_exec_titles.each do |title|
+        check_unsafe_title(title)
+      end
+    end
+
+    # Iterate over each command found in any exec
+    exec_resources.each do |command_resources|
+      check_unsafe_interpolations(command_resources)
+    end
+  end
+
+  # Iterate over the tokens in a title and raise a warning if an interpolated variable is found
+  def check_unsafe_title(title)
+    title.each do |token|
+      notify_warning(token.next_code_token) if interpolated?(token)
+    end
+  end
+
+  # Iterates over an exec resource and if a command, onlyif or unless paramter is found, it is checked for unsafe interpolations
+  def check_unsafe_interpolations(command_resources)
+    command_resources[:tokens].each do |token|
+      # Skip iteration if token isn't a command of type :NAME
+      next unless COMMANDS.include?(token.value) && token.type == :NAME
+      # Don't check the command if it is parameterised
+      next if parameterised?(token)
+
+      check_command(token).each do |t|
+        notify_warning(t)
+      end
+    end
+  end
+
+  # Raises a warning given a token and message
+  def notify_warning(token)
+    notify :warning,
+           message: "unsafe interpolation of variable '#{token.value}' in exec command",
+           line: token.line,
+           column: token.column
+  end
+
+  # Iterates over the tokens in a command and adds it to an array of violations if it is an input variable
+  def check_command(token)
+    # Initialise variables needed in while loop
+    rule_violations = []
+    current_token = token
+
+    # Iterate through tokens in command
+    while current_token.type != :NEWLINE
+      # Check if token is a varibale and if it is parameterised
+      rule_violations.append(current_token.next_code_token) if interpolated?(current_token)
+      current_token = current_token.next_token
+    end
+
+    rule_violations
+  end
+
+  # A command is parameterised if its args are placed in an array
+  # This function checks if the current token is a :FARROW and if so, if it is followed by an LBRACK
+  def parameterised?(token)
+    current_token = token
+    while current_token.type != :NEWLINE
+      return true if current_token.type == :FARROW && current_token.next_token.next_token.type == :LBRACK
+
+      current_token = current_token.next_token
+    end
+  end
+
+  # This function is a replacement for puppet_lint's title_tokens function which assumes titles have single quotes
+  # This function adds a check for titles in double quotes where there could be interpolated variables
+  def get_exec_titles
+    result = []
+    tokens.each_with_index do |_token, token_idx|
+      next if tokens[token_idx].value != 'exec'
+
+      # We have a resource declaration. Now find the title
+      tokens_array = []
+      # Check if title is an array
+      if tokens[token_idx]&.next_code_token&.next_code_token&.type == :LBRACK
+        # Get the start and end indices of the array of titles
+        array_start_idx = tokens.rindex { |r| r.type == :LBRACK }
+        array_end_idx = tokens.rindex { |r| r.type == :RBRACK }
+
+        # Grab everything within the array
+        title_array_tokens = tokens[(array_start_idx + 1)..(array_end_idx - 1)]
+        tokens_array.concat(title_array_tokens.reject do |token|
+          USELESS_CHARS.include?(token.type)
+        end)
+        result << tokens_array
+      # Check if title is double quotes string
+      elsif tokens[token_idx].next_code_token.next_code_token.type == :DQPRE
+        # Find the start and end of the title
+        title_start_idx = tokens.find_index(tokens[token_idx].next_code_token.next_code_token)
+        title_end_idx = title_start_idx + index_offset_for(':', tokens[title_start_idx..tokens.length])
+
+        result << tokens[title_start_idx..title_end_idx]
+      # Title is in single quotes
+      else
+        tokens_array.concat([tokens[token_idx].next_code_token.next_code_token])
+
+        result << tokens_array
+      end
+    end
+    result
+  end
+
+  def interpolated?(token)
+    INTERPOLATED_STRINGS.include?(token.type)
+  end
+
+  # Finds the index offset of the next instance of `value` in `tokens_slice` from the original index
+  def index_offset_for(value, tokens_slice)
+    tokens_slice.each_with_index do |token, i|
+      return i if value.include?(token.value)
+    end
+  end
+end

data/lib/puppet-lint/plugins/legacy_facts/legacy_facts.rb

@@ -115,14 +115,9 @@ PuppetLint.new_check(:legacy_facts) do
     tokens.select { |x| LEGACY_FACTS_VAR_TYPES.include?(x.type) }.each do |token|
       fact_name = ''
 
-      # This matches legacy facts defined in the fact hash that use the top scope
-      # fact assignment.
-      if token.value.start_with?('::facts[')
-        fact_name = token.value.match(%r{::facts\['(.*)'\]})[1]
-
       # This matches legacy facts defined in the fact hash.
-      elsif token.value.start_with?("facts['")
-        fact_name = token.value.match(%r{facts\['(.*)'\]})[1]
+      if (match = (token.value.match(%r{(::)?facts\['(.*)'\]}) || token.value.match(%r{(::)?facts\[(.*)\]})))
+        fact_name = match[2]
 
       # This matches using legacy facts in a the new structured fact. For
       # example this would match 'uuid' in $facts['uuid'] so it can be converted

data/lib/puppet-lint/plugins/top_scope_facts/top_scope_facts.rb

@@ -17,7 +17,17 @@ TOP_SCOPE_FACTS_VAR_TYPES = Set[:VARIABLE, :UNENC_VARIABLE]
 
 PuppetLint.new_check(:top_scope_facts) do
   def check
-    whitelist = ['trusted', 'facts'] + (PuppetLint.configuration.top_scope_variables || [])
+    whitelist = ['trusted', 'facts', 'architecture', 'augeasversion', 'bios_release_date', 'bios_vendor', 'bios_version',
+                 'boardassettag', 'boardmanufacturer', 'boardproductname', 'boardserialnumber', 'chassisassettag', 'chassistype', 'domain',
+                 'fqdn', 'gid', 'hardwareisa', 'hardwaremodel', 'hostname', 'id', 'ipaddress', 'ipaddress6', 'lsbdistcodename',
+                 'lsbdistdescription', 'lsbdistid', 'lsbdistrelease', 'lsbmajdistrelease', 'lsbminordistrelease', 'lsbrelease',
+                 'macaddress', 'macosx_buildversion', 'macosx_productname', 'macosx_productversion', 'macosx_productversion_major',
+                 'macosx_productversion_minor', 'manufacturer', 'memoryfree', 'memorysize', 'netmask', 'netmask6', 'network', 'network6',
+                 'operatingsystem', 'operatingsystemmajrelease', 'operatingsystemrelease', 'osfamily', 'physicalprocessorcount',
+                 'processorcount', 'productname', 'rubyplatform', 'rubysitedir', 'rubyversion', 'selinux', 'selinux_config_mode',
+                 'selinux_config_policy', 'selinux_current_mode', 'selinux_enforced', 'selinux_policyversion', 'serialnumber',
+                 'swapencrypted', 'swapfree', 'swapsize', 'system32', 'uptime', 'uptime_days', 'uptime_hours', 'uptime_seconds',
+                 'uuid', 'xendomains', 'zonename'] + (PuppetLint.configuration.top_scope_variables || [])
     whitelist = whitelist.join('|')
     tokens.select { |x| TOP_SCOPE_FACTS_VAR_TYPES.include?(x.type) }.each do |token|
       next unless %r{^::}.match?(token.value)

data/lib/puppet-lint/version.rb

@@ -1,3 +1,3 @@
 class PuppetLint
-  VERSION = '4.0.0'.freeze
+  VERSION = '4.1.0'.freeze
 end

data/spec/fixtures/test/reports/code_climate.json

@@ -33,6 +33,6 @@
       }
     },
     "fingerprint": "e34cf289e008446b633d1be7cf58120e",
-    "content": "Test the manifest tokens for any parameterised classes or defined types that take parameters and record a warning if there are any optional parameters listed before required parameters. See [this page](https://puppet.com/docs/puppet/latest/style_guide.html#display-order-of-parameters) for more information about the `parameter_order` check."
+    "content": "Test the manifest tokens for any parameterised classes or defined types that take parameters and record a warning if there are any optional parameters listed before required parameters. See [this page](https://puppet.com/docs/puppet/latest/style_guide.html#params-display-order) for more information about the `parameter_order` check."
   }
 ]

data/spec/unit/puppet-lint/plugins/check_classes/parameter_order_spec.rb

@@ -135,19 +135,6 @@ describe 'parameter_order' do
       it { expect(problems).to have(0).problem }
     end
 
-    context "#{type} parameter with Optional data type" do
-      let(:code) do
-        <<-END
-          #{type} test(
-            String $test = 'value',
-            Optional[String] $optional,
-          ) { }
-        END
-      end
-
-      it { expect(problems).to have(0).problems }
-    end
-
     context "#{type} parameter with array operation" do
       let(:code) do
         <<-END
@@ -165,5 +152,72 @@ describe 'parameter_order' do
 
       it { expect(problems).to have(0).problems }
     end
+
+    context "#{type} parameters of Optional type are just regular parameters" do
+      let(:code) do
+        <<-END
+          #{type} test (
+            String $param1 = '',
+            Optional[Boolean] $param2,
+          ) { }
+        END
+      end
+
+      it { expect(problems).to have(1).problems }
+    end
+
+    [['Custom::Type1', 'Custom::Type2'], ['Custom::Type1', 'String'], ['String', 'Custom::Type2']].each_with_index do |testtypes, i| # rubocop:disable Performance/CollectionLiteralInLoop
+      context "#{type} parameters of custom type - no values - #{i}" do
+        let(:code) do
+          <<-END
+            #{type} test (
+              #{testtypes[0]} $param1,
+              #{testtypes[0]} $param2,
+            ) { }
+          END
+        end
+
+        it { expect(problems).to have(0).problems }
+      end
+
+      context "#{type} parameters of custom type - two values - #{i}" do
+        let(:code) do
+          <<-END
+            #{type} test (
+              #{testtypes[0]} $param1 = 'foo',
+              #{testtypes[1]} $param2 = 'bar',
+            ) { }
+          END
+        end
+
+        it { expect(problems).to have(0).problems }
+      end
+
+      context "#{type} parameters of custom type - one value, wrong order - #{i}" do
+        let(:code) do
+          <<-END
+            #{type} test (
+              #{testtypes[0]} $param1 = 'foo',
+              #{testtypes[1]} $param2,
+            ) { }
+          END
+        end
+
+        it { expect(problems).to have(1).problems }
+      end
+
+      context "#{type} parameters of custom type - one value, right order - #{i}" do
+        let(:code) do
+          <<-END
+            #{type} test (
+              #{testtypes[0]} $param1,
+              #{testtypes[1]} $param2 = 'bar',
+            ) { }
+          END
+        end
+
+        it { expect(problems).to have(0).problems }
+      end
+    end
   end
 end

data/spec/unit/puppet-lint/plugins/check_unsafe_interpolations/check_unsafe_interpolations_spec.rb

@@ -0,0 +1,186 @@
+require 'spec_helper'
+
+describe 'check_unsafe_interpolations' do
+  let(:msg) { "unsafe interpolation of variable 'foo' in exec command" }
+
+  context 'with fix disabled' do
+    context 'exec with unsafe interpolation in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => "echo ${foo}",
+          }
+
+        }
+        PUPPET
+      end
+
+      it 'detects an unsafe exec command argument' do
+        expect(problems).to have(1).problems
+      end
+
+      it 'creates one warning' do
+        expect(problems).to contain_warning(msg)
+      end
+    end
+
+    context 'exec with multiple unsafe interpolations in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => "echo ${foo} ${bar}",
+          }
+
+        }
+        PUPPET
+      end
+
+      it 'detects multiple unsafe exec command arguments' do
+        expect(problems).to have(2).problems
+      end
+
+      it 'creates two warnings' do
+        expect(problems).to contain_warning(msg)
+        expect(problems).to contain_warning(msg)
+      end
+    end
+
+    context 'code that uses title with unsafe string as command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { "echo ${foo}": }
+
+        }
+        PUPPET
+      end
+
+      it 'detects one problem' do
+        expect(problems).to have(1).problems
+      end
+
+      it 'creates one warning' do
+        expect(problems).to contain_warning(msg)
+      end
+    end
+
+    context 'exec with a safe string in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => "echo foo",
+          }
+
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+    context 'exec that has an array of args in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => ['echo', $foo],
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+    context 'exec that has an array of args in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { ["foo", "bar", "baz"]:
+            command => echo qux,
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+    context 'file resource' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+          file { '/etc/bar':
+            ensure  => file,
+            backup  => false,
+            content => $baz,
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+    context 'file resource and an exec with unsafe interpolation in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+          file { '/etc/bar':
+            ensure  => file,
+            backup  => false,
+            content => $baz,
+          }
+
+          exec { 'qux':
+            command => "echo ${foo}",
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects one problem' do
+        expect(problems).to have(1).problems
+      end
+    end
+
+    context 'case statement and an exec' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+          case bar {
+            baz : {
+              echo qux
+            }
+          }
+
+          exec { 'foo':
+            command => "echo bar",
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/unit/puppet-lint/plugins/legacy_facts/legacy_facts_spec.rb

@@ -121,6 +121,14 @@ describe 'legacy_facts' do
         expect(problems).to have(1).problem
       end
     end
+
+    context 'top scoped fact variable using unquoted legacy facts hash variable in interpolation' do
+      let(:code) { '$::facts[osfamily]' }
+
+      it 'detects a single problem' do
+        expect(problems).to have(1).problem
+      end
+    end
   end
 
   context 'with fix enabled' do

data/spec/unit/puppet-lint/plugins/top_scope_facts/top_scope_facts_spec.rb

@@ -37,26 +37,10 @@ describe 'top_scope_facts' do
     end
 
     context 'fact variable using top scope' do
-      let(:code) { '$::operatingsystem' }
+      let(:code) { '$::fqdn' }
 
-      it 'onlies detect a single problem' do
-        expect(problems).to have(1).problem
-      end
-
-      it 'creates a warning' do
-        expect(problems).to contain_warning(msg).on_line(1).in_column(1)
-      end
-    end
-
-    context 'fact variable using top scope with curly braces in double quote' do
-      let(:code) { '"${::operatingsystem}"' }
-
-      it 'onlies detect a single problem' do
-        expect(problems).to have(1).problem
-      end
-
-      it 'creates a warning' do
-        expect(problems).to contain_warning(msg).on_line(1).in_column(4)
+      it 'does not detect a single problem' do
+        expect(problems).to have(0).problem
       end
     end
 
@@ -126,34 +110,6 @@ describe 'top_scope_facts' do
       end
     end
 
-    context 'fact variable using top scope' do
-      let(:code) { '$::operatingsystem' }
-
-      it 'onlies detect a single problem' do
-        expect(problems).to have(1).problem
-      end
-
-      it 'fixes the problem' do
-        expect(problems).to contain_fixed(msg).on_line(1).in_column(1)
-      end
-
-      it 'shoulds use the facts hash' do
-        expect(manifest).to eq("$facts['operatingsystem']")
-      end
-    end
-
-    context 'fact variable using top scope with curly braces in double quote' do
-      let(:code) { '"${::operatingsystem}"' }
-
-      it 'fixes the problem' do
-        expect(problems).to contain_fixed(msg).on_line(1).in_column(4)
-      end
-
-      it 'shoulds use the facts hash' do
-        expect(manifest).to eq('"${facts[\'operatingsystem\']}"')
-      end
-    end
-
     context 'with custom top scope fact variables' do
       before(:each) do
         PuppetLint.configuration.top_scope_variables = ['location', 'role']

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: puppet-lint
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 4.1.0
 platform: ruby
 authors:
 - Tim Sharpe
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-04-21 00:00:00.000000000 Z
+date: 2023-08-25 00:00:00.000000000 Z
 dependencies: []
 description: "    Checks your Puppet manifests against the Puppetlabs style guide
   and alerts you to any discrepancies.\n"
@@ -66,6 +66,7 @@ files:
 - lib/puppet-lint/plugins/check_strings/quoted_booleans.rb
 - lib/puppet-lint/plugins/check_strings/single_quote_string_with_variables.rb
 - lib/puppet-lint/plugins/check_strings/variables_not_enclosed.rb
+- lib/puppet-lint/plugins/check_unsafe_interpolations/check_unsafe_interpolations.rb
 - lib/puppet-lint/plugins/check_variables/variable_contains_dash.rb
 - lib/puppet-lint/plugins/check_variables/variable_is_lowercase.rb
 - lib/puppet-lint/plugins/check_whitespace/140chars.rb
@@ -139,6 +140,7 @@ files:
 - spec/unit/puppet-lint/plugins/check_strings/quoted_booleans_spec.rb
 - spec/unit/puppet-lint/plugins/check_strings/single_quote_string_with_variables_spec.rb
 - spec/unit/puppet-lint/plugins/check_strings/variables_not_enclosed_spec.rb
+- spec/unit/puppet-lint/plugins/check_unsafe_interpolations/check_unsafe_interpolations_spec.rb
 - spec/unit/puppet-lint/plugins/check_variables/variable_contains_dash_spec.rb
 - spec/unit/puppet-lint/plugins/check_variables/variable_is_lowercase_spec.rb
 - spec/unit/puppet-lint/plugins/check_whitespace/140chars_spec.rb