puppet-lint 4.0.1 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c29efe87a1b5506f4849bf91bb2ebdd9aa76985bbfe0cb9206de80d309a5611
-  data.tar.gz: f17c4c2195f16b27e5595c9e1546ae53ad255913f2ea42203a9eee221e11d809
+  metadata.gz: 3953f32f31f48881c186abdd6a5ce57c2debaf28d24afc4b207a2a84a2065ccf
+  data.tar.gz: 60730e1ecb6cbf54f72f23bbb96769d181b9132a2fb756bdc858949e953d3467
 SHA512:
-  metadata.gz: '048132fc797b8f1ac6b31a310db4b4f654f71930847b6839783107381d7d46893d672ad3c879e6792f8f2c5367aa733addb855cd820c2578da63b4222853e13f'
-  data.tar.gz: b9d4f0a474c89731757c336811e910885ce87bd4dca6c4041355f2646e51ad87c38eeaa66ced098aca4146d4c33b03c2bffeb970bd0c91c00d111984cd493718
+  metadata.gz: 2421fd601c8e371f8bcfa8ffff3f5f9674fa1334d7ced66e1c0bd4a376c8365822f57b11a6d3ad80e134ea2b6faf6c20281e3497715b34c3c22db163e424cb2e
+  data.tar.gz: 5ab8e9650e45521eb84ea8c8f89d0970c90f919bd51e82dc6be73fc5a2b0944875673a16058ad0894288730358772ef82f07540a8ac0230bdb32aa5727abab46

data/lib/puppet-lint/plugins/check_unsafe_interpolations/check_unsafe_interpolations.rb

@@ -0,0 +1,130 @@
+COMMANDS = Array['command', 'onlyif', 'unless']
+INTERPOLATED_STRINGS = Array[:DQPRE, :DQMID]
+USELESS_CHARS = Array[:WHITESPACE, :COMMA]
+
+PuppetLint.new_check(:check_unsafe_interpolations) do
+  def check
+    # Gather any exec commands' resources into an array
+    exec_resources = resource_indexes.filter_map do |resource|
+      resource_parameters = resource[:param_tokens].map(&:value)
+      resource if resource[:type].value == 'exec' && !(COMMANDS & resource_parameters).empty?
+    end
+
+    # Iterate over title tokens and raise a warning if any are variables
+    unless get_exec_titles.empty?
+      get_exec_titles.each do |title|
+        check_unsafe_title(title)
+      end
+    end
+
+    # Iterate over each command found in any exec
+    exec_resources.each do |command_resources|
+      check_unsafe_interpolations(command_resources)
+    end
+  end
+
+  # Iterate over the tokens in a title and raise a warning if an interpolated variable is found
+  def check_unsafe_title(title)
+    title.each do |token|
+      notify_warning(token.next_code_token) if interpolated?(token)
+    end
+  end
+
+  # Iterates over an exec resource and if a command, onlyif or unless paramter is found, it is checked for unsafe interpolations
+  def check_unsafe_interpolations(command_resources)
+    command_resources[:tokens].each do |token|
+      # Skip iteration if token isn't a command of type :NAME
+      next unless COMMANDS.include?(token.value) && token.type == :NAME
+      # Don't check the command if it is parameterised
+      next if parameterised?(token)
+
+      check_command(token).each do |t|
+        notify_warning(t)
+      end
+    end
+  end
+
+  # Raises a warning given a token and message
+  def notify_warning(token)
+    notify :warning,
+           message: "unsafe interpolation of variable '#{token.value}' in exec command",
+           line: token.line,
+           column: token.column
+  end
+
+  # Iterates over the tokens in a command and adds it to an array of violations if it is an input variable
+  def check_command(token)
+    # Initialise variables needed in while loop
+    rule_violations = []
+    current_token = token
+
+    # Iterate through tokens in command
+    while current_token.type != :NEWLINE
+      # Check if token is a varibale and if it is parameterised
+      rule_violations.append(current_token.next_code_token) if interpolated?(current_token)
+      current_token = current_token.next_token
+    end
+
+    rule_violations
+  end
+
+  # A command is parameterised if its args are placed in an array
+  # This function checks if the current token is a :FARROW and if so, if it is followed by an LBRACK
+  def parameterised?(token)
+    current_token = token
+    while current_token.type != :NEWLINE
+      return true if current_token.type == :FARROW && current_token.next_token.next_token.type == :LBRACK
+
+      current_token = current_token.next_token
+    end
+  end
+
+  # This function is a replacement for puppet_lint's title_tokens function which assumes titles have single quotes
+  # This function adds a check for titles in double quotes where there could be interpolated variables
+  def get_exec_titles
+    result = []
+    tokens.each_with_index do |_token, token_idx|
+      next if tokens[token_idx].value != 'exec'
+
+      # We have a resource declaration. Now find the title
+      tokens_array = []
+      # Check if title is an array
+      if tokens[token_idx]&.next_code_token&.next_code_token&.type == :LBRACK
+        # Get the start and end indices of the array of titles
+        array_start_idx = tokens.rindex { |r| r.type == :LBRACK }
+        array_end_idx = tokens.rindex { |r| r.type == :RBRACK }
+
+        # Grab everything within the array
+        title_array_tokens = tokens[(array_start_idx + 1)..(array_end_idx - 1)]
+        tokens_array.concat(title_array_tokens.reject do |token|
+          USELESS_CHARS.include?(token.type)
+        end)
+        result << tokens_array
+      # Check if title is double quotes string
+      elsif tokens[token_idx].next_code_token.next_code_token.type == :DQPRE
+        # Find the start and end of the title
+        title_start_idx = tokens.find_index(tokens[token_idx].next_code_token.next_code_token)
+        title_end_idx = title_start_idx + index_offset_for(':', tokens[title_start_idx..tokens.length])
+
+        result << tokens[title_start_idx..title_end_idx]
+      # Title is in single quotes
+      else
+        tokens_array.concat([tokens[token_idx].next_code_token.next_code_token])
+
+        result << tokens_array
+      end
+    end
+    result
+  end
+
+  def interpolated?(token)
+    INTERPOLATED_STRINGS.include?(token.type)
+  end
+
+  # Finds the index offset of the next instance of `value` in `tokens_slice` from the original index
+  def index_offset_for(value, tokens_slice)
+    tokens_slice.each_with_index do |token, i|
+      return i if value.include?(token.value)
+    end
+  end
+end

data/lib/puppet-lint/version.rb

@@ -1,3 +1,3 @@
 class PuppetLint
-  VERSION = '4.0.1'.freeze
+  VERSION = '4.1.0'.freeze
 end

data/spec/unit/puppet-lint/plugins/check_unsafe_interpolations/check_unsafe_interpolations_spec.rb

@@ -0,0 +1,186 @@
+require 'spec_helper'
+
+describe 'check_unsafe_interpolations' do
+  let(:msg) { "unsafe interpolation of variable 'foo' in exec command" }
+
+  context 'with fix disabled' do
+    context 'exec with unsafe interpolation in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => "echo ${foo}",
+          }
+
+        }
+        PUPPET
+      end
+
+      it 'detects an unsafe exec command argument' do
+        expect(problems).to have(1).problems
+      end
+
+      it 'creates one warning' do
+        expect(problems).to contain_warning(msg)
+      end
+    end
+
+    context 'exec with multiple unsafe interpolations in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => "echo ${foo} ${bar}",
+          }
+
+        }
+        PUPPET
+      end
+
+      it 'detects multiple unsafe exec command arguments' do
+        expect(problems).to have(2).problems
+      end
+
+      it 'creates two warnings' do
+        expect(problems).to contain_warning(msg)
+        expect(problems).to contain_warning(msg)
+      end
+    end
+
+    context 'code that uses title with unsafe string as command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { "echo ${foo}": }
+
+        }
+        PUPPET
+      end
+
+      it 'detects one problem' do
+        expect(problems).to have(1).problems
+      end
+
+      it 'creates one warning' do
+        expect(problems).to contain_warning(msg)
+      end
+    end
+
+    context 'exec with a safe string in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => "echo foo",
+          }
+
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+    context 'exec that has an array of args in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => ['echo', $foo],
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+    context 'exec that has an array of args in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { ["foo", "bar", "baz"]:
+            command => echo qux,
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+    context 'file resource' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+          file { '/etc/bar':
+            ensure  => file,
+            backup  => false,
+            content => $baz,
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+    context 'file resource and an exec with unsafe interpolation in command' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+          file { '/etc/bar':
+            ensure  => file,
+            backup  => false,
+            content => $baz,
+          }
+
+          exec { 'qux':
+            command => "echo ${foo}",
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects one problem' do
+        expect(problems).to have(1).problems
+      end
+    end
+
+    context 'case statement and an exec' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+          case bar {
+            baz : {
+              echo qux
+            }
+          }
+
+          exec { 'foo':
+            command => "echo bar",
+          }
+        }
+        PUPPET
+      end
+
+      it 'detects zero problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: puppet-lint
 version: !ruby/object:Gem::Version
-  version: 4.0.1
+  version: 4.1.0
 platform: ruby
 authors:
 - Tim Sharpe
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-07-31 00:00:00.000000000 Z
+date: 2023-08-25 00:00:00.000000000 Z
 dependencies: []
 description: "    Checks your Puppet manifests against the Puppetlabs style guide
   and alerts you to any discrepancies.\n"
@@ -66,6 +66,7 @@ files:
 - lib/puppet-lint/plugins/check_strings/quoted_booleans.rb
 - lib/puppet-lint/plugins/check_strings/single_quote_string_with_variables.rb
 - lib/puppet-lint/plugins/check_strings/variables_not_enclosed.rb
+- lib/puppet-lint/plugins/check_unsafe_interpolations/check_unsafe_interpolations.rb
 - lib/puppet-lint/plugins/check_variables/variable_contains_dash.rb
 - lib/puppet-lint/plugins/check_variables/variable_is_lowercase.rb
 - lib/puppet-lint/plugins/check_whitespace/140chars.rb
@@ -139,6 +140,7 @@ files:
 - spec/unit/puppet-lint/plugins/check_strings/quoted_booleans_spec.rb
 - spec/unit/puppet-lint/plugins/check_strings/single_quote_string_with_variables_spec.rb
 - spec/unit/puppet-lint/plugins/check_strings/variables_not_enclosed_spec.rb
+- spec/unit/puppet-lint/plugins/check_unsafe_interpolations/check_unsafe_interpolations_spec.rb
 - spec/unit/puppet-lint/plugins/check_variables/variable_contains_dash_spec.rb
 - spec/unit/puppet-lint/plugins/check_variables/variable_is_lowercase_spec.rb
 - spec/unit/puppet-lint/plugins/check_whitespace/140chars_spec.rb