Fix config.read_encrypted_secrets deprecation warning quoting #51739
@@ -350,14 +350,13 @@ def enable_reloading=(value) | |||
end | |||
|
|||
def read_encrypted_secrets | |||
Rails.deprecator.warn(`config.read_encrypted_secrets is deprecated and will be removed in Rails 7.3.`) | |||
Rails.deprecator.warn("config.read_encrypted_secrets is deprecated and will be removed in Rails 7.3.") |
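Review bot: no test accompanies the corrected warn call in read_encrypted_secrets, so nothing would catch the same slip again. The removed line passed a backtick literal, which Ruby evaluates as a shell command and replaces with its output, so the intended text never reached the deprecator. Suggest a test that calls config.read_encrypted_secrets inside assert_deprecated with the expected message, pinning down the double-quoted string on the added line.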
Rails.deprecator.warn("config.read_encrypted_secrets is deprecated and will be removed in Rails 7.3.") | |
Rails.deprecator.warn("`config.read_encrypted_secrets` is deprecated and will be removed in Rails 7.3.") |
We can highlight config.read_encrypted_secrets as a code snippet
See my review comment, I think the community consensus is against backquotes in error/warning messages.
Replaced backquotes with single quotes
end | ||
|
||
def read_encrypted_secrets=(value) | ||
Rails.deprecator.warn(`config.read_encrypted_secrets is deprecated and will be removed in Rails 7.3.`) | ||
Rails.deprecator.warn("config.read_encrypted_secrets is deprecated and will be removed in Rails 7.3.") |
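Review bot: in read_encrypted_secrets=(value) the added message names config.read_encrypted_secrets, the reader, although the call that triggers this warning is the writer. Consider naming config.read_encrypted_secrets= here so the warning matches what the application's configuration actually calls and can be told apart from the getter's warning in logs.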
Rails.deprecator.warn("config.read_encrypted_secrets is deprecated and will be removed in Rails 7.3.") | |
Rails.deprecator.warn("`config.read_encrypted_secrets` is deprecated and will be removed in Rails 7.3.") |
Thanks! Applied separately to keep it a single-commit PR
9ee9a04 to fbd4955
end | ||
|
||
def read_encrypted_secrets=(value) | ||
Rails.deprecator.warn(`config.read_encrypted_secrets is deprecated and will be removed in Rails 7.3.`) | ||
Rails.deprecator.warn("`config.read_encrypted_secrets=` is deprecated and will be removed in Rails 7.3.") |
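Review bot: the added line in read_encrypted_secrets=(value) keeps a backquote pair, now inside the double-quoted message. Ruby treats them as plain characters there, but the removed line directly above shows how little separates that from a command literal, and the pair invites the same mistake on the next edit. Single quotes around config.read_encrypted_secrets= would mark the name just as well.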
Rails.deprecator.warn("`config.read_encrypted_secrets=` is deprecated and will be removed in Rails 7.3.") | |
Rails.deprecator.warn("`config.read_encrypted_secrets` is deprecated and will be removed in Rails 7.3.") |
typo?
I was not sure if config.read_encrypted_secrets (without =) was intentional in this case, since actually config.read_encrypted_secrets= is called. Do you think warning with config.read_encrypted_secrets in both cases is more appropriate?
I think keeping the = in this case is reasonable.
I think the backquotes should be removed entirely or replaced with single-quotes.
There was a recent ruby-core discussion about error messages and the consensus was that backticks in messages often confuse parsers (e.g., markdown) when pasted into forums and other sites: https://bugs.ruby-lang.org/issues/16495#note-32
Commit 0c76f17 deprecated `Rails::Application::Configuration#read_encrypted_secrets` but, surprisingly, deprecation used backticks instead of normal quoting.
fbd4955 to f36ad6a
Note that I've opened a PR with a related rubocop style cop enabled: #51741
Thanks @flavorjones for sharing this
PR rails#49624 contained commit 0c76f17 which mistakenly used backticks instead of normal string quotes. This is easy to miss, but risks introducing a security vulnerability into the codebase. Forcing the use of `%x()` should make it more obvious visually where the command literals are. See related rails#51739
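An added example, not code from this PR or from Rails: the commit message above is about making command literals visible, and Ruby's standard Ripper lexer can list them in source text without running anything. The sample source and the names `command_literals`, `suspicious` and `CommandLiteral` are constructed for this illustration.

```ruby
require "ripper"

# Constructed sample source: the deprecation call with a backtick literal,
# the corrected call, and an explicit %x() literal. It is lexed, never run.
SAMPLE = <<~'RUBY'
  def read_encrypted_secrets
    Rails.deprecator.warn(`config.read_encrypted_secrets is deprecated and will be removed in Rails 7.3.`)
  end

  def read_encrypted_secrets=(value)
    Rails.deprecator.warn("'config.read_encrypted_secrets=' is deprecated and will be removed in Rails 7.3.")
  end

  def revision
    %x(git rev-parse HEAD) # a `backtick` in a comment is not a literal
  end
RUBY

CommandLiteral = Struct.new(:line, :style, :text)

# Returns every command literal in +source+. Ripper reports the opening of
# both the backtick form and %x() as :on_backtick, so strings and comments
# that merely contain a backtick character are not reported.
# Simplification: interpolation inside a literal is not reassembled.
def command_literals(source)
  found = []
  current = nil
  Ripper.lex(source).each do |(line, _col), type, token, _state|
    case type
    when :on_backtick
      style = token.start_with?("%x") ? :percent_x : :backtick
      current = CommandLiteral.new(line, style, +"")
    when :on_tstring_content
      current.text << token if current
    when :on_tstring_end
      found << current if current
      current = nil
    end
  end
  found
end

# Bare-backtick literals are the ones easy to mistake for quoting.
def suspicious(source)
  command_literals(source).select { |lit| lit.style == :backtick }
end

if $PROGRAM_NAME == __FILE__
  suspicious(SAMPLE).each { |lit| puts "line #{lit.line}: #{lit.text}" }
end
```
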
Motivation / Background
This commit deprecated config.read_encrypted_secrets but, surprisingly, deprecation used back-ticks instead of normal quoting (which leads to executing string payload via shell).
Detail
If I'm not missing anything, normal quotes should be used.
Additional information
After fix it works as expected: