E208: Added MissingFilePermissionsRule #943
recheck
New tests mustn't use unittest.
test/conftest.py
Outdated
def rule_runner(request): | ||
"""Return runner for a specific rule class.""" | ||
rule_name = request.param | ||
module = import_module(f"ansiblelint.rules.{rule_name}") |
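Review bot: the docstring on rule_runner does not say that request.param has to be the name of a module under ansiblelint.rules, which the import_module(f"ansiblelint.rules.{rule_name}") line depends on. State that in the docstring, or have tests pass the rule class itself, so that a misspelled name fails at import time in the test module rather than during fixture setup.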
I don't think that imports should be delegated to the fixture.
That is only for internal use and not doing that would make its use much more complex, especially if we start to migrate tests to reuse the runner. The whole point of this fixture was to avoid the old repeating setUp code.
Import errors should be happening in the test modules, not in the middle of the machinery.
Makes missing file permissions a linting error in order to proactively detect security issues that were fixed via ansible/ansible#67794 at the expense of breaking usage that relied on default settings.
… by ansible Unfortunately, catastrophic and (IMHO) completely wrong changes which normal users don't expect, without enough discussions and notice to users using security as an excuse, looks merged into ansible upstream. To avoid accidents, we need to instruct ansible not to change the file permission mode *explicitly* as of now. See also the following: - ansible/ansible#71200 - ansible/ansible-lint#943
Makes missing file permissions a linting error in order to proactively detect security issues that were fixed via ansible/ansible#67794
While that was fixed in last Ansible hotfix, it changed default value and thus it has a high risk of breaking any usage without mode.
Related: ansible/ansible#71200
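The kind of check the description above calls for, as an added example that is not the code from this PR or from ansible-lint: it flags file-writing tasks that carry no explicit mode. The module list, the exemption for `state: absent` and `state: link`, and all function names are assumptions made for illustration; the tasks are constructed and shown as they would look after YAML parsing.

```python
# Added example, not ansible-lint's implementation of E208.
# Assumed set of modules that write files and accept a `mode` argument.
FILE_MODULES = {"copy", "file", "ini_file", "lineinfile", "replace",
                "template", "unarchive"}


def _module_and_args(task):
    """Return (short module name, args dict) for a parsed task, or (None, {})."""
    for key, value in task.items():
        short = key.rsplit(".", 1)[-1]  # ansible.builtin.copy -> copy
        if short not in FILE_MODULES:
            continue
        if isinstance(value, str):  # free-form: "src=a dest=b mode=0644"
            value = dict(p.split("=", 1) for p in value.split() if "=" in p)
        return short, (value or {})
    return None, {}


def missing_mode(tasks):
    """Return names of tasks that touch a file without an explicit mode."""
    findings = []
    for task in tasks:
        module, args = _module_and_args(task)
        if module is None or "mode" in args:
            continue
        # Assumption: removing a path or creating a symlink needs no mode.
        if module == "file" and args.get("state") in ("absent", "link"):
            continue
        findings.append(task.get("name", module))
    return findings


# Constructed sample tasks (already parsed from YAML).
SAMPLE_TASKS = [
    {"name": "write config", "copy": {"src": "app.conf", "dest": "/etc/app.conf"}},
    {"name": "write key",
     "ansible.builtin.copy": {"src": "k", "dest": "/etc/k", "mode": "0600"}},
    {"name": "remove tmp", "file": {"path": "/tmp/x", "state": "absent"}},
    {"name": "render unit", "template": "src=u.j2 dest=/etc/u.service"},
    {"name": "touch log", "file": "path=/var/log/app.log state=touch mode=0640"},
    {"name": "install pkg", "package": {"name": "nginx"}},
]

if __name__ == "__main__":
    for name in missing_mode(SAMPLE_TASKS):
        print(f"missing explicit mode: {name}")
```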