(maint) Codebase Hardening #1366

Merged
merged 1 commit into from
Oct 11, 2022

Conversation

david22swan
Member

@david22swan david22swan commented Sep 13, 2022

Changes made to ensure that no malformed commands are passed through to the system.
Certain commands were left undivided as the commands did not get correctly interpreted.

@david22swan david22swan requested a review from a team as a code owner September 13, 2022 08:28
@puppet-community-rangefinder

postgresql::server::config is a class

that may have no external impact to Forge modules.

postgresql::server::config_entry is a type

Breaking changes to this file WILL impact these 6 modules (exact match):
Breaking changes to this file MAY impact these 1 modules (near match):

postgresql::server::passwd is a class

that may have no external impact to Forge modules.

postgresql::validate_db_connection is a type

Breaking changes to this file WILL impact these 3 modules (exact match):
Breaking changes to this file MAY impact these 2 modules (near match):

This module is declared in 70 of 579 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@david22swan david22swan force-pushed the maint/codebase_hardening branch 2 times, most recently from 645d67f to 84c3974 September 13, 2022 09:05
@david22swan david22swan reopened this Sep 13, 2022
@david22swan david22swan force-pushed the maint/codebase_hardening branch from 84c3974 to 9a9dbee September 13, 2022 09:15
@david22swan david22swan force-pushed the maint/codebase_hardening branch from 9a9dbee to fbe87d1 September 13, 2022 09:43
@david22swan david22swan reopened this Sep 13, 2022
@david22swan david22swan force-pushed the maint/codebase_hardening branch 2 times, most recently from 780e311 to f2835a8 September 13, 2022 10:13
Collaborator

@ekohl ekohl left a comment

It surprises me that you need to escape values when passing as an array. In most programming languages the array is passed straight to the invocation, without any shell involved. Doesn't Puppet do this natively? If not, why are command arrays even implemented in the first place?

@david22swan david22swan force-pushed the maint/codebase_hardening branch 3 times, most recently from cb79720 to f2725cb September 13, 2022 11:12
@david22swan david22swan force-pushed the maint/codebase_hardening branch 2 times, most recently from 99fc479 to a315ede September 13, 2022 13:34
@david22swan david22swan force-pushed the maint/codebase_hardening branch from a315ede to 2fe8863 September 13, 2022 15:26
@david22swan
Member Author

Not sure where these 6 failures are coming from?

@david22swan david22swan force-pushed the maint/codebase_hardening branch from 2fe8863 to 922cd64 September 14, 2022 08:53
@david22swan david22swan force-pushed the maint/codebase_hardening branch 2 times, most recently from cf1f282 to 800c292 September 14, 2022 15:03
@david22swan david22swan force-pushed the maint/codebase_hardening branch from 800c292 to 7767658 October 7, 2022 16:13
Changes made to ensure that no malformed commands are passed through to the system.
Certain commands were left undivided as the commands did not get correctly interpreted and so a shell_escape was used instead.
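The two situations this thread is about, ekohl's point that an array command needs no escaping because no shell ever parses it, and the commit message's point that some commands had to stay as a single string and be protected with shell_escape instead, are shown below in an added Ruby example. It is not code from the puppetlabs-postgresql module or from this PR. It uses Ruby's Open3 as a stand-in for launching an exec command, `Shellwords.escape` because that is the routine stdlib's shell_escape() wraps, and assumes a POSIX `sh`, `echo` and `tr` on PATH. The hostile value is constructed for the demonstration.

```ruby
require 'open3'
require 'shellwords'

# Constructed sample value: the kind of thing a manifest interpolates into an
# exec command (a database or role name) when it happens to carry shell
# metacharacters.
HOSTILE_NAME = 'prod; echo INJECTED'

# A string command with the value interpolated as-is and run through sh -c.
# The `;` terminates echo and starts a second command nobody wrote.
def run_string_unescaped(name)
  out, _status = Open3.capture2('/bin/sh', '-c', "echo db=#{name}")
  out.lines.map(&:chomp)
end

# The same string command, but the value goes through Shellwords.escape first
# (what stdlib's shell_escape() does): every metacharacter is backslash-escaped
# so the shell delivers the whole value to echo as one argument.
def run_string_escaped(name)
  out, _status = Open3.capture2('/bin/sh', '-c', "echo db=#{Shellwords.escape(name)}")
  out.lines.map(&:chomp)
end

# Array form: argv is handed to execve(2) directly. No shell tokenises it, so
# there is nothing to escape and the `;` is just part of the argument.
def run_argv(name)
  out, _status = Open3.capture2('echo', "db=#{name}")
  out.lines.map(&:chomp)
end

# The flip side, and why some commands in this PR stayed as strings: a pipeline
# only exists if a shell parses it. In array form the `|` is a literal argument.
def pipeline_as_argv
  out, _status = Open3.capture2('echo', 'hello', '|', 'tr', 'a-z', 'A-Z')
  out.chomp
end

# A pipeline that must go through a shell, with the untrusted value escaped so
# it cannot break out of its argument position.
def pipeline_as_string(name)
  out, _status = Open3.capture2('/bin/sh', '-c', "echo #{Shellwords.escape(name)} | tr a-z A-Z")
  out.chomp
end

if __FILE__ == $PROGRAM_NAME
  p run_string_unescaped(HOSTILE_NAME)  # ["db=prod", "INJECTED"]
  p run_string_escaped(HOSTILE_NAME)    # ["db=prod; echo INJECTED"]
  p run_argv(HOSTILE_NAME)              # ["db=prod; echo INJECTED"]
  p pipeline_as_argv                    # "hello | tr a-z A-Z"
  p pipeline_as_string(HOSTILE_NAME)    # "PROD; ECHO INJECTED"
end
```

The rule that falls out of this: prefer the array form wherever the command is a single program with arguments, and reach for shell_escape only where the command string genuinely needs shell features such as pipes or redirections, escaping every interpolated value in that string.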
@david22swan david22swan force-pushed the maint/codebase_hardening branch from 7767658 to ab7a695 October 7, 2022 16:28
@david22swan
Member Author

Spec test failures replicated on main branch

@LukasAud LukasAud merged commit 6bad26d into puppetlabs:main Oct 11, 2022
3 participants