New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
repoquery: Properly sanitize queryformat strings #1861
Conversation
'buildtime', 'size', 'downloadsize', 'installsize', | ||
'provides', 'requires', 'obsoletes', 'conflicts', | ||
'sourcerpm', 'description', 'summary', 'license', 'url', | ||
'reason') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now the list is in two places - ALLOWED_QUERY_TAGS
and QUERY_TAGS
. Could one of them be somehow generated from the other?
What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Definitely. Something like (
diff --git a/dnf/cli/commands/repoquery.py b/dnf/cli/commands/repoquery.py
index 098ee836..83023aca 100644
--- a/dnf/cli/commands/repoquery.py
+++ b/dnf/cli/commands/repoquery.py
@@ -443,7 +443,7 @@ class RepoQueryCommand(commands.Command):
def run(self):
if self.opts.querytags:
- print(QUERY_TAGS)
+ print("\n".join(ALLOWED_QUERY_TAGS))
return
self.cli._populate_update_security_filter(self.opts)
) would work. I just noticed that QUERY_TAGS
was formatted in a rather specific way and thought it might better to keep it that way. Are you okay with the above solution?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It prints almost 30 lines of output which seems too much to me. Maybe wrapping it using textwrap module? It creates almost identical output like original code:
print('\n'.join(textwrap.wrap(', '.join(ALLOWED_QUERY_TAGS))))
Or generate it the other way round? ALLOWED_QUERY_TAGS = QUERY_TAGS.replace('\n', ' ').split(', ')
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think printing each on its own line is nice. It mirrors that behavior of rpm --querytags
and makes it easy to grep
for a field name. Otherwise, I think your first solution is better than generating it the other way around.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK then, let's go with "rpm compatible" solution then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See bb69114
EDIT: I force pushed to fix a commit message typo and thus there's a new commit hash
Also the failing unit test Lines 130 to 137 in 45a06f9
AttributeError exception any more.
|
I've improved the unit tests in d2e3593 |
Previously, dnf repoquery --qf allowed looking up arbitrary attributes of the dnf.package.Package objects in the query and e.g. the current Base via the .base attribute. This checks that %{FOO} is a valid query string as per `dnf repoquery --querytags`. If it isn't, rpm2py_format will leave a literal "%{FOO}". Before: ``` console $ dnf repoquery dnf --qf='%{base}' --latest=1 --arch=noarch -q <dnf.cli.cli.BaseCli object at ...> ``` After: ``` console $ dnf repoquery dnf --qf='%{base}' --latest=1 --arch=noarch -q %{base} ``` = changelog = msg: repoquery: Properly sanitize queryformat strings type: bugfix resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2140884
- Use PackageWrapper() with rpm2py_format like the actual code does - Add better testing for illegal/nonexistent attributes.
See rpm-software-management/dnf#1861 for details about the output change.
Thank you for the patch. The test of |
See rpm-software-management/dnf#1861 for details about the output change.
Follow-up to this in #1922. |
Previously, dnf repoquery --qf allowed looking up arbitrary attributes of the dnf.package.Package objects in the query and e.g. the current Base via the .base attribute. This checks that %{FOO} is a valid query string as per
dnf repoquery --querytags
. If it isn't, rpm2py_format will leave a literal "%{FOO}".Before:
After:
= changelog =
msg: repoqury: Properly sanitize queryformat strings
type: bugfix
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2140884