-
-
Notifications
You must be signed in to change notification settings - Fork 252
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
do not allow EnvironmentVariableAccess in initializers #1229
Conversation
|
Hmmm... Guess I was a bit too quick. How about we limit the include to
Would that be an option? |
I have left two comments. Can you update these and squash the commits? |
Updated, squashed, and added specs for the new cases 👍 |
Thanks! |
I'm confused: With this rule enabled, how can a Rails app read env vars at all? E.g., in my initializers, I A couple people (or maybe just one person?) has said that the Rails configuration lib can read env vars and check them at boot time. But no one has provided code showing this, so the rule was set disabled by default. I'm skeptical the lib does this: I couldn't find mention of this check-env-var-at-boot feature in the Guide. In a nutshell, this rule seemed to be on shaky ground before this change. And now that all initializers are off-limits to |
From the PR description:
So what you can do is # In config/slack.yml
default: &default
client_id: <%= ENV["SLACK_CLIENT_ID"] %>
client_secret: <%= ENV["SLACK_CLIENT_SECRET"] %> # In application.rb
module MyApp
class Application
config.slack = config_for(:slack)
end
end
# In rest of the app
Rails.application.config.slack.client_id Similarly, secrets should be in # In config/credentials.yml.enc
secret_key_base: 3b7cd72...
some_api_key: SOMEKEY
system:
access_key_id: 1234AB You can do # In rest of the app
Rails.application.secrets.some_api_key
Rails.application.secrets.system.access_key_id That way
If you cannot or don't want to use the Rails secrets/credential mechanisms for whatever reason (we don't), you can put everything in Hope that helps! |
Thanks @markokajzer. So if I understand it correctly, under this rule, |
The description of the cop states
Do not access ENV directly after initialization.
. However in some ways, the application is already initialized when we get toconfig/**/*.rb
:config_for(:service)
is already available to read config fromservice.yml
Rails.application.credentials
is already available to read application credentials / secretsI think it could make sense to push people to move their config in either of these two places. If they want to access their config / secrets in a Ruby file, let's say,
config/initializers/service.rb
they can usecredentials
orconfig_for
, no need to accessENV
directly again.Also see https://guides.rubyonrails.org/initialization.html.
I understand this is a bit nuanced, so if this is not desired, that's completely fine ✌️
Before submitting the PR make sure the following are checked:
Commit message starts with[Fix #issue-number]
(if the related issue exists).master
(if not - rebase it).bundle exec rake default
. It executes all tests and runs RuboCop on its own code.{change_type}_{change_description}.md
if the new code introduces user-observable changes. See changelog entry format for details.If this is a new cop, consider making a corresponding update to the Rails Style Guide.