Merge pull request #414 from chef/nikhil/CHEF-3710-chef-vault-warning…

…-issue CHEF-3710-chef-vault warning message includes sensitive info
chef · Sep 25, 2024 · 8c1a478 · 8c1a478
2 parents 20e1e36 + e373856
commit 8c1a478
Show file tree

Hide file tree

Showing 7 changed files with 26 additions and 46 deletions.
diff --git a/.expeditor/verify.pipeline.yml b/.expeditor/verify.pipeline.yml
@@ -11,20 +11,6 @@ expeditor:
 
 steps:
 
-- label: run-specs-ruby-2.7
-  command:
-    - .expeditor/run_linux_tests.sh rake
-  expeditor:
-    executor:
-      docker:
-        image: ruby:2.7
-- label: run-specs-ruby-3.0
-  command:
-    - .expeditor/run_linux_tests.sh rake
-  expeditor:
-    executor:
-      docker:
-        image: ruby:3.0
 - label: run-specs-ruby-3.1
   command:
     - .expeditor/run_linux_tests.sh rake
@@ -33,21 +19,6 @@ steps:
       docker:
         image: ruby:3.1
 
-- label: run-specs-ruby-3.0-windows
-  command:
-    - .expeditor/run_windows_tests.ps1
-  expeditor:
-    executor:
-      docker:
-        host_os: windows
-        shell: ["powershell", "-Command"]
-        image: rubydistros/windows-2019:3.0
-        user: 'NT AUTHORITY\SYSTEM'
-        environment:
-          - FORCE_FFI_YAJL=ext
-          - EXPIRE_CACHE=true
-          - CHEF_LICENSE=accept-no-persist
-
 - label: run-specs-ruby-3.1-windows
   command:
     - .expeditor/run_windows_tests.ps1

diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -15,10 +15,10 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       - uses: actions/checkout@v2
-      - name: Set up ruby 2.7
+      - name: Set up ruby 3.1
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 2.7
+          ruby-version: 3.1
           bundler-cache: true
       - name: run specs
         run: bundle exec rake spec --trace
@@ -27,5 +27,4 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           failedThreshold: 90
-          resultPath: coverage/.last_run.json 
-
+          resultPath: coverage/.last_run.json
diff --git a/Gemfile b/Gemfile
@@ -15,11 +15,11 @@ group :development do
   else
     gem "contracts", "~> 0.17"
     gem "chef-zero", ">= 15.0.4"
-    gem "chef", "~> 17.0"
+    gem "chef", ">= 18.5.0"
     gem "rspec", "~> 3.0"
     gem "aruba", "~> 2.2"
-    gem "knife", "~> 17.0"
-    gem "chef-utils", "17.10.68" # pin until we drop ruby >=3
+    gem "knife", "~> 18.0"
+    gem "chef-utils", ">= 18.5.0" # pin until we drop ruby >=3
   end
 end
 

diff --git a/Rakefile b/Rakefile
@@ -1,6 +1,6 @@
 require "bundler/gem_tasks"
 
-WINDOWS_PLATFORM = %w{ x64-mingw32 x64-mingw-ucrt ruby }.freeze
+WINDOWS_PLATFORM = /mswin|win32|mingw/.freeze unless defined? WINDOWS_PLATFORM
 
 # Style Tests
 begin

diff --git a/chef-vault.gemspec b/chef-vault.gemspec
@@ -31,5 +31,5 @@ Gem::Specification.new do |s|
   s.bindir           = "bin"
   s.executables      = %w{ chef-vault }
 
-  s.required_ruby_version = ">= 2.7"
+  s.required_ruby_version = ">= 3.1"
 end
diff --git a/lib/chef/knife/mixin/helper.rb b/lib/chef/knife/mixin/helper.rb
@@ -49,16 +49,26 @@ def values_from_json(json)
       # Raises `InvalidValue` if any of the json's values contain non-printable characters.
       def validate_json(json)
         begin
-          evaled_json = eval(json) # rubocop: disable Security/Eval
-        rescue SyntaxError
+          parsed_json = JSON.parse(json)
+        rescue JSON::ParserError
           raise ChefVault::Exceptions::InvalidValue, "#{json} is not valid JSON!"
         end
 
-        if evaled_json.is_a?(Hash)
-          evaled_json.each do |key, value|
-            next unless printable?(value.to_s)
+        check_value(parsed_json) # Start checking from the root of the parsed JSON
+      end
+
+      def check_value(value, parent_key = nil)
+        if value.is_a?(Array)
+          value.each { |item| check_value(item, parent_key) }
+        elsif value.is_a?(Hash)
+          value.each do |key, nested_value|
+            next if key == "password" # Skip the password key
 
-            msg = "Value '#{value}' of key '#{key}' contains non-printable characters. Check that backslashes are escaped with another backslash (e.g. C:\\\\Windows) in double-quoted strings."
+            check_value(nested_value, key)
+          end
+        else
+          unless printable?(value.to_s)
+            msg = "Value '#{value}' of key '#{parent_key}' contains non-printable characters."
             ChefVault::Log.warn(msg)
           end
         end
@@ -69,7 +79,7 @@ def validate_json(json)
       # returns true if string is free of non-printable characters (escape sequences)
       # this returns false for whitespace escape sequences as well, e.g. \n\t
       def printable?(string)
-        /[^[:print:]]|[[:space:]]/.match(string)
+        !/[[:^print:]]/.match?(string) # Returns true if the string is printable
       end
     end
   end

diff --git a/spec/chef/helper_spec.rb b/spec/chef/helper_spec.rb
@@ -20,7 +20,7 @@
     it "not to raise error if data consist of tab/new line OR space" do
       %w{abc\tabc abc\nabc}.each do |pass|
         json_data_with_slash = json.merge("password": pass)
-        expect { validate_json(json_data_with_slash.to_s) }.to_not raise_error
+        expect { validate_json(json_data_with_slash.to_json) }.to_not raise_error
       end
     end
   end