From 0e5798a9c147357cec65a083128c905f3b89a94a Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 24 Sep 2024 15:59:12 +0530 Subject: [PATCH 1/3] fixing the warning message for sensitive info in json like password Signed-off-by: nikhil2611 --- .expeditor/verify.pipeline.yml | 29 ----------------------------- .github/workflows/unit.yml | 7 +++---- Gemfile | 6 +++--- Rakefile | 2 +- chef-vault.gemspec | 2 +- lib/chef/knife/mixin/helper.rb | 23 ++++++++++++++++------- 6 files changed, 24 insertions(+), 45 deletions(-) diff --git a/.expeditor/verify.pipeline.yml b/.expeditor/verify.pipeline.yml index 4155273..53fa4a1 100644 --- a/.expeditor/verify.pipeline.yml +++ b/.expeditor/verify.pipeline.yml @@ -11,20 +11,6 @@ expeditor: steps: -- label: run-specs-ruby-2.7 - command: - - .expeditor/run_linux_tests.sh rake - expeditor: - executor: - docker: - image: ruby:2.7 -- label: run-specs-ruby-3.0 - command: - - .expeditor/run_linux_tests.sh rake - expeditor: - executor: - docker: - image: ruby:3.0 - label: run-specs-ruby-3.1 command: - .expeditor/run_linux_tests.sh rake @@ -33,21 +19,6 @@ steps: docker: image: ruby:3.1 -- label: run-specs-ruby-3.0-windows - command: - - .expeditor/run_windows_tests.ps1 - expeditor: - executor: - docker: - host_os: windows - shell: ["powershell", "-Command"] - image: rubydistros/windows-2019:3.0 - user: 'NT AUTHORITY\SYSTEM' - environment: - - FORCE_FFI_YAJL=ext - - EXPIRE_CACHE=true - - CHEF_LICENSE=accept-no-persist - - label: run-specs-ruby-3.1-windows command: - .expeditor/run_windows_tests.ps1 diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml index 90c43a6..60583e9 100644 --- a/.github/workflows/unit.yml +++ b/.github/workflows/unit.yml @@ -15,10 +15,10 @@ jobs: runs-on: ubuntu-18.04 steps: - uses: actions/checkout@v2 - - name: Set up ruby 2.7 + - name: Set up ruby 3.1 uses: ruby/setup-ruby@v1 with: - ruby-version: 2.7 + ruby-version: 3.1 bundler-cache: true - name: run specs run: bundle exec rake spec --trace 
@@ -27,5 +27,4 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} failedThreshold: 90 - resultPath: coverage/.last_run.json - + resultPath: coverage/.last_run.json diff --git a/Gemfile b/Gemfile index 089115f..c8defbb 100644 --- a/Gemfile +++ b/Gemfile @@ -15,11 +15,11 @@ group :development do else gem "contracts", "~> 0.17" gem "chef-zero", ">= 15.0.4" - gem "chef", "~> 17.0" + gem "chef", ">= 18.5.0" gem "rspec", "~> 3.0" gem "aruba", "~> 2.2" - gem "knife", "~> 17.0" - gem "chef-utils", "17.10.68" # pin until we drop ruby >=3 + gem "knife", "~> 18.0" + gem "chef-utils", ">= 18.5.0" # pin until we drop ruby >=3 end end diff --git a/Rakefile b/Rakefile index d234851..2a6a2f6 100644 --- a/Rakefile +++ b/Rakefile @@ -1,6 +1,6 @@ require "bundler/gem_tasks" -WINDOWS_PLATFORM = %w{ x64-mingw32 x64-mingw-ucrt ruby }.freeze +WINDOWS_PLATFORM = /mswin|win32|mingw/.freeze unless defined? WINDOWS_PLATFORM # Style Tests begin diff --git a/chef-vault.gemspec b/chef-vault.gemspec index 6bfeae6..4576e5a 100644 --- a/chef-vault.gemspec +++ b/chef-vault.gemspec @@ -31,5 +31,5 @@ Gem::Specification.new do |s| s.bindir = "bin" s.executables = %w{ chef-vault } - s.required_ruby_version = ">= 2.7" + s.required_ruby_version = ">= 3.1" end diff --git a/lib/chef/knife/mixin/helper.rb b/lib/chef/knife/mixin/helper.rb index 2654d32..dbde8e7 100644 --- a/lib/chef/knife/mixin/helper.rb +++ b/lib/chef/knife/mixin/helper.rb 
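Review bot: `WINDOWS_PLATFORM` changes from a frozen Array of platform names to a Regexp in the Rakefile hunk, so any use of the constant further down the file (outside this hunk) that relies on Array methods such as `include?` would now fail and should be checked against the new type. The `unless defined? WINDOWS_PLATFORM` guard also lets an earlier definition win silently, which could leave a value of the old type in place. A short comment stating what the pattern is compared with, for example `# matched against RUBY_PLATFORM to detect Windows` if that is the intent, would make the change easier to verify.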
@@ -49,16 +49,25 @@ def values_from_json(json) # Raises `InvalidValue` if any of the json's values contain non-printable characters. def validate_json(json) begin - evaled_json = eval(json) # rubocop: disable Security/Eval - rescue SyntaxError + parsed_json = JSON.parse(json) + rescue JSON::ParserError raise ChefVault::Exceptions::InvalidValue, "#{json} is not valid JSON!" end - if evaled_json.is_a?(Hash) - evaled_json.each do |key, value| - next unless printable?(value.to_s) + check_value(parsed_json) # Start checking from the root of the parsed JSON + end - msg = "Value '#{value}' of key '#{key}' contains non-printable characters. Check that backslashes are escaped with another backslash (e.g. C:\\\\Windows) in double-quoted strings." + def check_value(value, parent_key = nil) + if value.is_a?(Array) + value.each { |item| check_value(item, parent_key) } + elsif value.is_a?(Hash) + value.each do |key, nested_value| + next if key == 'password' # Skip the password key + check_value(nested_value, key) + end + else + unless printable?(value.to_s) + msg = "Value '#{value}' of key '#{parent_key}' contains non-printable characters." ChefVault::Log.warn(msg) end end @@ -69,7 +78,7 @@ def validate_json(json) # returns true if string is free of non-printable characters (escape sequences) # this returns false for whitespace escape sequences as well, e.g. \n\t def printable?(string) - /[^[:print:]]|[[:space:]]/.match(string) + !/[[:^print:]]/.match?(string) # Returns true if the string is printable end end end From aac4bd27807aa351a40478c152163101cce46bec Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 24 Sep 2024 16:27:47 +0530 Subject: [PATCH 2/3] fixing the test cases Signed-off-by: nikhil2611 --- spec/chef/helper_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/chef/helper_spec.rb b/spec/chef/helper_spec.rb index d1f4eb7..f1b7bc1 100644 --- a/spec/chef/helper_spec.rb +++ b/spec/chef/helper_spec.rb 
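Review bot: The warning built in `check_value` still interpolates the offending value, so a secret stored under any key other than the exact string `password` (for example `Password`, `token` or `api_key`) is written to the log when it contains a non-printable character. Naming only the key avoids that without a skip list: `msg = "Value of key '#{parent_key}' contains non-printable characters."`. The unchanged `raise` a few lines up has the same problem, since `"#{json} is not valid JSON!"` echoes the whole input when parsing fails; a fixed message without the payload would be safer. With the value gone from the message, the `next if key == 'password'` skip could be dropped so that a mangled password still produces a warning. `check_value` also lacks a doc comment, e.g. `# Recursively warns about non-printable values; parent_key names the enclosing hash key`.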
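Review bot: `printable?` now returns the opposite truth value from before: the old body returned a match (truthy) when a non-printable or whitespace character was found, while the new one returns `true` when none is found. `check_value` in this patch is written for the new meaning, but any other caller outside the visible hunks would be silently inverted and should be checked. The new pattern also stops flagging a plain space, which the old `[[:space:]]` alternative did; the comment above the method could say so, e.g. `# plain spaces are accepted; tabs and newlines are not`.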
@@ -20,7 +20,7 @@ it "not to raise error if data consist of tab/new line OR space" do %w{abc\tabc abc\nabc}.each do |pass| json_data_with_slash = json.merge("password": pass) - expect { validate_json(json_data_with_slash.to_s) }.to_not raise_error + expect { validate_json(json_data_with_slash.to_json) }.to_not raise_error end end end From e373856d92f02df17ac4952f409ce992769e1a8b Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 24 Sep 2024 16:47:22 +0530 Subject: [PATCH 3/3] cookstyle fixes Signed-off-by: nikhil2611 --- lib/chef/knife/mixin/helper.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/chef/knife/mixin/helper.rb b/lib/chef/knife/mixin/helper.rb index dbde8e7..daec93c 100644 --- a/lib/chef/knife/mixin/helper.rb +++ b/lib/chef/knife/mixin/helper.rb @@ -62,7 +62,8 @@ def check_value(value, parent_key = nil) value.each { |item| check_value(item, parent_key) } elsif value.is_a?(Hash) value.each do |key, nested_value| - next if key == 'password' # Skip the password key + next if key == "password" # Skip the password key + check_value(nested_value, key) end else
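Review bot: This example in `helper_spec.rb` no longer exercises the printable check, because the value is stored under `password`, which `check_value` skips, and the example asserts only that nothing is raised. A case that puts a control character under a different key and expects `ChefVault::Log` to receive `warn` would cover the new code, along with one for a nested hash or array and one asserting that a `password` value is never logged. Note also that `%w{abc\tabc abc\nabc}` yields a literal backslash followed by a letter rather than a tab or newline, so these inputs are printable in any case. The `json` fixture and the enclosing example group are defined outside the hunk.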