On 8 June 2017 at 11:49, John D. Ament <[email protected]> wrote:
> The whole path seems a bit weird to me. I'm not 100% sure why it even
> detects it as a possibly tainted value since the podling's information
> should have been read externally rather than from the request.
If it cannot be insecure, then just unconditionally taint.

For example, __FILE__ should be safe to untaint without needing to check.

However if there is a possibility that the value is unsecure, only untaint if it is OK, and stop processing otherwise.

If you don't expect the value to be insecure, but are not sure, just throw an exception with the details:

raise ArgumentError, 'unexpected value ...'

Or return some kind of error message as the yaml so the PPMC can fix the issue.

> On Thu, Jun 8, 2017 at 6:38 AM sebb <[email protected]> wrote:
>
>> On 8 June 2017 at 11:28, <[email protected]> wrote:
>> > This is an automated email from the ASF dual-hosted git repository.
>> >
>> > johndament pushed a commit to branch master
>> > in repository https://gitbox.apache.org/repos/asf/whimsy.git
>> >
>> >
>> > The following commit(s) were added to refs/heads/master by this push:
>> > new 61bf3db Check for clean resources.
>> > 61bf3db is described below
>> >
>> > commit 61bf3db86b73122d9e014e98f9624db05104b925
>> > Author: John D. Ament <[email protected]>
>> > AuthorDate: Thu Jun 8 06:28:49 2017 -0400
>> >
>> > Check for clean resources.
>> > ---
>> > lib/whimsy/asf/podlings.rb | 1 +
>> > 1 file changed, 1 insertion(+)
>> >
>> > diff --git a/lib/whimsy/asf/podlings.rb b/lib/whimsy/asf/podlings.rb
>> > index 408d3e2..1a3aae2 100644
>> > --- a/lib/whimsy/asf/podlings.rb
>> > +++ b/lib/whimsy/asf/podlings.rb
>> > @@ -209,6 +209,7 @@ module ASF
>> > end
>> >
>> > def podlingStatus
>> > + @resource.untaint if @resource =~ /\A\w+\Z/
>> > incubator_content = ASF::SVN['asf/incubator/public/trunk/content']
>> > resource_yml = "#{incubator_content}/podlings/#{@resource}.yml"
>>
>> Don't you need to handle the case where the resource cannot be untainted?
>>
>> > if File.exist?(resource_yml)
>> >
>> > --
>> > To stop receiving notification emails like this one, please contact
>> > ['"[email protected]" <[email protected]>'].
>>
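Review bot: the added line in podlingStatus only untaints on a match; when @resource does not match /\A\w+\Z/ it is left tainted and the method carries on to build resource_yml from it and hand that path to File.exist?, so there is no branch that stops processing for a bad value. Consider failing explicitly on the non-matching case, e.g. `raise ArgumentError, "unexpected podling resource: #{@resource}"` placed before the incubator_content line, so the caller gets a clear error instead of a later taint failure. Separately, \Z in Ruby also matches just before a trailing newline, so a value ending in "\n" would still satisfy the check and be untainted; \z anchors at the true end of the string and is the safer choice for a whitelist of this kind.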
