Posted to commits@whimsical.apache.org by se...@apache.org on 2020/10/03 14:18:37 UTC
[whimsy] branch master updated: More untainting
This is an automated email from the ASF dual-hosted git repository.
sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new 690dea3 More untainting
690dea3 is described below
commit 690dea3866b2a37b833beb8cefdb5f3d5c96b72c
Author: Sebb <se...@apache.org>
AuthorDate: Sat Oct 3 15:18:28 2020 +0100
More untainting
---
lib/whimsy/asf/agenda/summary.rb | 2 +-
tools/mboxhdr2csv.rb | 8 ++++----
www/board/agenda/views/actions/email.json.rb | 2 +-
www/board/agenda/views/actions/feedback.json.rb | 12 ++++++------
www/board/agenda/views/actions/remind-actions.json.rb | 6 +++---
www/board/agenda/views/actions/send-reminders.json.rb | 18 +++++++++---------
www/committers/tm-report.cgi | 8 ++++----
www/officers/surveys.cgi | 7 +++----
www/roster/views/actions/appgroup.json.rb | 2 +-
www/roster/views/actions/authgroup.json.rb | 4 ++--
www/roster/views/actions/committee.json.rb | 8 ++++----
www/roster/views/actions/memstat.json.rb | 16 ++++++++--------
www/roster/views/actions/nonpmc.json.rb | 8 ++++----
www/roster/views/actions/ppmc.json.rb | 12 ++++++------
www/roster/views/actions/service.json.rb | 4 ++--
www/secretary/workbench/models/message.rb | 12 ++++++------
www/secretary/workbench/personalize.rb | 6 +++---
17 files changed, 67 insertions(+), 68 deletions(-)
diff --git a/lib/whimsy/asf/agenda/summary.rb b/lib/whimsy/asf/agenda/summary.rb
index 1502034..6411674 100644
--- a/lib/whimsy/asf/agenda/summary.rb
+++ b/lib/whimsy/asf/agenda/summary.rb
@@ -40,7 +40,7 @@ class ASF::Board::Agenda
return summary
end
begin
- agenda = ASF::Board::Agenda.parse(File.read(fname.untaint))
+ agenda = ASF::Board::Agenda.parse(File.read(fname))
rescue StandardError => e
summary[ERRORS_KEY] = "ERROR(#{meeting}) Agenda parse error: #{e.message} #{e.backtrace[0]}"
return summary
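Review bot: Dropping `.untaint` on the new `File.read(fname)` line (and in every other hunk of this commit) is behaviour-neutral only on Ruby 2.7 or later, where `String#untaint` is a deprecated no-op; on an older interpreter running with a non-zero `$SAFE`, a tainted `fname` would now raise SecurityError at this read instead of being cleared. Since the commit is a pure cleanup, recording the assumption somewhere would help whoever later bisects such an error, e.g. a comment near the top of this file: `# untaint calls removed: assumes Ruby >= 2.7 (taint checking is a no-op)`. The enclosing method starts before the hunk.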
diff --git a/tools/mboxhdr2csv.rb b/tools/mboxhdr2csv.rb
index c43c4af..cd3bab5 100644
--- a/tools/mboxhdr2csv.rb
+++ b/tools/mboxhdr2csv.rb
@@ -184,7 +184,7 @@ module MailUtils
emails[TOOLS] = []
files.each do |email|
next if email.end_with? '/index'
- message = IO.read(email.untaint, mode: 'rb')
+ message = IO.read(email, mode: 'rb')
data = {}
data[DATE] = DateTime.parse(message[/^Date: (.*)/, 1]).iso8601
data[FROM] = message[/^From: (.*)/, 1]
@@ -362,8 +362,8 @@ module MboxUtils
# Side effect: writes out f.chomp(ext).json files
# @note writes string VERSION for differentiating from other *.json
def scan_dir_mbox2stats(dir, ext = MBOX_EXT)
- Dir["#{dir}/**/*#{ext}".untaint].sort.each do |f|
- mails, errs = mbox2stats(f.untaint)
+ Dir["#{dir}/**/*#{ext}"].sort.each do |f|
+ mails, errs = mbox2stats(f)
File.open("#{f.chomp(ext)}.json", "w") do |fout|
fout.puts JSON.pretty_generate(["#{VERSION}", mails, errs])
end
@@ -377,7 +377,7 @@ module MboxUtils
def scan_dir_stats2csv(dir, outname, ext = '.json')
errors = []
jzons = []
- Dir["#{dir}/**/*#{ext}".untaint].sort.each do |f|
+ Dir["#{dir}/**/*#{ext}"].sort.each do |f|
begin
tmp = JSON.parse(File.read(f))
if tmp[0].kind_of?(String) && tmp[0].start_with?(VERSION)
diff --git a/www/board/agenda/views/actions/email.json.rb b/www/board/agenda/views/actions/email.json.rb
index 5d208b5..b472c11 100644
--- a/www/board/agenda/views/actions/email.json.rb
+++ b/www/board/agenda/views/actions/email.json.rb
@@ -9,7 +9,7 @@ to, cc, subject, body = @to, @cc, @subject, @body
# construct from address
sender = ASF::Person.find(env.user)
-from = "#{sender.public_name.inspect} <#{...@apache.org>".untaint
+from = "#{sender.public_name.inspect} <#{...@apache.org>"
# construct email
mail = Mail.new do
diff --git a/www/board/agenda/views/actions/feedback.json.rb b/www/board/agenda/views/actions/feedback.json.rb
index 6432f36..dcc34ed 100644
--- a/www/board/agenda/views/actions/feedback.json.rb
+++ b/www/board/agenda/views/actions/feedback.json.rb
@@ -23,7 +23,7 @@ if @from
from = @from
else
sender = ASF::Person.find(env.user || ENV['USER'])
- from = "#{sender.public_name.inspect} <#{...@apache.org>".untaint
+ from = "#{sender.public_name.inspect} <#{...@apache.org>"
end
output = []
@@ -68,24 +68,24 @@ Agenda.parse(@agenda, :full).each do |item|
if item['mail_list']
if item[:attach] =~ /^[A-Z]+/
- cc << "private@#{item['mail_list']}.apache.org".untaint
+ cc << "private@#{item['mail_list']}.apache.org"
elsif item['mail_list'].include? '@'
- cc << item['mail_list'].untaint
+ cc << item['mail_list']
else
- cc << "#{item['mail_list']}@apache.org".untaint
+ cc << "#{item['mail_list']}@apache.org"
end
end
# construct email
mail = Mail.new do
from from
- to "#{item['owner']} <#{item['chair_email']}>".untaint
+ to "#{item['owner']} <#{item['chair_email']}>"
cc cc
bcc bcc
reply_to ['board@apache.org'] + cc
subject "Board feedback on #{date} #{item['title']} report"
- body text.strip.untaint
+ body text.strip
end
mail.deliver! unless @dryrun
diff --git a/www/board/agenda/views/actions/remind-actions.json.rb b/www/board/agenda/views/actions/remind-actions.json.rb
index 25c4089..d51f4a5 100644
--- a/www/board/agenda/views/actions/remind-actions.json.rb
+++ b/www/board/agenda/views/actions/remind-actions.json.rb
@@ -26,10 +26,10 @@ name_map.merge! people.
from = @from
unless from
sender = ASF::Person.find(env.user)
- from = "#{sender.public_name.inspect} <#{...@apache.org>".untaint
+ from = "#{sender.public_name.inspect} <#{...@apache.org>"
end
-template = File.read("#{FOUNDATION_BOARD}/templates/remind-action.erb").untaint
+template = File.read("#{FOUNDATION_BOARD}/templates/remind-action.erb")
# iterate over the action items
@actions.group_by {|action| action['owner']}.each do |owner, actions|
@@ -44,7 +44,7 @@ template = File.read("#{FOUNDATION_BOARD}/templates/remind-action.erb").untaint
# construct email
mail = Mail.new do
from from
- to "#{person.public_name} <#{...@apache.org>".untaint
+ to "#{person.public_name} <#{...@apache.org>"
bcc "board-private@apache.org"
subject 'Action Item reminder'
diff --git a/www/board/agenda/views/actions/send-reminders.json.rb b/www/board/agenda/views/actions/send-reminders.json.rb
index a738061..5610d89 100644
--- a/www/board/agenda/views/actions/send-reminders.json.rb
+++ b/www/board/agenda/views/actions/send-reminders.json.rb
@@ -11,7 +11,7 @@ unsent = []
from = @from
unless from
sender = ASF::Person.find(env.user)
- from = "#{sender.public_name.inspect} <#{...@apache.org>".untaint
+ from = "#{sender.public_name.inspect} <#{...@apache.org>"
end
# iterate over the agenda
@@ -44,29 +44,29 @@ Agenda.parse(@agenda, :full).each do |item|
}
# apply changes to both subject and the message text itself
- subject = Mustache.render(@subject.untaint, view)
- message = Mustache.render(@message.untaint, view)
+ subject = Mustache.render(@subject, view)
+ message = Mustache.render(@message, view)
# cc list
cclist = []
if item['mail_list']
if @selection == 'inactive'
- cclist << "dev@#{item['mail_list']}.apache.org".untaint
+ cclist << "dev@#{item['mail_list']}.apache.org"
elsif item[:attach] =~ /^[A-Z]+/
- cclist << "private@#{item['mail_list']}.apache.org".untaint
+ cclist << "private@#{item['mail_list']}.apache.org"
else
- cclist << "#{item['mail_list']}@apache.org".untaint
+ cclist << "#{item['mail_list']}@apache.org"
end
end
# construct email
mail = Mail.new do
from from
- to "#{item['owner']} <#{item['chair_email']}>".untaint
+ to "#{item['owner']} <#{item['chair_email']}>"
cc cclist unless cclist.empty?
- subject subject.untaint
+ subject subject
- body message.untaint
+ body message
end
# deliver mail
diff --git a/www/committers/tm-report.cgi b/www/committers/tm-report.cgi
index 207bbae..54faac0 100755
--- a/www/committers/tm-report.cgi
+++ b/www/committers/tm-report.cgi
@@ -193,11 +193,11 @@ end
# Mail this report and alert user
def send_form(formdata: {})
# Build the mail to be sent
- frm = formdata['reporteremail'].untaint
+ frm = formdata['reporteremail']
subject = "[FORM] Misuse Report about #{formdata['project']}"
pmc_list = ASF::Committee.find(formdata['project']).mail_list
- cc_list = ["private@#{pmc_list}.apache.org".untaint, frm]
- to_list = BRANDLIST.untaint
+ cc_list = ["private@#{pmc_list}.apache.org", frm]
+ to_list = BRANDLIST
if true # TESTING mode
to_list = "asf@shanecurcuru.org"
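Review bot: `frm = formdata['reporteremail']` on the new side is form input that becomes both the `from` address and an entry in `cc_list`; the taint flag was the only marker in this file that the value comes from the request, and the hunk shows no validation of it. If the caller of `send_form` does not already validate it, a shape check before use would keep that boundary explicit, e.g. `raise ArgumentError, 'invalid reporter email' unless frm.to_s.match?(/\A[^@\s]+@[^@\s]+\z/)` — the `Mail` gem's own header handling may make this redundant, which is not visible here. `send_form` continues past the hunk.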
@@ -207,7 +207,7 @@ def send_form(formdata: {})
ASF::Mail.configure
mail = Mail.new do
from frm
- return_path BRANDLIST.untaint
+ return_path BRANDLIST
to to_list
cc cc_list
end
diff --git a/www/officers/surveys.cgi b/www/officers/surveys.cgi
index 969c4c2..6540d02 100755
--- a/www/officers/surveys.cgi
+++ b/www/officers/surveys.cgi
@@ -61,7 +61,7 @@ end
# @param hash containing [SURVEY][FORM] => entire survey layout
def display_survey(survey_layout)
warning = false
- survey_file = get_survey_path(survey_layout[SURVEY][:datafile]).untaint
+ survey_file = get_survey_path(survey_layout[SURVEY][:datafile])
if survey_layout.has_key?(ERRORS)
display_alert(lead: 'Error: could not load survey layout!', body: "#{survey_layout[ERRORS]} Contact the survey owner: #{survey_layout[SURVEY][CONTACT]}.")
elsif File.file?(survey_file)
@@ -107,7 +107,7 @@ end
# Handle POST submission (checkout survey data, add user's submission, checkin file)
# @return true if we think it succeeded; false in all other cases
def submit_survey(formdata: {})
- filename = get_survey_path(formdata[:datafile]).untaint
+ filename = get_survey_path(formdata[:datafile])
formdata.delete(:datafile) # Remove before generating output
submission_data = JSON.pretty_generate(formdata) + "\n"
_div.well do
@@ -117,7 +117,6 @@ def submit_survey(formdata: {})
rc = 999 # Ensure it's a bogus value
Dir.mktmpdir do |tmpdir|
- tmpdir.untaint
ASF::SVN.svn_('checkout',[get_survey_root(), tmpdir],_,{depth: 'files', user: $USER, password: $PASSWORD})
survey_data = JSON.parse(File.read(filename), :symbolize_names => true)
@@ -178,7 +177,7 @@ def get_survey_layout(query)
data[PARAMS] = params
filename = get_survey_path(params['survey'])
begin
- data[SURVEY] = JSON.parse(File.read(filename.untaint), :symbolize_names => true) # TODO: Security, ensure user should have access
+ data[SURVEY] = JSON.parse(File.read(filename), :symbolize_names => true) # TODO: Security, ensure user should have access
rescue StandardError => e
data[ERRORS] = "**ERROR:#{__method__}(#{query}, #(unknown)) #{e.message}**\n\n #{e.backtrace.join("\n ")}"
end
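Review bot: With `.untaint` gone from `File.read(filename)` on the new line, nothing left in this file marks that `params['survey']` (the context line before `begin`) is request-controlled when `get_survey_path` turns it into a path, and the existing `TODO: Security` comment still stands. A containment check on the returned path — for example comparing `File.expand_path(filename)` against the survey root before the read — would document the boundary the taint flag used to mark; whether `get_survey_path` already does this cannot be seen here. The same observation applies to `display_survey` and `submit_survey` earlier in this file. `get_survey_layout` starts before the hunk.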
diff --git a/www/roster/views/actions/appgroup.json.rb b/www/roster/views/actions/appgroup.json.rb
index 1d5d310..fea7a68 100644
--- a/www/roster/views/actions/appgroup.json.rb
+++ b/www/roster/views/actions/appgroup.json.rb
@@ -25,7 +25,7 @@ if env.password
# construct email
mail = Mail.new do
- from "#{from.public_name} <#{...@apache.org>".untaint
+ from "#{from.public_name} <#{...@apache.org>"
to "root@apache.org"
subject "#{person.public_name} #{action} #{list}"
body "Current roster can be found at:\n\n" +
diff --git a/www/roster/views/actions/authgroup.json.rb b/www/roster/views/actions/authgroup.json.rb
index 618f359..0e25d09 100644
--- a/www/roster/views/actions/authgroup.json.rb
+++ b/www/roster/views/actions/authgroup.json.rb
@@ -28,7 +28,7 @@ if env.password
to << person unless to.include? person
to.delete from unless to.length == 1
to = to.map do |person|
- "#{person.public_name} <#{...@apache.org>".untaint
+ "#{person.public_name} <#{...@apache.org>"
end
# replace with sending to the private@pmc list if this is a pmc owned group
@@ -43,7 +43,7 @@ if env.password
# construct email
mail = Mail.new do
- from "#{from.public_name} <#{...@apache.org>".untaint
+ from "#{from.public_name} <#{...@apache.org>"
to to
bcc "root@apache.org"
subject "#{person.public_name} #{action} #{list}"
diff --git a/www/roster/views/actions/committee.json.rb b/www/roster/views/actions/committee.json.rb
index e05b5c6..9bd7c0e 100644
--- a/www/roster/views/actions/committee.json.rb
+++ b/www/roster/views/actions/committee.json.rb
@@ -37,7 +37,7 @@ if env.password
# update committee-info.txt
if @targets.include? 'info'
- message = "#{@project} #{@action == 'add' ? '+' : '-'}= #{who}".untaint
+ message = "#{@project} #{@action == 'add' ? '+' : '-'}= #{who}"
ASF::SVN.updateCI message, env do |contents|
contents = ASF::Committee.update_roster(contents, @project, people, @action)
contents
@@ -60,15 +60,15 @@ if env.password
details << "#{pmc.dn};attr=member" if @targets.include? 'commit'
cc = people.map do |person|
- "#{person.public_name.inspect} <#{...@apache.org>".untaint
+ "#{person.public_name.inspect} <#{...@apache.org>"
end
from = ASF::Person.find(env.user)
# draft email
mail = Mail.new do
- from "#{from.public_name} <#{...@apache.org>".untaint
- to "private@#{pmc.mail_list}.apache.org".untaint
+ from "#{from.public_name} <#{...@apache.org>"
+ to "private@#{pmc.mail_list}.apache.org"
cc cc
bcc "root@apache.org"
subject "#{who} #{action} #{pmc.display_name} #{list}"
diff --git a/www/roster/views/actions/memstat.json.rb b/www/roster/views/actions/memstat.json.rb
index 02dfcba..193ccf4 100644
--- a/www/roster/views/actions/memstat.json.rb
+++ b/www/roster/views/actions/memstat.json.rb
@@ -3,13 +3,13 @@ require 'wunderbar'
user = ASF::Person.find(@userid)
entry = user.members_txt(true)
raise Exception.new("Unable to find member entry for #{@userid}") unless entry
-USERID = user.id.dup.untaint # might be frozen
-USERMAIL = "#{USERID}@apache.org".untaint
-USERNAME = user.cn.untaint
-TIMESTAMP = (DateTime.now.strftime "%Y-%m-%d %H:%M:%S").untaint
+USERID = user.id
+USERMAIL = "#{USERID}@apache.org"
+USERNAME = user.cn
+TIMESTAMP = (DateTime.now.strftime "%Y-%m-%d %H:%M:%S")
# identify file to be updated
-members_txt = ASF::SVN.svnpath!('foundation', 'members.txt').untaint
+members_txt = ASF::SVN.svnpath!('foundation', 'members.txt')
# construct commit message
message = "Action #{@action} for #{USERID}"
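Review bot: `USERID = user.id` on the new side drops the `.dup` together with `.untaint`, and with it the `# might be frozen` note; the dup was only there so `untaint` would not hit a frozen string, so removing it is safe provided nothing later mutates `USERID` in place, which this hunk does not show. If that is the intent, keep it explicit: `USERID = user.id # read-only; dup no longer needed`. The parentheses in `TIMESTAMP = (DateTime.now.strftime "%Y-%m-%d %H:%M:%S")` existed only to chain `.untaint` and can go now: `TIMESTAMP = DateTime.now.strftime('%Y-%m-%d %H:%M:%S')`.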
@@ -69,7 +69,7 @@ if @action == 'rescind_emeritus'
elsif @action == 'request_emeritus'
# Create emeritus request and send acknowlegement mail from secretary
template, err =
- ASF::SVN.svn('cat', ASF::SVN.svnpath!('foundation', 'emeritus-request.txt').untaint, {env:env})
+ ASF::SVN.svn('cat', ASF::SVN.svnpath!('foundation', 'emeritus-request.txt'), {env:env})
raise RuntimeError.new("Failed to read emeritus-request.txt: " + err) unless template
centered_id = "#{USERID}".center(55, '_')
centered_name = "#{USERNAME}".center(55, '_')
@@ -82,9 +82,9 @@ elsif @action == 'request_emeritus'
.gsub('Signed: __________________________________________________________',
'Signed by validated user at: ________Whimsy www/committer_________')
.gsub('Date: _________________________________',
- ('Date: _______' + centered_date)).untaint
+ ('Date: _______' + centered_date))
# Write the emeritus request to emeritus-requests-received
- EMERITUS_REQUEST_URL = ASF::SVN.svnpath!('emeritus-requests-received').untaint
+ EMERITUS_REQUEST_URL = ASF::SVN.svnpath!('emeritus-requests-received')
rc = ASF::SVN.create_(EMERITUS_REQUEST_URL, "#{USERID}.txt", signed_request, "Emeritus request from #{USERNAME} (#{USERID})", env, _)
if rc == 0
ASF::Mail.configure
diff --git a/www/roster/views/actions/nonpmc.json.rb b/www/roster/views/actions/nonpmc.json.rb
index c0626f2..1900ec1 100644
--- a/www/roster/views/actions/nonpmc.json.rb
+++ b/www/roster/views/actions/nonpmc.json.rb
@@ -37,7 +37,7 @@ if env.password
# update committee-info.txt
if @targets.include? 'info'
- message = "#{@project} #{@action == 'add' ? '+' : '-'}= #{who}".untaint
+ message = "#{@project} #{@action == 'add' ? '+' : '-'}= #{who}"
ASF::SVN.updateCI message, env do |contents|
contents = ASF::Committee.update_roster(contents, @project, people, @action)
contents
@@ -61,16 +61,16 @@ if env.password
details << "#{pmc.dn};attr=member" if @targets.include? 'commit'
cc = people.map do |person|
- "#{person.public_name.inspect} <#{...@apache.org>".untaint
+ "#{person.public_name.inspect} <#{...@apache.org>"
end
from = ASF::Person.find(env.user)
# draft email
mail = Mail.new do
- from "#{from.public_name} <#{...@apache.org>".untaint
+ from "#{from.public_name} <#{...@apache.org>"
# TODO the email address may need fixing
- to "private@#{pmc.mail_list}.apache.org".untaint
+ to "private@#{pmc.mail_list}.apache.org"
cc cc
bcc "root@apache.org"
subject "#{who} #{action} #{pmc.display_name} #{list}"
diff --git a/www/roster/views/actions/ppmc.json.rb b/www/roster/views/actions/ppmc.json.rb
index d27251f..01dbe55 100644
--- a/www/roster/views/actions/ppmc.json.rb
+++ b/www/roster/views/actions/ppmc.json.rb
@@ -86,8 +86,8 @@ if env.password
# update podlings.xml
if @targets.include? 'mentor'
- path = File.join(ASF::SVN.svnurl('incubator-content'), 'podlings.xml').untaint
- msg = "#{@project} #{target} #{@action == 'add' ? '+' : '-'}= #{who}".untaint
+ path = File.join(ASF::SVN.svnurl('incubator-content'), 'podlings.xml')
+ msg = "#{@project} #{target} #{@action == 'add' ? '+' : '-'}= #{who}"
ASF::SVN.update(path, msg, env, _, {}) do |tmpdir, podlings|
pre = /<podling[^>]* resource="#{@project}".*?<\/podling>/m
@@ -124,7 +124,7 @@ if env.password
# draft email
if @targets == ['icommit']
mail = Mail.new do
- from "#{from.public_name} <#{...@apache.org>".untaint
+ from "#{from.public_name} <#{...@apache.org>"
to 'private@incubator.apache.org'
bcc 'root@apache.org'
subject "#{who} #{action} incubator #{target}"
@@ -136,7 +136,7 @@ if env.password
ppmc = ASF::Podling.find(@project)
cc = people.map do |person|
- "#{person.public_name.inspect} <#{...@apache.org>".untaint
+ "#{person.public_name.inspect} <#{...@apache.org>"
end
if ppmc.private_mail_list != 'private@incubator.apache.org'
@@ -144,8 +144,8 @@ if env.password
end
mail = Mail.new do
- from "#{from.public_name} <#{...@apache.org>".untaint
- to ppmc.private_mail_list.untaint
+ from "#{from.public_name} <#{...@apache.org>"
+ to ppmc.private_mail_list
cc cc
bcc 'root@apache.org'
subject "#{who} #{action} #{ppmc.display_name} #{target}"
diff --git a/www/roster/views/actions/service.json.rb b/www/roster/views/actions/service.json.rb
index 2a40640..c8ad501 100644
--- a/www/roster/views/actions/service.json.rb
+++ b/www/roster/views/actions/service.json.rb
@@ -28,7 +28,7 @@ if env.password
to << person unless to.include? person
to.delete from unless to.length == 1
to = to.map do |person|
- "#{person.public_name} <#{...@apache.org>".untaint
+ "#{person.public_name} <#{...@apache.org>"
end
# other committees
@@ -37,7 +37,7 @@ if env.password
# construct email
mail = Mail.new do
- from "#{from.public_name} <#{...@apache.org>".untaint
+ from "#{from.public_name} <#{...@apache.org>"
to to
bcc "root@apache.org"
subject "#{person.public_name} #{action} #{list}"
diff --git a/www/secretary/workbench/models/message.rb b/www/secretary/workbench/models/message.rb
index 4e27b9b..67043aa 100644
--- a/www/secretary/workbench/models/message.rb
+++ b/www/secretary/workbench/models/message.rb
@@ -175,7 +175,7 @@ class Message
attachments += attachments.pop.to_a if Hash === attachments.last
if attachments.flatten.length == 1
- ext = File.extname(attachments.first).downcase.untaint
+ ext = File.extname(attachments.first).downcase
find(attachments.first).write_svn(repos, filename + ext)
else
# validate filename
@@ -184,7 +184,7 @@ class Message
end
# create directory, if necessary
- dest = File.join(repos, filename).untaint
+ dest = File.join(repos, filename)
unless File.exist? dest
Kernel.system 'svn', 'mkdir', dest
end
@@ -213,7 +213,7 @@ class Message
att = find(name)
path = File.join(tmpdir, name)
att.write_path(path)
- files << [name, path, att.content_type.untaint]
+ files << [name, path, att.content_type]
end
files
@@ -323,9 +323,9 @@ class Message
end
# reformat and untaint email addresses
- mail[:to] = to.map {|addr| addr.format.dup.untaint}
- mail[:cc] = cc.map {|addr| addr.format.dup.untaint} unless cc.empty?
- mail[:bcc] = bcc.map {|addr| addr.format.dup.untaint} unless bcc.empty?
+ mail[:to] = to.map {|addr| addr.format}
+ mail[:cc] = cc.map {|addr| addr.format} unless cc.empty?
+ mail[:bcc] = bcc.map {|addr| addr.format} unless bcc.empty?
# return the resulting email
mail
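Review bot: The context comment `# reformat and untaint email addresses` above the new `mail[:to]` line is now stale, since the new side only calls `addr.format`; suggest `# reformat email addresses`. The `.dup` was dropped along with `.untaint`, which is fine as long as the formatted address strings are not mutated afterwards — not visible in this hunk. The enclosing method starts before the hunk.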
diff --git a/www/secretary/workbench/personalize.rb b/www/secretary/workbench/personalize.rb
index fb07321..dfad942 100644
--- a/www/secretary/workbench/personalize.rb
+++ b/www/secretary/workbench/personalize.rb
@@ -15,17 +15,17 @@ class Wunderbar::JsonBuilder
}
sec = secs[user]
if sec
- @from = "#{sec[:name]} <#{...@apache.org>".untaint
+ @from = "#{sec[:name]} <#{...@apache.org>"
@sig = %{
--
#{sec[:name]}
#{sec[:office]}, Apache Software Foundation
- }.untaint
+ }
else
person = ASF::Person.find(user)
- @from = "#{person.public_name} <#{...@apache.org>".untaint
+ @from = "#{person.public_name} <#{...@apache.org>"
@sig = %{
--
#{person.public_name}