Posted to dev@whimsical.apache.org by Sam Ruby <ru...@intertwingly.net> on 2020/12/29 19:36:52 UTC
ruby2js and ruby2.7
First, a link to the line of code in question:
https://github.com/apache/whimsy/blob/9b1bd40e277969936f7b8138efb70b0ef28416f6/www/roster/views/committers.html.rb#L28
Questions: is this still necessary, or is it moot given the direction to
make ICLAs private? If necessary, can it be done via an @variable
rather than backticks?
---
Background. Prior to Ruby 2.7, with $SAFE and taint support, one could
detect whether a given string contained unverified user input. Starting
with Ruby 2.7, this became impossible.
Ruby2JS has the ability to evaluate an arbitrary string in the host
context, which could be very unsafe (consider "system rm -rf /"). I
made a change to only allow this if a binding is specified as an option
(not recommended, but possible).
https://github.com/ruby2js/ruby2js/commit/704f1a5c20485414f1831938b0a4364a83fa1538
I did this only after scanning all of the whimsy .js.rb files. What I
missed is that this was used in an html file with an embedded script.
If this is still necessary, I would recommend it be done by evaluating a
host instance variable (@ivar) rather than evaluating an arbitrary
method call.
---
Footnote: if you view source on
https://whimsy.apache.org/roster/committee/whimsy and scroll to the
bottom, you can see instance variables expanded (you will see, for
example, auth with your id).
If, however, you view source on
https://whimsy.apache.org/roster/committer/, you will see icla path
evaluated, but will not see that notinavail expanded (instead you will
see this._notinavail, i.e., evaluation of an instance variable inside of
a JavaScript class). I'm not sure yet what is going on here.
- Sam Ruby
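As an added illustration of the recommendation above (this is not Ruby2JS or Whimsy code; the Host class, expand_unsafe, expand_ivars and the sample values are constructed stand-ins), the following compares the two ways a host-side expander can resolve {{ ... }} references in a page: evaluating the text in the host binding, versus accepting only a defined @ivar and JSON-encoding its value.

```ruby
require 'json'

# Host object standing in for the page being rendered; its instance
# variables are the only state a template should be able to read.
class Host
  def initialize(auth:, icla_path:)
    @auth = auth
    @icla_path = icla_path
  end

  # Exposes the host binding, which is what the unsafe path evaluates in.
  def host_binding
    binding
  end
end

# Unsafe: whatever sits between the braces is evaluated as Ruby in the host
# binding, so a method call or backtick expression runs with host privileges.
def expand_unsafe(template, host)
  b = host.host_binding
  template.gsub(/\{\{\s*(.*?)\s*\}\}/) { b.eval(Regexp.last_match(1)).to_json }
end

# Accept only a plain instance-variable name: no dots, calls or backticks.
IVAR_REF = /\A@[a-z_][a-zA-Z0-9_]*\z/

# Safe: the reference must be a syntactically valid @ivar that the host has
# actually defined; the value is JSON-encoded rather than spliced as raw text.
def expand_ivars(template, host)
  template.gsub(/\{\{\s*(.*?)\s*\}\}/) do
    ref = Regexp.last_match(1)
    unless IVAR_REF.match?(ref)
      raise ArgumentError, "not an instance variable reference: #{ref}"
    end
    unless host.instance_variable_defined?(ref)
      raise ArgumentError, "undefined instance variable: #{ref}"
    end
    host.instance_variable_get(ref).to_json
  end
end

# Constructed sample values; not real Whimsy data.
def sample_host
  Host.new(auth: { 'id' => 'example' }, icla_path: '/constructed/path/icla.pdf')
end
```

With sample_host, expand_ivars('var auth = {{ @auth }};', h) yields the JSON-encoded hash, while a reference such as {{ @auth.fetch("id") }} or an undefined {{ @secret }} is rejected with ArgumentError instead of being evaluated.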
Re: ruby2js and ruby2.7
Posted by sebb <se...@gmail.com>.
On Tue, 29 Dec 2020 at 21:37, sebb <se...@gmail.com> wrote:
>
> On Tue, 29 Dec 2020 at 19:37, Sam Ruby <ru...@intertwingly.net> wrote:
> >
> > First, a link to the line of code in question:
> >
> > https://github.com/apache/whimsy/blob/9b1bd40e277969936f7b8138efb70b0ef28416f6/www/roster/views/committers.html.rb#L28
> >
> > Questions: is this still necessary, or is it moot given the direction to
> > make ICLAs private?
> The code can/will probably be removed, but in any case ruby2js ideally
> should not crash.
> > If necessary, can it be done via an @variable
> > rather than backticks?
I have moved the variable setup to main.rb, so it no longer causes a crash.
But the links are only usable for the secretarial team.
> >
> > ---
> >
> > Background. Prior to Ruby 2.7, with $SAFE and taint support, one could
> > detect whether a given string contained unverified user input. Starting
> > with Ruby 2.7, this became impossible.
> >
> > Ruby2JS has the ability to evaluate an arbitrary string in the host
> > context, which could be very unsafe (consider "system rm -rf /"). I
> > made a change to only allow this if a binding is specified as an option
> > (not recommended, but possible).
> >
> > https://github.com/ruby2js/ruby2js/commit/704f1a5c20485414f1831938b0a4364a83fa1538
> >
> > I did this only after scanning all of the whimsy .js.rb files. What I
> > missed is that this was used in an html file with an embedded script.
> >
> > If this is still necessary, I would recommend it be done by evaluating a
> > host instance variable (@ivar) rather than evaluating an arbitrary
> > method call.
> >
> > ---
> >
> > Footnote: if you view source on
> > https://whimsy.apache.org/roster/committee/whimsy and scroll to the
> > bottom, you can see instance variables expanded (you will see, for
> > example, auth with your id).
> > If, however, you view source on
> > https://whimsy.apache.org/roster/committer/, you will see icla path
> > evaluated, but will not see that notinavail expanded (instead you will
> > see this._notinavail, i.e., evaluation of an instance variable inside of
> > a JavaScript class). I'm not sure yet what is going on here.
> >
> > - Sam Ruby
> >
Re: ruby2js and ruby2.7
Posted by sebb <se...@gmail.com>.
On Tue, 29 Dec 2020 at 19:37, Sam Ruby <ru...@intertwingly.net> wrote:
>
> First, a link to the line of code in question:
>
> https://github.com/apache/whimsy/blob/9b1bd40e277969936f7b8138efb70b0ef28416f6/www/roster/views/committers.html.rb#L28
>
> Questions: is this still necessary, or is it moot given the direction to
> make ICLAs private?
The code can/will probably be removed, but in any case ruby2js ideally
should not crash.
> If necessary, can it be done via an @variable
> rather than backticks?
>
> ---
>
> Background. Prior to Ruby 2.7, with $SAFE and taint support, one could
> detect whether a given string contained unverified user input. Starting
> with Ruby 2.7, this became impossible.
>
> Ruby2JS has the ability to evaluate an arbitrary string in the host
> context, which could be very unsafe (consider "system rm -rf /"). I
> made a change to only allow this if a binding is specified as an option
> (not recommended, but possible).
>
> https://github.com/ruby2js/ruby2js/commit/704f1a5c20485414f1831938b0a4364a83fa1538
>
> I did this only after scanning all of the whimsy .js.rb files. What I
> missed is that this was used in an html file with an embedded script.
>
> If this is still necessary, I would recommend it be done by evaluating a
> host instance variable (@ivar) rather than evaluating an arbitrary
> method call.
>
> ---
>
> Footnote: if you view source on
> https://whimsy.apache.org/roster/committee/whimsy and scroll to the
> bottom, you can see instance variables expanded (you will see, for
> example, auth with your id).
> If, however, you view source on
> https://whimsy.apache.org/roster/committer/, you will see icla path
> evaluated, but will not see that notinavail expanded (instead you will
> see this._notinavail, i.e., evaluation of an instance variable inside of
> a JavaScript class). I'm not sure yet what is going on here.
>
> - Sam Ruby
>