Guard injection against old rubies #4140
Conversation
These versions may be unable to execute - or even parse - the main host injection script.
![datadog-datadog-prod-us1[bot]](https://avatars.githubusercontent.com/u/365230?s=60&v=4){kind=small}
| gemfile = Bundler::SharedHelpers.default_gemfile | ||
| lockfile = Bundler::SharedHelpers.default_lockfile | ||
|
|
||
| datadog_gemfile = gemfile.dirname + '.datadog-Gemfile' |
There was a problem hiding this comment.
⚪ Code Quality Violation
Consider using string interpolation or formatting instead of concatenation. (...read more)
The rule "Avoid string concatenation" is an important coding practice in Ruby for ensuring efficient and clean code. String concatenation in Ruby using the '+' operator creates a new string object, which can lead to excessive memory usage and slower performance when dealing with large strings or performing the operation multiple times.
Instead, Ruby provides alternatives that are more efficient. The string interpolation syntax #{} allows you to insert variables directly into strings without creating new string objects. This is not only more memory efficient, but also provides cleaner and more readable code.
Another alternative is the format method, which allows you to create a formatted string with placeholders for variables. This method is particularly useful when dealing with more complex strings, as it provides a clear and concise way to format your strings.
By following this rule, you can write more efficient and cleaner Ruby code, leading to better performance and readability.
| lockfile = Bundler::SharedHelpers.default_lockfile | ||
|
|
||
| datadog_gemfile = gemfile.dirname + '.datadog-Gemfile' | ||
| datadog_lockfile = lockfile.dirname + '.datadog-Gemfile.lock' |
There was a problem hiding this comment.
⚪ Code Quality Violation
Consider using string interpolation or formatting instead of concatenation. (...read more)
The rule "Avoid string concatenation" is an important coding practice in Ruby for ensuring efficient and clean code. String concatenation in Ruby using the '+' operator creates a new string object, which can lead to excessive memory usage and slower performance when dealing with large strings or performing the operation multiple times.
Instead, Ruby provides alternatives that are more efficient. The string interpolation syntax #{} allows you to insert variables directly into strings without creating new string objects. This is not only more memory efficient, but also provides cleaner and more readable code.
Another alternative is the format method, which allows you to create a formatted string with placeholders for variables. This method is particularly useful when dealing with more complex strings, as it provides a clear and concise way to format your strings.
By following this rule, you can write more efficient and cleaner Ruby code, leading to better performance and readability.
| env = { 'BUNDLE_GEMFILE' => datadog_gemfile.to_s, | ||
| 'DD_TRACE_SKIP_LIB_INJECTION' => 'true', | ||
| 'GEM_PATH' => utils.path } | ||
| add_output, add_status = Open3.capture2e(env, bundle_add_cmd) |
There was a problem hiding this comment.
🟠 Code Vulnerability
Potential shell injection, check inputs are not coming from untrusted data (...read more)
This rule checks for potential shell injection vulnerabilities in your Ruby code. Shell injection is a serious security risk, as it allows an attacker to execute arbitrary commands on your system, potentially leading to data theft, corruption, or other malicious actions. When user input is used to form shell commands, it is essential to ensure that it cannot be manipulated to alter the intended command execution.
The importance of this rule cannot be overstated. Preventing shell injection attacks is a critical aspect of maintaining the security and integrity of your application and its data. Shell injections can lead to severe consequences, including unauthorized access, data breaches, and system compromise.
To avoid shell injection vulnerabilities, always use the array form of system commands in Ruby, such as system("echo", "Hello, World!") instead of system("echo Hello, World!"). The array form ensures that the arguments are passed directly to the command and not interpreted by the shell. Also, avoid using user input directly in shell commands. If it's unavoidable, make sure to sanitize the input thoroughly before using it. Use libraries such as Shellwords.escape to escape any potentially dangerous characters in the user input.
| require 'open3' | ||
| require 'json' | ||
|
|
||
| Open3.capture2e(fowarder, 'library_entrypoint', stdin_data: payload.to_json) |
There was a problem hiding this comment.
🟠 Code Vulnerability
Potential shell injection, check inputs are not coming from untrusted data (...read more)
This rule checks for potential shell injection vulnerabilities in your Ruby code. Shell injection is a serious security risk, as it allows an attacker to execute arbitrary commands on your system, potentially leading to data theft, corruption, or other malicious actions. When user input is used to form shell commands, it is essential to ensure that it cannot be manipulated to alter the intended command execution.
The importance of this rule cannot be overstated. Preventing shell injection attacks is a critical aspect of maintaining the security and integrity of your application and its data. Shell injections can lead to severe consequences, including unauthorized access, data breaches, and system compromise.
To avoid shell injection vulnerabilities, always use the array form of system commands in Ruby, such as system("echo", "Hello, World!") instead of system("echo Hello, World!"). The array form ensures that the arguments are passed directly to the command and not interpreted by the shell. Also, avoid using user input directly in shell commands. If it's unavoidable, make sure to sanitize the input thoroughly before using it. Use libraries such as Shellwords.escape to escape any potentially dangerous characters in the user input.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #4140 +/- ##
==========================================
- Coverage 97.78% 97.77% -0.02%
==========================================
Files 1350 1350
Lines 81322 81322
Branches 4107 4107
==========================================
- Hits 79522 79512 -10
- Misses 1800 1810 +10 ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
BenchmarksBenchmark execution time: 2024-11-21 15:57:59 Comparing candidate commit 9f0a245 in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 31 metrics, 2 unstable metrics. |
| utils.debug 'Fork not supported... skipping injection' | ||
| telemetry.emit(pid, utils.version, [{ name: 'library_entrypoint.abort', tags: ['reason:fork_not_supported'] }]) | ||
| end | ||
| if RUBY_VERSION.start_with?('2.5.') |
There was a problem hiding this comment.
@p-datadog is right!
What does this PR do?
Add a known-processable frontend script to the main injection script.
Motivation:
Main injection script may be attempted to be loaded via
RUBYOPT=-r'/path/to/host_inject.rb'but be unprocessable.Change log entry
Add safe NOOP injection script for very old rubies
Additional Notes:
How to test the change?