WIP test

powerhome · Nov 6, 2024 · 6fbe511 · 6fbe511
1 parent 00f4d0f
commit 6fbe511
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 4 deletions.
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
@@ -18,9 +18,11 @@ jobs:
         uses: bearer/bearer-action@v2
         with:
           diff: true
+          format: rdjson
+          output: rd.json
       - name: Run reviewdog
         if: always()
         env:
           REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          reviewdog -reporter=github-pr-check
+          cat rd.json | reviewdog -f=rdjson -reporter=github-pr-check
diff --git a/packages/consent/lib/consent/dsl.rb b/packages/consent/lib/consent/dsl.rb
@@ -14,15 +14,15 @@ def with_defaults(new_defaults, &block)
       DSL.build(@subject, @defaults.merge(new_defaults), &block)
     end
 
-    # rubocop:disable Lint/UnusedBlockArgument
+    # rubocop:disable Lint/UnusedBlockArgument, Security/Eval
     def eval_view(key, label, collection_conditions)
       view key, label do |user|
-        eval(collection_conditions)
+        eval(collection_conditions) # Boom?
         # made to fail
         # eval(collection_conditions)
       end
     end
-    # rubocop:enable Lint/UnusedBlockArgument
+    # rubocop:enable Lint/UnusedBlockArgument, Security/Eval
 
     def view(key, label, instance = nil, collection = nil, &block)
       collection ||= block

diff --git a/rd.json b/rd.json
@@ -0,0 +1 @@
+{"source":{"name":"Bearer","url":"https://docs.bearer.com/"},"diagnostics":[{"message":"\n# Usage of dangerous 'eval' function\n## Description\n\nThe use of the `eval` function, which dynamically executes code represented as strings, poses a high security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.\n\n## Remediations\n\n- **Do not** use the `eval` function. Its ability to execute code that can be manipulated by an attacker introduces various injection vulnerabilities.\n  ```ruby\n  eval(\"def hello_world; puts 'Hello world!'; end\")\n  ```\n- **Do** explore safer alternatives to `eval`. Use language features or libraries specifically designed for the task you're trying to accomplish with `eval`.\n- **Do** validate and sanitize all inputs if you must use dynamic code execution. This reduces the risk of executing malicious code.\n- **Do** use restricted execution environments for running code dynamically if absolutely necessary. This minimizes the potential impact of malicious code execution by isolating it from the main application environment.\n\n## References\n\n- [OWASP: Eval Injection](https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection)\n- [MDN Web Docs: Never use eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)","location":{"path":"packages/consent/lib/consent/dsl.rb","range":{"start":{"line":20,"column":9},"end":{"line":20,"column":36}}},"severity":"ERROR","suggestions":[],"code":{"value":"ruby_lang_eval_linter","url":"https://docs.bearer.com/reference/rules/ruby_lang_eval_linter"}}]}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"source":{"name":"Bearer","url":"https://docs.bearer.com/"},"diagnostics":[{"message":"\n# Usage of dangerous 'eval' function\n## Description\n\nThe use of the `eval` function, which dynamically executes code represented as strings, poses a high security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.\n\n## Remediations\n\n- Do not use the `eval` function. Its ability to execute code that can be manipulated by an attacker introduces various injection vulnerabilities.\n ```ruby\n eval(\"def hello_world; puts 'Hello world!'; end\")\n ```\n- Do explore safer alternatives to `eval`. Use language features or libraries specifically designed for the task you're trying to accomplish with `eval`.\n- Do validate and sanitize all inputs if you must use dynamic code execution. This reduces the risk of executing malicious code.\n- Do use restricted execution environments for running code dynamically if absolutely necessary. This minimizes the potential impact of malicious code execution by isolating it from the main application environment.\n\n## References\n\n- [OWASP: Eval Injection](https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection)\n- [MDN Web Docs: Never use eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)","location":{"path":"packages/consent/lib/consent/dsl.rb","range":{"start":{"line":20,"column":9},"end":{"line":20,"column":36}}},"severity":"ERROR","suggestions":[],"code":{"value":"ruby_lang_eval_linter","url":"https://docs.bearer.com/reference/rules/ruby_lang_eval_linter"}}]}