PrivacyScore / privacyscanner

Privacyscanner is the new scanning backend component of a future PrivacyScore version
MIT License

scanner: Safely load default config #24

Open jayvdb opened 4 years ago

jayvdb commented 4 years ago

Fixes https://github.com/PrivacyScore/privacyscanner/issues/23

hprid commented 4 years ago

Thank you for the pull request. I am not sure whether this is a good fix; it might only defer the problem until someone has some hook that introduces uppercase module variables. Loading the configuration from a Python module was (more or less) just an easy way to get a readable configuration file with support for basic data structures and comments. Currently I consider changing the configuration file format to TOML, which fulfills the mentioned requirements without having any side effects due to code execution, hooks etc. Any opinions on that?

jayvdb commented 4 years ago

it might only defer the problem until someone has some hook that introduces uppercase module variables

This is a vanishing/obscure small scenario.

I have 5495 packages installed in my system site-packages - almost every Python package available from openSUSE, and I have quite a large collection of packages I develop at https://build.opensuse.org/project/show/home:jayvdb:py-new , https://build.opensuse.org/project/show/home:jayvdb:django , etc.

There are very few hooks in mainstream use, and people who write them either know to use dunders and peps regarding underscore prefixes for private variables, or accept it is a bug to inject variables into the exportable/public interface of other peoples modules.

I could replace .isupper() with .. != '_' and that also passes on my system.

Loading the configuration from a Python module was (more or less) just an easy way to get a readable configuration file with support for basic data structures and comments.

I fought that fight at pywikibot. Here is our singleton config module which sets defaults and loads user overrides. Very powerful, but I wouldn't go down that path again willingly. https://github.com/wikimedia/pywikibot/blob/master/pywikibot/config2.py

https://pypi.org/project/pon/ is the closest I would go to that approach, as it at least solves most of the problems of loading Python files.

Currently I consider changing the configuration file format to TOML, ..

👍