dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Ability to skip parsing a statement, particularly an eval_gemfile #2098

Open lamont-granquist opened 4 years ago

lamont-granquist commented 4 years ago

We have this in our Gemfile in order to let devs add debugging gems (for very complicated reasons we cannot just agree on a set of debugging gems and include them globally in a group):

# If you want to load debugging tools into the bundle exec sandbox,
# add these additional dependencies into Gemfile.local
eval_gemfile("./Gemfile.local") if File.exist?("./Gemfile.local")

I got rid of the old string interpolation that was present there, but dependabot still complains now that it can't find Gemfile.local.

What I'd like to be able to do is just tell dependabot to completely ignore that line:

# If you want to load debugging tools into the bundle exec sandbox,
# add these additional dependencies into Gemfile.local
eval_gemfile("./Gemfile.local") if File.exist?("./Gemfile.local") # dependabot:ignore

We have some other context-dependent lines in our Gemfiles that might need to be skipped as well (and it might be useful to be able to skip entire blocks of code with something like # dependabot:ignore:start and # dependabot:ignore:end or something like that).

rebelagentm commented 4 years ago

@feelepxyz I remember looking at something like this with you in the past. But I don't recall if this particular scenario is still restricted for security reasons.

lamont-granquist commented 4 years ago

Wasn't me, it was actually @tas50 but yeah, we work together.

I think that eval_gemfile is restricted for security reasons. But that's why I want a magic comment to make your parser just skip this line like it wasn't there. We don't need you parsing it and don't need to expose you to the security hole (I want you to behave just like the whole line was commented out)

rebelagentm commented 4 years ago

My apologies. I misunderstood your original post. We definitely like the idea of adding helpful features. But the team is pretty swamped right now scaling Dependabot for the GitHub integration, so it may be a while before we can get to doing this.

feelepxyz commented 4 years ago

@lamont-granquist @rebelagentm yeah it's currently restricted to prevent untrusted code from executing when we parse the gemfile. We should probably add explicit support for this conditional require pattern instead of an ignore comment. Would love any help implementing this as we're pretty swamped at the moment.

I think we'll want to ignore any eval_gemfiles that are wrapped inside an if statement here: https://github.com/dependabot/dependabot-core/blob/master/bundler/lib/dependabot/bundler/file_fetcher/child_gemfile_finder.rb
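The two ideas in this thread, refusing to evaluate a Gemfile and instead skipping any eval_gemfile that sits under a conditional, and the magic-comment skip from the opening post, can both be done with a read-only parse. The following is an added example, not dependabot-core's child_gemfile_finder, that uses Ruby's stdlib Ripper to walk the Gemfile syntax tree without executing it: every eval_gemfile call is reported with its line, whether its argument is a single uninterpolated string, and whether it is wrapped in if/unless. The `# dependabot:ignore` marker, the `:follow`/`:skip`/`:reject` labels and the sample Gemfile are assumptions constructed for the example.

```ruby
# Added example (not dependabot-core code): a read-only scan of a Gemfile
# with Ruby's stdlib Ripper. It finds eval_gemfile calls without executing
# the Gemfile, reports whether each argument is a plain string literal,
# whether the call sits under an if/unless guard, and honours the
# hypothetical "# dependabot:ignore" trailing comment from the issue.
require "ripper"

# Hypothetical marker from the issue; lines carrying it are blanked before
# parsing so the line numbers of the remaining statements are preserved.
IGNORE_MARK = /#\s*dependabot:ignore\s*\z/

# Node types that make everything beneath them conditional.
CONDITIONALS = %i[if if_mod unless unless_mod elsif ifop].freeze

def ident?(node, name)
  node.is_a?(Array) && node[0] == :@ident && node[1] == name
end

# Returns the string if the argument list is exactly one uninterpolated
# string literal, otherwise nil (variables, File.join, "#{...}" all fail).
def literal_string(args)
  args = args[1] if args.is_a?(Array) && args[0] == :arg_paren
  return nil unless args.is_a?(Array) && args[0] == :args_add_block
  list = args[1]
  return nil unless list.is_a?(Array) && list.length == 1
  lit = list[0]
  return nil unless lit.is_a?(Array) && lit[0] == :string_literal
  parts = lit[1][1..-1]
  return nil unless parts.length == 1 && parts[0][0] == :@tstring_content
  parts[0][1]
end

def record(ident, args, guarded)
  path = literal_string(args)
  action = if guarded then :skip     # conditional include: do not follow
           elsif path then :follow   # static path: safe to fetch as a file
           else :reject              # dynamic path: would need evaluation
           end
  { line: ident[2][0], path: path, guarded: guarded, action: action }
end

# Depth-first walk over Ripper.sexp output; `guarded` becomes true once we
# are inside any conditional node and stays true for its subtree.
def walk(node, guarded, found)
  return unless node.is_a?(Array)
  if node[0].is_a?(Symbol)
    type = node[0]
    if type == :command && ident?(node[1], "eval_gemfile")
      found << record(node[1], node[2], guarded)         # eval_gemfile "x"
    elsif type == :method_add_arg && node[1].is_a?(Array) &&
          node[1][0] == :fcall && ident?(node[1][1], "eval_gemfile")
      found << record(node[1][1], node[2], guarded)      # eval_gemfile("x")
    end
    guarded ||= CONDITIONALS.include?(type)
    node[1..-1].each { |child| walk(child, guarded, found) }
  else
    node.each { |child| walk(child, guarded, found) }
  end
end

# Parses the Gemfile text (never evaluates it) and returns one hash per
# eval_gemfile call that was not removed by the ignore marker.
def scan_gemfile(source)
  stripped = source.lines.map { |l| l.match?(IGNORE_MARK) ? "\n" : l }.join
  tree = Ripper.sexp(stripped)
  raise ArgumentError, "Gemfile does not parse" if tree.nil?
  found = []
  walk(tree, false, found)
  found
end

# Constructed sample Gemfile mirroring the patterns reported in the thread.
SAMPLE_GEMFILE = <<~'GEMFILE'
  source "https://rubygems.org"
  gem "dotenv"
  eval_gemfile "gemfiles/shared.gemfile"
  eval_gemfile("./Gemfile.local") if File.exist?("./Gemfile.local")
  plugins_path = File.join(File.dirname(__FILE__), "fastlane", "Pluginfile")
  eval_gemfile(plugins_path) if File.exist?(plugins_path)
  eval_gemfile(File.join(__dir__, "Gemfile.ci"))
  eval_gemfile("./Gemfile.debug") # dependabot:ignore
GEMFILE

if __FILE__ == $PROGRAM_NAME
  scan_gemfile(SAMPLE_GEMFILE).each do |hit|
    puts format("line %d: %-7s %s", hit[:line], hit[:action], hit[:path] || "<dynamic>")
  end
end
```

Run against the sample, the unconditional literal on line 3 is the only call a fetcher would follow; the two guarded calls on lines 4 and 6 are skipped whether or not their argument is static, the File.join call on line 7 is rejected because its path cannot be known without running code, and the marked line 8 never reaches the parser at all. Nothing in the Gemfile is executed at any point, which is the property the restriction exists to keep.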

imaizume commented 4 years ago

As reported above, dependabot can't interpret my Gemfile either.

# frozen_string_literal: true
source "https://rubygems.org"

gem 'cocoapods', '~> 1.8.0'
gem 'fastlane', '~> 2.148.0'
gem 'dotenv'

plugins_path = File.join(File.dirname(__FILE__), 'fastlane', 'Pluginfile')
eval_gemfile(plugins_path) if File.exist?(plugins_path)

Failure message:

Dependabot only supports uninterpolated string arguments to eval_gemfile. Got `plugins_path`

I think we'll want to ignore any eval_gemfiles that are wrapped inside an if statement here:

Like @feelepxyz said, I hope it will come soon.

nic-lan commented 3 years ago

I confirm that also the following does not succeed.

gemfile_shared_path = ENV.fetch('GEMFILE_SHARED_PATH', './Gemfile.shared')
eval_gemfile(gemfile_shared_path)

Dependabot only supports uninterpolated string arguments to eval_gemfile. Got plugins_path

:-(

Any update about this?

jurre commented 3 years ago

What I'd like to be able to do is just tell dependabot to completely ignore that line:

You can probably do this:

eval_gemfile("./Gemfile.local") if ENV["GEMFILE_LOCAL"]

It'll evaluate to false, and Gemfile.local will not be included. But that will require you to set that env variable locally, so it's not great.

hs-mniagolov commented 2 years ago

As reported above, dependabot can't interpret my Gemfile either.

# frozen_string_literal: true
source "https://rubygems.org"

gem 'cocoapods', '~> 1.8.0'
gem 'fastlane', '~> 2.148.0'
gem 'dotenv'

plugins_path = File.join(File.dirname(__FILE__), 'fastlane', 'Pluginfile')
eval_gemfile(plugins_path) if File.exist?(plugins_path)

Failure message:

Dependabot only supports uninterpolated string arguments to eval_gemfile. Got `plugins_path`

I think we'll want to ignore any eval_gemfiles that are wrapped inside an if statement here:

Like @feelepxyz said, I hope it will come soon.

Did you manage to bypass this? One year later I still have the same problem.

patrickm-psn commented 2 years ago

Just wondering, has this issue been resolved, or is there any recommended approach to bypass it?

caiodias commented 2 years ago

I'm facing the same issue too

github-actions[bot] commented 2 months ago

👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.

ekohl commented 2 months ago

I'm still hoping this gets resolved.