Allow component modules to be loaded from any path

[jrha]

Remove hasFile method which artificially restricts the paths which component modules can be loaded from, allowing loading from any valid path in @INC.

This allows component modules to be placed in a location appropriate for each operating system environments we target.

This change breaks backwards compatability by:

• Removing the file? column from the output of reportComponents
  • Used by ncm-ncd --list/quattor-list so could potentially be being parsed by someone.
• Removing hasFile entirely.
• Removing getComponentFilename entirely.
• Allowing modules to be loaded from other paths.
  • Potentially resulting in different/unexpected versions of code being run.

Resolves #116.

[stdweird]

@jrha i don't know the original reason not to use the perl system path, but this is against that (obviously).

it also allows to pick up any component from PERL5LIB env variable, not sure that is an issue.

we can probably add a restriction to also consider the perl builtin INC paths, and not only /usr/lib/perl

also, please add unittests

[jrha]

I guess @piojo might have some insight into the benefits of path restrictions, I assumed that these were just kludges left over from pre EL6 days. I'll sort out the tests later, just wanted to get this out so we could discuss it.

[jrha]

Make sure I squash these commits before this gets merged.

[stdweird]

we agreed during the workshop of april 2018 to allow this, and this will be merged once reviewed

[stdweird]

@jrha just a minor remark, this is otherwise good to go

[jrha]

Well I broke it, will try and figure out what I did later.

[jrha]

@hpcugentbot please retest this please

[jrha]

Removed the test checking an internal function before the component was initialised - was causing the test failures.

[jrha]

@stdweird could you re-review this when you have a moment? :innocent:

[stdweird]

@ned21 @jouvin i'll let you merge this so you aware of this new behaviour @jrha thx for fixing this!

[ned21]

I suspect this was originally in place because of CVE-2016-1238 https://rt.perl.org/Public/Bug/Display.html?id=127834 has more details but it's related to . in @INC. So I'm not sure we can or should trust @INC even in EL7.

Can we block any modules being loaded from . before merging this?

[stdweird]

@ned21 you want that filtered here? i tought we already did this in the client tools (because otherwise you could load NCM::Component etc from .)?

[ned21]

I thought I remembered that conversation too. So maybe that mitigation means it's now safe to remove from here? Can we confirm where the protection is now implemented and get that documented either inline as a comment or in the commit log?

[stdweird]

@ned21 for ncm-ncd this was done in https://github.com/quattor/ncm-ncd/pull/123/commits/5cfe99375bae66cd176fdad8629ae44534d4a51e

[jrha]

@stdweird @ned21 commit message updated with explanation about CVE-2016-1238