railsbump / app

Check which gems are compatible with which Rails version!
https://railsbump.org
MIT License

Make sure that parsing Gemfiles is safe #45

Closed manuelmeurer closed 4 years ago

manuelmeurer commented 4 years ago

We should make sure that no random code can be executed when a Gemfile is parsed in app/services/gemfiles/create.rb. Maybe something like this:

# keep only lines that start with `gem` or `source` (String#strip, not #trim)
sanitized_content = content.split(/\r?\n/).map(&:strip).select do |line|
  /\A(gem|source)\b/.match?(line)
end.join("\n")   # eval_gemfile expects a String, not an Array of lines
bundler   = Bundler::Dsl.new
# eval_gemfile returns the value of the last evaluated line, not the
# dependencies; read those back from the DSL object afterwards
bundler.eval_gemfile('', sanitized_content)
gem_names = bundler.dependencies.map(&:name).sort - %w(rails)

etagwerker commented 4 years ago

@manuelmeurer Good point. Any good reasons why we wouldn't want to use Gemfile.lock to load the list of dependencies in an application? We have done this in another gem we created and I think it could work well: https://github.com/rubymem/bundler-leak/blob/master/lib/bundler/plumber/scanner.rb#L21

That way we could save ourselves a headache evaling user input. 😺

manuelmeurer commented 4 years ago

Great idea, @etagwerker, it works well! 👍
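The two approaches from the thread side by side, as an added example that is not code from the railsbump repository or from either commenter. It shows why the prefix filter is not enough: the surviving lines still go through `Bundler::Dsl#eval_gemfile`, which is `instance_eval`, so a line that merely starts with `gem` can carry any Ruby expression, whereas `Bundler::LockfileParser` reads a Gemfile.lock line by line and evaluates nothing. The Gemfile, the Gemfile.lock, the `EVAL_TRACE` marker and the two helper functions are constructed for this illustration; the `BUNDLE_GEMFILE` guard is an assumption for running the script outside a bundle, because Bundler resolves its project root from that path even when it only parses strings.

```ruby
# Bundler derives its project root from BUNDLE_GEMFILE (or a Gemfile found
# upwards from the working directory) even when it only parses strings.
# Assumption for running this outside a bundle: point it at the working
# directory; no file is read. Under `bundle exec` the variable is already set.
ENV["BUNDLE_GEMFILE"] ||= File.expand_path("Gemfile", Dir.pwd)
require "bundler"

# Marker that records whether Ruby inside a "sanitized" Gemfile line ran.
EVAL_TRACE = []

# Constructed upload: every line passes a /\A(gem|source)\b/ prefix filter,
# but the third one carries an arbitrary expression after the gem name.
SUBMITTED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 6.1"
  gem "sidekiq" if EVAL_TRACE.push("arbitrary Ruby ran inside eval_gemfile")
  gem "rack"
GEMFILE

# Constructed Gemfile.lock for the same application (dependency tree abbreviated).
SUBMITTED_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.3)
      rails (6.1.4)
        rack (~> 2.0)
      sidekiq (6.2.1)
        rack (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rails (~> 6.1)
    sidekiq
LOCK

# Prefix-filter approach: the surviving lines are still handed to
# Bundler::Dsl#eval_gemfile, i.e. to instance_eval.
def gem_names_via_filtered_eval(content)
  sanitized = content.split(/\r?\n/).map(&:strip).select do |line|
    /\A(gem|source)\b/.match?(line)
  end
  dsl = Bundler::Dsl.new
  # contents are passed explicitly, so nothing is read from disk
  dsl.eval_gemfile("Gemfile", sanitized.join("\n"))
  dsl.dependencies.map(&:name).sort - %w(rails)
end

# Lockfile approach: Bundler::LockfileParser is a line-oriented parser that
# evaluates nothing. The DEPENDENCIES section lists the gems the Gemfile
# declared; specs is the fully resolved set with versions.
def gem_names_from_lockfile(content)
  parser = Bundler::LockfileParser.new(content)
  {
    direct:   parser.dependencies.keys.sort - %w(rails),
    resolved: parser.specs.map { |spec| [spec.name, spec.version.to_s] }.sort,
  }
end

if __FILE__ == $0
  p gem_names_via_filtered_eval(SUBMITTED_GEMFILE)   # => ["rack", "sidekiq"]
  p EVAL_TRACE                                        # => ["arbitrary Ruby ran inside eval_gemfile"]
  p gem_names_from_lockfile(SUBMITTED_LOCKFILE)
end
```

`parser.dependencies` (the DEPENDENCIES section) is the lockfile analogue of the `gem` lines the service wants, while `parser.specs` adds the transitive gems and their pinned versions. A submitted file that is not a lockfile at all produces empty `dependencies` and `specs` rather than an exception (only merge-conflict markers raise `Bundler::LockfileError`), so the service should treat an empty result as a rejected upload.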