Closed stevenjackson closed 1 year ago
Taking the "where does it end" to an extreme, is there a world where instead of leaning on bundled versions, we utilize an abstract syntax tree to try plucking out the evaluations we want to care about?
I'd imagine YAGNI applies more than anything, so I like what you've added in the changes here. I'd say let's take it Gemfile by Gemfile, and I'll look forward to arriving at the place where we need a better representation of parsing valid gem names.
This feels kind of gross and a "where will it end" kind of situation.
For example, we could filter out `begin`, `rescue`, etc. and it still wouldn't be enough for something like this:

I'm kind of ok with returning UNKNOWN for `Finder.go!`, but I could imagine a version of this that defines a `gem` method and evals it. But that would put a crimp on any future plans of hosting this tool, since we'd be doing RCE all over the place.

We could also split "Gemfile" evaluation from "no Gemfile" evaluation; they're lumped together because it was easy, but maybe not prudent.
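As an added illustration of the AST approach floated above (this is example code written for this page, not code from the project or from either commenter), the sketch below uses Ruby's stdlib `Ripper` to pull gem names out of a Gemfile without ever evaluating it. It walks the S-expression for `gem "name"` and `gem("name")` calls wherever they appear (top level, inside `group` blocks, inside `begin`/`rescue`), and returns the string `UNKNOWN` for any `gem` call whose first argument is not a plain string literal, which is exactly the `gem Finder.go!` case: the expression is seen as a method call node and never run. The Gemfile text, the `UNKNOWN` sentinel and the helper names are all constructed here as assumptions.

```ruby
require "ripper"

# Constructed sample Gemfile (not from any real project). It exercises the
# cases raised in the thread: plain and parenthesised calls, a group block,
# a begin/rescue wrapper, and a gem whose name is computed at runtime.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 7.0"
  gem("nokogiri", ">= 1.13")

  group :test do
    gem "rspec"
  end

  begin
    gem "optional_dep"
  rescue LoadError
  end

  gem Finder.go!   # not a literal: the parser sees a call node, nothing executes
GEMFILE

# Assumed sentinel for "we could not statically determine the name".
UNKNOWN = "UNKNOWN".freeze

# Parse Gemfile source into a Ripper S-expression. Ripper.sexp returns nil
# on a syntax error, and never evaluates the code it parses.
def parse_gemfile(src)
  Ripper.sexp(src)
end

# Given the argument node of a call, return the first argument if it is a
# plain (non-interpolated, non-empty) string literal, otherwise UNKNOWN.
def first_arg_literal(args_node)
  # gem("x") wraps the args in :arg_paren; gem "x" does not.
  args_node = args_node[1] if args_node.is_a?(Array) && args_node[0] == :arg_paren
  return UNKNOWN unless args_node.is_a?(Array) && args_node[0] == :args_add_block

  first = args_node[1].first
  return UNKNOWN unless first.is_a?(Array) && first[0] == :string_literal

  # [:string_literal, [:string_content, [:@tstring_content, "rails", [line, col]]]]
  parts = first[1].drop(1)
  return UNKNOWN unless parts.size == 1 && parts[0][0] == :@tstring_content

  parts[0][1]
end

# Depth-first walk over the S-expression collecting the name given to every
# `gem` call. Nesting (group blocks, begin/rescue, conditionals) is handled
# naturally because every child array is visited.
def extract_gem_names(sexp)
  names = []
  walk = lambda do |node|
    return unless node.is_a?(Array)

    case node[0]
    when :command
      # gem "name", "version"
      callee = node[1]
      names << first_arg_literal(node[2]) if callee[0] == :@ident && callee[1] == "gem"
    when :method_add_arg
      # gem("name", "version")
      callee = node[1]
      if callee[0] == :fcall && callee[1][0] == :@ident && callee[1][1] == "gem"
        names << first_arg_literal(node[2])
      end
    end

    node.each { |child| walk.call(child) }
  end
  walk.call(sexp)
  names
end

# Convenience wrapper: nil means "could not parse", otherwise the list of
# names with UNKNOWN standing in for anything non-literal.
def gem_names_from_source(src)
  sexp = parse_gemfile(src)
  return nil if sexp.nil?

  extract_gem_names(sexp)
end

if __FILE__ == $PROGRAM_NAME
  p gem_names_from_source(SAMPLE_GEMFILE)
  # ["rails", "nokogiri", "rspec", "optional_dep", "UNKNOWN"]
end
```

Because the input is only ever parsed, a Gemfile is treated as untrusted data rather than as code, which is the property a hosted version of the tool would need. The cost is the one the thread predicts: anything that is not a literal (a variable, a computed name, a `gem` call wrapped in a custom helper) comes back as UNKNOWN instead of resolving, so the caller has to decide how much of that it is willing to live with.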