From 31d0eeeaec6e6745fc831ea2da53c9db83d72602 Mon Sep 17 00:00:00 2001
From: Josh Cooper
Date: Thu, 28 Jun 2018 11:16:45 -0700
Subject: Don't eval strings
Previously we were using eval to convert stringified arrays from the manifest into a ruby array. Use JSON instead, and ensure values are double quoted as required by JSON.
---
 lib/puppet/provider/augeas/augeas.rb | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'lib/puppet')
diff --git a/lib/puppet/provider/augeas/augeas.rb b/lib/puppet/provider/augeas/augeas.rb
index 17879d3..05183e5 100644
--- a/lib/puppet/provider/augeas/augeas.rb
+++ b/lib/puppet/provider/augeas/augeas.rb
@@ -18,6 +18,7 @@ require 'strscan'
 require 'puppet/util'
 require 'puppet/util/diff'
 require 'puppet/util/package'
+require 'json'
 Puppet::Type.type(:augeas).provide(:augeas) do
 include Puppet::Util
@@ -280,7 +281,7 @@ Puppet::Type.type(:augeas).provide(:augeas) do
 when '=='
 begin
 arg = clause_array.shift
- new_array = eval arg
+ new_array = to_array(arg)
 return_value = (values == new_array)
 rescue
 fail(_('Invalid array in command: %{cmd}') % { cmd: cmd_array.join(' ') })
@@ -288,7 +289,7 @@ Puppet::Type.type(:augeas).provide(:augeas) do
 when '!='
 begin
 arg = clause_array.shift
- new_array = eval arg
+ new_array = to_array(arg)
 return_value = (values != new_array)
 rescue
 fail(_('Invalid array in command: %{cmd}') % { cmd: cmd_array.join(' ') })
@@ -336,7 +337,7 @@ Puppet::Type.type(:augeas).provide(:augeas) do
 when '=='
 begin
 arg = clause_array.shift
- new_array = eval arg
+ new_array = to_array(arg)
 return_value = (result == new_array)
 rescue
 fail(_('Invalid array in command: %{cmd}') % { cmd: cmd_array.join(' ') })
@@ -344,7 +345,7 @@ Puppet::Type.type(:augeas).provide(:augeas) do
 when '!='
 begin
 arg = clause_array.shift
- new_array = eval arg
+ new_array = to_array(arg)
 return_value = (result != new_array)
 rescue
 fail(_('Invalid array in command: %{cmd}') % { cmd: cmd_array.join(' ') })
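Review bot: In the `==` branch at @@ -280 (and identically at @@ -288, @@ -336 and @@ -344) the bare `rescue` now also swallows the JSON parse error, so an operand that was valid Ruby under `eval` but is not valid JSON after the quote rewriting fails with only "Invalid array in command". Since the accepted syntax has narrowed, the message should say what is expected, for example `fail(_('Invalid array in command: %{cmd} (expected a JSON-style array)') % { cmd: cmd_array.join(' ') })`. The diffstat shows only the provider file changed, so a spec covering a single-quoted array, a double-quoted array and a malformed operand would pin the new behaviour. The enclosing methods start and end outside these hunks.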
@@ -571,4 +572,9 @@ Puppet::Type.type(:augeas).provide(:augeas) do
 end
 end
 # rubocop:enable Style/GuardClause
+
+ def to_array(string)
+ JSON.parse(string.tr("'", '"'))
+ end
+ private :to_array
 end
-- 
cgit v1.2.3
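Review bot: `to_array` rewrites every apostrophe in the operand with `tr("'", '"')`, including ones inside a value, so an operand such as `["it's"]` becomes `["it"s"]` and is rejected although `eval` accepted it. That limitation deserves a comment above the method, or a conversion that only touches the delimiting quotes. The result is also never checked to be an Array: a JSON object parses to a Hash, which presumably never equals the matched values, so a `!=` clause would evaluate true instead of reporting an invalid array. Assign the parse result to a local and add `raise ArgumentError, 'expected an array' unless parsed.is_a?(Array)` before returning it; the callers' existing `rescue` then turns that into the "Invalid array in command" failure.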