Add a Sensitive datatype that does nothing #247
Conversation
There was a problem hiding this comment.
To be useful, it at least needs to prevent throwing an error on such erb call:
auth.ldap.bindpw: <%= @ldap_pwd.unwrap %>
This does not work:
modified ruby/hrubyerb.rb
@@ -48,6 +48,11 @@ class Scope
vl('~g~e~t_h~a~s~h~')
end
+ def function_unwrap(args)
+ put '~u~n~w_r~a~p~'
+ args
+ end
+
def function_to_yaml(args)
args.to_yaml
end
@@ -117,4 +122,3 @@ class Controller
nerb.result(binding.get_binding)
end
end
-
Any idea ?
| DTScalar -> datatypeMatch (DTVariant (DTInteger Nothing Nothing :| [DTString Nothing Nothing, DTBoolean])) v | ||
| DTData -> datatypeMatch (DTVariant (DTScalar :| [DTArray DTData 0 Nothing, DTHash DTScalar DTData 0 Nothing])) v | ||
| DTOptional sdt -> datatypeMatch (DTVariant (DTUndef :| [sdt])) v | ||
| DTSensitive sdt -> datatypeMatch (DTVariant (DTUndef :| [sdt])) v |
There was a problem hiding this comment.
I do not think this is alright. If you want it to work "right", you should create a new datatype for the interpreter, and it should only match that.
It seems impossible to validate it properly without adding special logic. Indeed, it says:
The Sensitive type is parameterized, but the parameterized type (the type of the value it contains) only retains the basic type, but sensitive information about the length or details about the contained data value can be leaked.
There was a problem hiding this comment.
You can write a ruby to haskell binding so that it can call unwrap.
There was a problem hiding this comment.
Where do I write such binding ?
There was a problem hiding this comment.
probably in the Puppet.Runner.Erb module. Look at how the varlookup function is exported to the ruby runtime
PierreR
force-pushed
the
master
branch
2 times, most recently
from
f7eb243 to
e89c7b6
Compare
2 participants
First step for #245