-
-
Notifications
You must be signed in to change notification settings - Fork 254
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for non-Python post-write hooks #1275
Comments
OK. I see the use case here, though I wish "ruff" was better integrated in Python (for example, it can't run flake8 plugins, which is why I cant use it). But since this has "path to executable" and "exec" in it, convince me nobody is going to report CVEs against this - let's be creative. What are they going to come up with ? "someone writes a program that generates alembic configs on the fly" - that would be silly. There are folks who literally do code searches looking for "exec" and "eval" calls in code so they can post frivolous CVEs. Just got an almost CVE the other day because someone was using a traceback tool that dumped all the variables in each frame in the traceback into the logs - so what happens when their database wont connect? the "password" variable is in the stackframe, yes it's cleartext because we have to send it to Sorry for the rant! This has to be watertight against CVEs. |
Ruff does support lots of popular plugins' tests out of the box, but they're all ported to Rust for speed, as it's one of its main goals. I do appreciate the concern about CVEs, but I'm really not in a position to do a proper full security audit of a feature like that. I just figured that if I'm asking for a feature it's only fair to offer an implementation, but I definitely don't have the credentials to take responsibility for any CVEs found there. |
OK now that it's a new day let me restate what i mean. I was not asking you to take responsibility for CVEs found later - if I was, then we can just merge this and CVEs would be on you to fix :) . Instead, by contributing this code to Alembic, it will be on me to respond to CVEs. Once we merge this, while we appreciate more help from you if needed, technically you'd be done :). So what I am asking is this. verbiage in response to this dialogue: Interviewer: So what's your code contribution? Now it seems like I just answered my own question, which I did, however, since I have not been close to this code in some years I'm looking for a quick "what am I missing?" on that response. cc @CaselIT can you take a look? |
The change seem mostly ok. Regarding possibility for cve, I'm not sure it's any worse that what we have now, since console script already uses |
I can see how my PR expands the security scope by introducing arbitrary execution — the existing |
right, things like that. I think we should just document examples here like "/path/to/ruff" and also make sure in the test suite that's in #1276 we test an absolute path to the executable works |
I've added a unit test and documentation to the PR |
Mihail Milushev has proposed a fix for this issue in the main branch: Implement new |
1 similar comment
Mihail Milushev has proposed a fix for this issue in the main branch: Implement new |
Describe the bug
I'm using Ruff to lint and reformat my code, and I'm trying to get it working as a post-write hook in Alembic, but Ruff is actually written in Rust and is installed as a compiled binary, so it isn't included in
importlib
metadata as a console-scripts entrypoint, and Alembic throws an "Could not find entrypoint console_scripts.ruff" error.Expected behavior
There should be an out of the box write hook runner that can execute arbitrary binaries, and not just the
console-scripts
runner that only supports Python modules' entrypoints.To Reproduce
Install Ruff:
Confirm that the
ruff
binary is in path and can be executed:In
alembic.ini
:Error
Versions.
Additional context
Have a nice day!
The text was updated successfully, but these errors were encountered: