Merge pull request #286 from chef/security-fixes-to-release5

ashiqueps · web-flow · commit 47ef3adbb22a · 2025-05-08T14:51:23.000Z
Security fixes
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
@@ -1,4 +1,6 @@
 name: SonarQube scan
+permissions:
+  contents: read
 on:
   # Trigger analysis when pushing to your main branches, and when creating a pull request.
   push:
diff --git a/lib/chef-cli/policyfile/comparison_base.rb b/lib/chef-cli/policyfile/comparison_base.rb
@@ -43,7 +43,7 @@ def lock
           raise LockfileNotFound, "Expected lockfile at #{policyfile_lock_relpath} does not exist" unless File.exist?(policyfile_lock_relpath)
           raise LockfileNotFound, "Expected lockfile at #{policyfile_lock_relpath} cannot be read" unless File.readable?(policyfile_lock_relpath)
 
-          FFI_Yajl::Parser.parse(IO.read(policyfile_lock_relpath))
+          FFI_Yajl::Parser.parse(File.read(policyfile_lock_relpath))
         rescue FFI_Yajl::ParseError => e
           raise MalformedLockfile, "Invalid JSON in lockfile at #{policyfile_lock_relpath}:\n  #{e.message}"
         end
diff --git a/lib/chef-cli/policyfile/local_lock_fetcher.rb b/lib/chef-cli/policyfile/local_lock_fetcher.rb
@@ -102,7 +102,7 @@ def transform_path(path_to_transform)
       end
 
       def content
-        IO.read(path)
+        File.read(path)
       end
 
       def path
diff --git a/lib/chef-cli/policyfile/undo_stack.rb b/lib/chef-cli/policyfile/undo_stack.rb
@@ -109,7 +109,7 @@ def undo_file_for(id)
       end
 
       def load_undo_record(file)
-        data = FFI_Yajl::Parser.parse(IO.read(file))
+        data = FFI_Yajl::Parser.parse(File.read(file))
         UndoRecord.new.load(data)
       end
 
diff --git a/lib/chef-cli/policyfile_lock.rb b/lib/chef-cli/policyfile_lock.rb
@@ -64,7 +64,7 @@ def cookbook_version_width
       end
     end
 
-    RUN_LIST_ITEM_FORMAT = /\Arecipe\[[^\s]+::[^\s]+\]\Z/
+    RUN_LIST_ITEM_FORMAT = /\Arecipe\[([^:\s][^:\s]{0,254})::([^:\s][^:\s]{0,254})\]\Z/
 
     def self.build(storage_config)
       lock = new(storage_config)
diff --git a/lib/chef-cli/policyfile_services/export_repo.rb b/lib/chef-cli/policyfile_services/export_repo.rb
@@ -78,7 +78,7 @@ def run
       end
 
       def policy_data
-        @policy_data ||= FFI_Yajl::Parser.parse(IO.read(policyfile_lock_expanded_path))
+        @policy_data ||= FFI_Yajl::Parser.parse(File.read(policyfile_lock_expanded_path))
       rescue => error
         raise PolicyfileExportRepoError.new("Error reading lockfile #{policyfile_lock_expanded_path}", error)
       end
diff --git a/lib/chef-cli/policyfile_services/install.rb b/lib/chef-cli/policyfile_services/install.rb
@@ -69,7 +69,7 @@ def run(cookbooks_to_update = [], exclude_deps = false)
       end
 
       def policyfile_content
-        @policyfile_content ||= IO.read(policyfile_expanded_path)
+        @policyfile_content ||= File.read(policyfile_expanded_path)
       end
 
       def policyfile_compiler
@@ -81,7 +81,7 @@ def expanded_run_list
       end
 
       def policyfile_lock_content
-        @policyfile_lock_content ||= IO.read(policyfile_lock_expanded_path) if File.exist?(policyfile_lock_expanded_path)
+        @policyfile_lock_content ||= File.read(policyfile_lock_expanded_path) if File.exist?(policyfile_lock_expanded_path)
       end
 
       def policyfile_lock
diff --git a/lib/chef-cli/policyfile_services/push.rb b/lib/chef-cli/policyfile_services/push.rb
@@ -57,7 +57,7 @@ def http_client
       end
 
       def policy_data
-        @policy_data ||= FFI_Yajl::Parser.parse(IO.read(policyfile_lock_expanded_path))
+        @policy_data ||= FFI_Yajl::Parser.parse(File.read(policyfile_lock_expanded_path))
       rescue => error
         raise PolicyfilePushError.new("Error reading lockfile #{policyfile_lock_expanded_path}", error)
       end
diff --git a/lib/chef-cli/policyfile_services/push_archive.rb b/lib/chef-cli/policyfile_services/push_archive.rb
@@ -120,7 +120,7 @@ def read_policyfile_lock(staging_dir)
       end
 
       def load_policy_data(policyfile_lock_path)
-        FFI_Yajl::Parser.parse(IO.read(policyfile_lock_path))
+        FFI_Yajl::Parser.parse(File.read(policyfile_lock_path))
       end
 
       def stage_unpacked_archive
diff --git a/lib/chef-cli/policyfile_services/update_attributes.rb b/lib/chef-cli/policyfile_services/update_attributes.rb
@@ -74,15 +74,15 @@ def updated_lock?
       end
 
       def policyfile_content
-        @policyfile_content ||= IO.read(policyfile_expanded_path)
+        @policyfile_content ||= File.read(policyfile_expanded_path)
       end
 
       def policyfile_compiler
         @policyfile_compiler ||= ChefCLI::PolicyfileCompiler.evaluate(policyfile_content, policyfile_expanded_path, ui:, chef_config:)
       end
 
       def policyfile_lock_content
-        @policyfile_lock_content ||= IO.read(policyfile_lock_expanded_path)
+        @policyfile_lock_content ||= File.read(policyfile_lock_expanded_path)
       end
 
       def policyfile_lock
diff --git a/lib/chef-cli/skeletons/code_generator/recipes/cookbook_file.rb b/lib/chef-cli/skeletons/code_generator/recipes/cookbook_file.rb
@@ -13,7 +13,7 @@
 if context.content_source
 
   file cookbook_file_path do
-    content(IO.read(context.content_source))
+    content(File.read(context.content_source))
   end
 
 else
diff --git a/lib/chef-cli/skeletons/code_generator/recipes/template.rb b/lib/chef-cli/skeletons/code_generator/recipes/template.rb
@@ -18,7 +18,7 @@
 if context.content_source
 
   file template_path do
-    content(IO.read(context.content_source))
+    content(File.read(context.content_source))
   end
 
 else
diff --git a/spec/shared/custom_generator_cookbook.rb b/spec/shared/custom_generator_cookbook.rb
@@ -107,7 +107,7 @@
         FileUtils.cp_r(default_generator_cookbook_path, generator_cookbook_path)
 
         # have to update metadata with the correct name
-        IO.binwrite(metadata_file, "name 'a_generator_cookbook'")
+        File.binwrite(metadata_file, "name 'a_generator_cookbook'")
       end
 
       it "creates the new files" do
diff --git a/spec/unit/command/generator_commands/cookbook_spec.rb b/spec/unit/command/generator_commands/cookbook_spec.rb
@@ -292,7 +292,7 @@ def with_argv(argv)
           let(:file) { File.join(tempdir, "new_cookbook", "kitchen.yml") }
 
           it "creates a kitchen.yml with the expected content" do
-            expect(IO.read(file)).to eq(expected_kitchen_yml_content)
+            expect(File.read(file)).to eq(expected_kitchen_yml_content)
           end
 
         end
@@ -323,7 +323,7 @@ def with_argv(argv)
         let(:file) { File.join(tempdir, "new_cookbook", "spec", "spec_helper.rb") }
 
         it "creates a spec/spec_helper.rb for ChefSpec with the expected content" do
-          expect(IO.read(file)).to eq(expected_chefspec_spec_helper_content)
+          expect(File.read(file)).to eq(expected_chefspec_spec_helper_content)
         end
 
       end
@@ -367,7 +367,7 @@ def with_argv(argv)
         end
 
         it "has a run_list and cookbook path that will work out of the box" do
-          expect(IO.read(file)).to eq(expected_content)
+          expect(File.read(file)).to eq(expected_content)
         end
 
       end
@@ -475,8 +475,8 @@ def with_argv(argv)
         end
 
         it "has a default.yml file with template contents" do
-          expect(IO.read(file)).to match(expected_content_header)
-          expect(IO.read(file)).to match(expected_content)
+          expect(File.read(file)).to match(expected_content_header)
+          expect(File.read(file)).to match(expected_content)
         end
 
       end
@@ -507,7 +507,7 @@ def with_argv(argv)
         end
 
         it "pulls deps from metadata" do
-          expect(IO.read(file)).to eq(expected_content)
+          expect(File.read(file)).to eq(expected_content)
         end
 
       end
diff --git a/spec/unit/command/generator_commands/generator_generator_spec.rb b/spec/unit/command/generator_commands/generator_generator_spec.rb
@@ -179,7 +179,7 @@ def actual_files(base_path)
         generator_generator.run
 
         metadata_path = File.join(target_dir, "metadata.rb")
-        metadata_content = IO.read(metadata_path)
+        metadata_content = File.read(metadata_path)
         expected_metadata = <<~METADATA
           name             File.basename(File.dirname(__FILE__))
           description      'Custom code generator cookbook for use with #{ChefCLI::Dist::PRODUCT}'
diff --git a/spec/unit/command/generator_commands/policyfile_spec.rb b/spec/unit/command/generator_commands/policyfile_spec.rb
@@ -174,7 +174,7 @@ def generator_context
       end
 
       it "adds chef_repo as a default source and uses argv for the policy name" do
-        expect(IO.read(expected_policyfile_path)).to eq(expected_policyfile_content)
+        expect(File.read(expected_policyfile_path)).to eq(expected_policyfile_content)
       end
 
     end
@@ -200,7 +200,7 @@ def generator_context
       end
 
       it "adds chef_repo as a default source" do
-        expect(IO.read(expected_policyfile_path)).to eq(expected_policyfile_content)
+        expect(File.read(expected_policyfile_path)).to eq(expected_policyfile_content)
       end
 
     end
diff --git a/spec/unit/policyfile/artifactory_cookbook_source_spec.rb b/spec/unit/policyfile/artifactory_cookbook_source_spec.rb
@@ -27,9 +27,9 @@
 
   let(:http_connection) { double("Chef::HTTP::Simple") }
 
-  let(:universe_response_encoded) { IO.read(File.join(fixtures_path, "cookbooks_api/small_universe.json")) }
+  let(:universe_response_encoded) { File.read(File.join(fixtures_path, "cookbooks_api/small_universe.json")) }
 
-  let(:pruned_universe) { JSON.parse(IO.read(File.join(fixtures_path, "cookbooks_api/pruned_small_universe.json"))) }
+  let(:pruned_universe) { JSON.parse(File.read(File.join(fixtures_path, "cookbooks_api/pruned_small_universe.json"))) }
 
   describe "fetching the Universe graph" do
 
diff --git a/spec/unit/policyfile/chef_server_cookbook_source_spec.rb b/spec/unit/policyfile/chef_server_cookbook_source_spec.rb
@@ -25,9 +25,9 @@
 
   let(:http_connection) { double("Chef::ServerAPI") }
 
-  let(:universe_response_encoded) { JSON.parse(IO.read(File.join(fixtures_path, "cookbooks_api/chef_server_universe.json"))) }
+  let(:universe_response_encoded) { JSON.parse(File.read(File.join(fixtures_path, "cookbooks_api/chef_server_universe.json"))) }
 
-  let(:pruned_universe) { JSON.parse(IO.read(File.join(fixtures_path, "cookbooks_api/pruned_chef_server_universe.json"))) }
+  let(:pruned_universe) { JSON.parse(File.read(File.join(fixtures_path, "cookbooks_api/pruned_chef_server_universe.json"))) }
 
   describe "fetching the Universe graph" do
 
diff --git a/spec/unit/policyfile/community_cookbook_source_spec.rb b/spec/unit/policyfile/community_cookbook_source_spec.rb
@@ -26,9 +26,9 @@
 
   let(:http_connection) { double("Chef::HTTP::Simple") }
 
-  let(:universe_response_encoded) { IO.read(File.join(fixtures_path, "cookbooks_api/small_universe.json")) }
+  let(:universe_response_encoded) { File.read(File.join(fixtures_path, "cookbooks_api/small_universe.json")) }
 
-  let(:pruned_universe) { JSON.parse(IO.read(File.join(fixtures_path, "cookbooks_api/pruned_small_universe.json"))) }
+  let(:pruned_universe) { JSON.parse(File.read(File.join(fixtures_path, "cookbooks_api/pruned_small_universe.json"))) }
 
   it "defaults to using the public supermarket over HTTPS" do
     expect(cookbook_source.uri).to eq(default_community_uri)
diff --git a/spec/unit/policyfile/delivery_supermarket_source_spec.rb b/spec/unit/policyfile/delivery_supermarket_source_spec.rb
@@ -26,7 +26,7 @@
 
   let(:http_connection) { double("Chef::HTTP::Simple") }
 
-  let(:universe_response_encoded) { IO.read(File.join(fixtures_path, "cookbooks_api/small_universe.json")) }
+  let(:universe_response_encoded) { File.read(File.join(fixtures_path, "cookbooks_api/small_universe.json")) }
 
   let(:truncated_universe) do
     {
diff --git a/spec/unit/policyfile/undo_stack_spec.rb b/spec/unit/policyfile/undo_stack_spec.rb
@@ -97,7 +97,7 @@ def undo_stack_files
       it "creates the undo record" do
         expect(undo_stack_files.size).to eq(1)
 
-        undo_record_json = IO.read(undo_stack_files.first)
+        undo_record_json = File.read(undo_stack_files.first)
         undo_record_data = FFI_Yajl::Parser.parse(undo_record_json)
         expect(undo_record_data).to eq(undo_record.for_serialization)
       end
diff --git a/spec/unit/policyfile_lock_build_spec.rb b/spec/unit/policyfile_lock_build_spec.rb
@@ -867,6 +867,24 @@ def expect_hash_equal(actual, expected)
 
   end
 
+  context "with invalid run list items" do
+    it "detects invalid format in run list items with extra colons" do
+      expect("recipe[cookbook:default::invalid]").not_to match(ChefCLI::PolicyfileLock::RUN_LIST_ITEM_FORMAT)
+    end
+
+    it "detects invalid format when a run list item has no cookbook name" do
+      expect("recipe[::recipe_name]").not_to match(ChefCLI::PolicyfileLock::RUN_LIST_ITEM_FORMAT)
+    end
+
+    it "detects invalid format when a run list item has no recipe name" do
+      expect("recipe[cookbook::]").not_to match(ChefCLI::PolicyfileLock::RUN_LIST_ITEM_FORMAT)
+    end
+
+    it "validates proper recipe format correctly" do
+      expect("recipe[cookbook::recipe_name]").to match(ChefCLI::PolicyfileLock::RUN_LIST_ITEM_FORMAT)
+    end
+  end
+
   describe "building a policyfile lock from a policyfile compiler" do
 
     include_context "setup git cookbooks"
diff --git a/spec/unit/policyfile_lock_validation_spec.rb b/spec/unit/policyfile_lock_validation_spec.rb
@@ -124,7 +124,7 @@ def ensure_metadata_as_expected!
         version          '2.3.4'
 
       E
-      expect(IO.read(metadata_path)).to eq(expected_metadata_rb)
+      expect(File.read(metadata_path)).to eq(expected_metadata_rb)
     end
 
     context "when the cookbook is missing" do
@@ -551,7 +551,7 @@ def ensure_metadata_as_expected!
         version          '1.0.0'
 
       E
-      expect(IO.read(metadata_path)).to eq(expected_metadata_rb)
+      expect(File.read(metadata_path)).to eq(expected_metadata_rb)
     end
 
     context "when the cookbook missing" do
diff --git a/spec/unit/policyfile_services/export_repo_spec.rb b/spec/unit/policyfile_services/export_repo_spec.rb
@@ -239,19 +239,19 @@
           # shell out to git for the version number, etc.
           it "writes metadata.json in the exported cookbook, removing metadata.rb" do
             metadata_json_path = File.join(exported_cookbook_root, "metadata.json")
-            metadata_json = FFI_Yajl::Parser.parse(IO.read(metadata_json_path))
+            metadata_json = FFI_Yajl::Parser.parse(File.read(metadata_json_path))
             expect(metadata_json["version"]).to eq("2.3.4")
           end
 
           it "copies the policyfile lock to policies/POLICY_NAME.json" do
             exported_policy_path = File.join(export_dir, "policies", "install-example-#{revision_id}.json")
-            exported_policy_json = IO.read(exported_policy_path)
+            exported_policy_json = File.read(exported_policy_path)
             expect(exported_policy_json).to eq(FFI_Yajl::Encoder.encode(export_service.policyfile_lock.to_lock, pretty: true))
           end
 
           it "creates a policy_group file for the local policy group with the revision id of the exported policy" do
             exported_policy_group_path = File.join(export_dir, "policy_groups", "local.json")
-            exported_policy_group_data = FFI_Yajl::Parser.parse(IO.read(exported_policy_group_path))
+            exported_policy_group_data = FFI_Yajl::Parser.parse(File.read(exported_policy_group_path))
 
             expected_data = { "policies" => { "install-example" => { "revision_id" => revision_id } } }
 
@@ -260,7 +260,7 @@
 
           it "copies the policyfile lock in standard format to Policyfile.lock.json" do
             policyfile_lock_path = File.join(export_dir, "Policyfile.lock.json")
-            policyfile_lock_data = FFI_Yajl::Parser.parse(IO.read(policyfile_lock_path))
+            policyfile_lock_data = FFI_Yajl::Parser.parse(File.read(policyfile_lock_path))
             expected_lock_data = export_service.policyfile_lock.to_lock
 
             # stringify keys in source_options
@@ -301,7 +301,7 @@
             CONFIG
             config_path = File.join(export_dir, ".chef", "config.rb")
             expect(File).to exist(config_path)
-            expect(IO.read(config_path)).to eq(expected_config_text)
+            expect(File.read(config_path)).to eq(expected_config_text)
           end
 
           it "generates a README.md in the exported repo" do
@@ -313,7 +313,7 @@
             let(:policy_group) { "production" }
             it "creates a policy_group file for a specified policy group with the revision id of the exported policy" do
               exported_policy_group_path = File.join(export_dir, "policy_groups", "production.json")
-              exported_policy_group_data = FFI_Yajl::Parser.parse(IO.read(exported_policy_group_path))
+              exported_policy_group_data = FFI_Yajl::Parser.parse(File.read(exported_policy_group_path))
 
               expected_data = { "policies" => { "install-example" => { "revision_id" => revision_id } } }
 
@@ -351,7 +351,7 @@
               CONFIG
               config_path = File.join(export_dir, ".chef", "config.rb")
               expect(File).to exist(config_path)
-              expect(IO.read(config_path)).to eq(expected_config_text)
+              expect(File.read(config_path)).to eq(expected_config_text)
             end
           end
 
diff --git a/spec/unit/policyfile_services/install_spec.rb b/spec/unit/policyfile_services/install_spec.rb
@@ -68,7 +68,7 @@
 
   def result_policyfile_lock
     expect(File).to exist(policyfile_lock_path)
-    content = IO.read(policyfile_lock_path)
+    content = File.read(policyfile_lock_path)
     lock_data = FFI_Yajl::Parser.parse(content)
     ChefCLI::PolicyfileLock.new(storage_config).build_from_lock_data(lock_data)
   end
diff --git a/spec/unit/policyfile_services/update_attributes_spec.rb b/spec/unit/policyfile_services/update_attributes_spec.rb
@@ -151,7 +151,7 @@
 
     def result_policyfile_lock_data
       expect(File).to exist(policyfile_lock_path)
-      content = IO.read(policyfile_lock_path)
+      content = File.read(policyfile_lock_path)
       FFI_Yajl::Parser.parse(content)
     end
 
