CONT-234 Create MVP

This PR is an MVP and gets the current minimal set of tests passing.

- modified Craig's tests to include a test for no problems
- added a check which gets the tests passing. ie the check:
  - identifies exec resources
  - then it identifies any commands (command, onlyif and unless) in the exec
  - it parses the command statement and checks for any input variables
  - if so it raises an warning
- removed dependabot for now

TODO:
- this is an MVP so more functionality needs to be added on top
- will add extra checks on commands for various instances of unsanitised input

Author: GSPatton

.github/dependabot.yml

@@ -5,6 +5,8 @@ RSpec::Core::RakeTask.new(:spec) do |t|
   t.exclude_pattern = "spec/acceptance/**/*.rb"
 end
 
+task default: :spec
+
 begin
   require 'github_changelog_generator/task'
 

Rakefile

@@ -0,0 +1,46 @@
+PuppetLint.new_check(:check_unsafe_interpolations) do
+  COMMANDS = Set['command', 'onlyif', 'unless']
+  def check
+    exec = false
+
+    # Look for exec blocks
+    tokens.select { |token| check_exec?(token) }.each do |token|
+      exec = true
+    end
+
+    # Look for commands in exec blocks
+    tokens.select { |token| exec && check_command?(token) }.each do |token|
+      
+      # Loop over exec command to find command statement
+      while token.type != :NEWLINE
+
+        # Check if command contains an input variable
+        if token.type == :VARIABLE
+
+          # Raise warning since input variable is unsanitised
+          warning_message = "unsafe interpolation of variable '#{token.value}' in exec command"
+          notify_warning(token, warning_message)
+          break
+        end
+
+        token = token.next_token
+      end
+    end
+  end
+
+  def check_exec?(token)
+    return true if token.value == 'exec'
+    return false
+  end
+
+  def check_command?(token)
+    return true if COMMANDS.include?(token.value)
+    return false
+  end
+
+  def notify_warning(token, message)
+    notify :warning, message: message,
+                     line: token.line,
+                     column: token.column
+  end
+end

lib/puppet-lint/plugins/check_unsafe_interpolations.rb

@@ -1,20 +1,46 @@
 require 'spec_helper'
 
 describe 'check_unsafe_interpolations' do
-  let(:code) do
-    <<-PUPPET
-    class foo {
+  let(:msg){ "unsafe interpolation of variable 'foo' in exec command" }
+  context 'with fix disabled' do
+    context 'code with unsafe interpolation' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
 
-      exec { 'bar':
-        command => "echo ${foo}",
-      }
+          exec { 'bar':
+            command => "echo ${foo}",
+          }
 
-    }
-    PUPPET
-  end
+        }
+        PUPPET
+      end
+
+      it 'detects an unsafe exec command argument' do
+        expect(problems).to have(1).problems
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg)
+      end
+    end
+
+    context 'code with no problems' do
+      let(:code) do
+        <<-PUPPET
+        class foo {
+
+          exec { 'bar':
+            command => "echo foo",
+          }
+
+        }
+        PUPPET
+      end
 
-  it 'detects an unsafe exec command argument' do
-    expect(problems).to have(1).problem
-    expect(problems).to contain_warning("unsafe interpolation of variable 'foo' in exec command")
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
   end
 end