puppet-lint: check unsafe interpolations plugin
This repository contains a custom check for puppet-lint, used to identify unsafe interpolations within Puppet manifests, specifically within exec
resource blocks. The check focuses on ensuring that dynamic expressions, particularly those that could introduce security vulnerabilities, are flagged and reviewed.
How It Works
-
Exec Resource Gathering: Collects all
exec
resources from the Puppet manifest for further analysis. -
Title Safety Check: Iterates over titles of
exec
resources, checking for variables that might be interpolated unsafely. -
Parameter Inspection: Examines the
command
,onlyif
, andunless
parameters of eachexec
resource, looking for patterns that suggest unsafe interpolations.
Warning
This plugin is designed to flag potentially unsafe interpolations within exec
resource blocks in Puppet manifests. However, in its current state, when it identifies a problem, it may inadvertently cause your CI/CD pipelines to fail. If you use this plugin, it is recommended to review and address flagged issues promptly. Use this plugin under your own risk!
It is also possible to prevent pipeline failures by explicitly disabling PuppetLint.configuration.fail_on_warnings
in your Lint configuration file. However, keep in mind that this will disable failures
for all Lint checks and could potentially result in Lint issues being overlooked in the long run.
Usage
To implement this check, simply add the following line in your Gemfile and run bundle install
:
gem 'puppet-lint-check_unsafe_interpolations'
Development
If you run into an issue with this tool or would like to request a feature you can raise a PR with your suggested changes. Alternatively, you can raise a Github issue with a feature request or to report any bugs. Every other Tuesday the DevX team holds office hours in the Puppet Community Slack, where you can ask questions about this and any other supported tools. This session runs at 15:00 (GMT) for about an hour.