Fix gemspec sanitization bug when heredoc has methods chained onto it #3220
Given a gemspec like this:

```ruby
Spec.new do |s|
  s.version = "0.1.0"
  s.post_install_message = <<~DESCRIPTION.strip.downcase
    My description
  DESCRIPTION
end
```

The sanitized output should look like this:

```ruby
Spec.new do |s|
  s.version = "0.1.0"
  "sanitized"
end
```

But it actually looks like this:

```ruby
Spec.new do |s|
  s.version = "0.1.0"
  "sanitized"
  My description
  DESCRIPTION
end
```

I'll look into a fix for this bug in a follow-up commit.
Looks like this is where we try and do the sanitisation: https://github.com/dependabot/dependabot-core/blob/main/bundler/lib/dependabot/bundler/file_updater/gemspec_sanitizer.rb#L237-L242 haven't worked on this code but would be up for spending a short block on trying to fix it.
Co-authored-by: Philip Harrison <[email protected]>
def find_heredoc_end_range(node) | ||
return unless node.is_a?(Parser::AST::Node) | ||
|
||
node.children.each do |child| | ||
next unless child.is_a?(Parser::AST::Node) | ||
|
||
return child.location.heredoc_end if child.location.respond_to?(:heredoc_end) | ||
|
||
range = find_heredoc_end_range(child) | ||
return range if range | ||
end | ||
|
||
nil | ||
end |
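Review bot: `find_heredoc_end_range` only inspects `node.children` and never `node` itself, so a caller that already holds the heredoc `str`/`dstr` node gets `nil` back instead of its `heredoc_end`. Adding `return node.location.heredoc_end if node.location.respond_to?(:heredoc_end)` before the `each` loop closes that gap and also lets the loop body shrink to a single recursive call per child, which addresses the readability concern raised below. Note also that the depth-first walk returns the first heredoc it meets, so a node with several heredoc descendants only ever yields the first one; worth a comment if that is the intended contract.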
We (@feelepxyz and I) suspect that there's a more readable way to implement this. We explored a few options, but the other options were a bit harder to follow in our opinion. So, if you have ideas for an alternative implementation that would be easier to read/maintain, definitely let us know. 🙇
Just merged #3229 👌
On Thu, 4 Mar 2021 at 18:07, Jason Rudolph ***@***.***> wrote:
> The npm_and_yarn CI job is failing due to a flaky test. That flaky test is fixed in #3229. Once #3229 is merged, I'll merge main into this branch, and that should give us a green build.
When dependabot is processing a gemspec, it performs some sanitization of the gemspec's content. In most situations, it handles a heredoc by replacing the heredoc's content as seen in this test.
Given a gemspec like this:
The sanitized output should look like this:
That's the current behavior, and it meets our needs. However, if the heredoc has methods chained onto it, the sanitization currently produces invalid Ruby code.
Given a gemspec like this:
We should get the same sanitized output that we got in the previous example, but we currently get the following output instead:
Later on in the dependabot-core workflow, when we ask bundler to evaluate the sanitized gemspec, it fails with a parser error because the output above is invalid Ruby code.
TODO
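As an added example (not dependabot-core's own code, which works on a Parser AST), the following line-based approximation shows the bug this PR describes and its fix side by side: `naive_heredoc_tag` only recognises a heredoc when nothing follows the tag on the line (the pre-fix behaviour), while `chain_aware_heredoc_tag` finds the tag even with `.strip.downcase` chained onto it, so the body and terminator are dropped. All function names and the sample gemspec are constructed for this illustration.

```ruby
# Constructed, line-based stand-in for the sanitizer (not dependabot-core's
# Parser-AST code). It shows why the heredoc *terminator* must be found even
# when methods are chained onto the heredoc.
HEREDOC_START = /<<([~-]?)(["'`]?)([A-Za-z_]\w*)\2/

# Pre-fix analog: a heredoc is recognised only when nothing follows its tag.
def naive_heredoc_tag(line)
  m = line.match(/#{HEREDOC_START}\s*\z/)
  m && m[3]
end

# Post-fix analog of find_heredoc_end_range: any method chain after the tag is ignored.
def chain_aware_heredoc_tag(line)
  m = line.match(HEREDOC_START)
  m && m[3]
end

# Replace each `post_install_message = ...` statement with "sanitized"; when the
# value is a heredoc, drop its body up to and including the terminator line.
def sanitize_post_install_message(source, tag_finder: method(:chain_aware_heredoc_tag))
  lines = source.lines
  out = []
  i = 0
  while i < lines.length
    line = lines[i]
    if line.match?(/\bpost_install_message\s*=/)
      out << "#{line[/\A[ \t]*/]}\"sanitized\"\n"
      if (tag = tag_finder.call(line))
        i += 1
        i += 1 while i < lines.length && lines[i].strip != tag
        raise ArgumentError, "unterminated heredoc #{tag}" if i >= lines.length
      end
    else
      out << line
    end
    i += 1
  end
  out.join
end

# Constructed inputs mirroring the gemspecs in the PR description.
CHAINED_GEMSPEC = <<~GEMSPEC
  Spec.new do |s|
    s.version = "0.1.0"
    s.post_install_message = <<~DESCRIPTION.strip.downcase
      My description
    DESCRIPTION
  end
GEMSPEC
PLAIN_GEMSPEC = CHAINED_GEMSPEC.sub(".strip.downcase", "")
```

Running the naive finder over `CHAINED_GEMSPEC` reproduces the invalid output from the PR (heredoc body and `DESCRIPTION` line left behind); the chain-aware finder yields the expected four-line gemspec for both inputs.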