First, a link to the line of code in question:
https://github.com/apache/whimsy/blob/9b1bd40e277969936f7b8138efb70b0ef28416f6/www/roster/views/committers.html.rb#L28
Questions: is this still necessary, or is it moot given the direction to
make ICLAs private? If necessary, can it be done via an @variable
rather than backticks?
---
Background. Prior to Ruby 2.7, with $SAFE and taint support, one could
detect whether a given string contained unverified user input. Starting
with Ruby 2.7, this became impossible.
Ruby2JS has the ability to evaluate an arbitrary string in the host
context, which could be very unsafe (consider "system rm -rf /"). I
made a change to only allow this if a binding is specified as an option
(not recommended, but possible).
https://github.com/ruby2js/ruby2js/commit/704f1a5c20485414f1831938b0a4364a83fa1538
I did this only after scanning all of the whimsy .js.rb files. What I
missed is that this was used in an html file with an embedded script.
If this is still necessary, I would recommend it be done by evaluating a
host instance variable (@ivar) rather than evaluating an arbitrary
method call.
---
Footnote: if you view source on
https://whimsy.apache.org/roster/committee/whimsy and scroll to the
bottom, you can see instance variables expanded (you will see, for
example, auth with your id).
If, however, you view source on
https://whimsy.apache.org/roster/committer/, you will see icla path
evaluated, but will not see that notinavail expanded (instead you will
see this._notinavail, i.e., evaluation of an instance variable inside of
a JavaScript class). I'm not sure yet what is going on here.
- Sam Ruby
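As an added illustration of the two shapes contrasted in the message above (my own example, not Ruby2JS or Whimsy code, and not what the linked committers.html.rb line does), the first helper evaluates whatever sits between backticks in a template as host Ruby, the second resolves only bare @ivar names against an explicit Hash and emits each value as a JSON literal. Both helpers, the template strings and the sample values are hypothetical and constructed for the example.

```ruby
require 'json'

# Hypothetical helpers contrasting the two approaches; not Ruby2JS or Whimsy code.

# The shape being warned about: anything between backticks in the template is
# handed to eval, so the template (or whatever was interpolated into it) can run
# arbitrary Ruby in the host process.  Included only to make the hazard concrete.
def expand_by_eval(template, host_binding = binding)
  template.gsub(/`([^`]*)`/) do
    expr = Regexp.last_match(1)
    eval(expr, host_binding).to_s
  end
end

# The recommended shape: the template may only name instance variables, the
# values come from an explicit Hash the host chose to expose, and each value is
# emitted as a JSON literal (valid JavaScript) rather than as code.  A name that
# is not in the Hash raises; nothing in the template is ever evaluated.
def expand_ivars(template, ivars)
  template.gsub(/@([A-Za-z_]\w*)/) do
    name = :"@#{Regexp.last_match(1)}"
    raise ArgumentError, "unknown instance variable #{name}" unless ivars.key?(name)
    # JSON leaves "</" alone, so a string value could still close the enclosing
    # <script> element; neutralise that before embedding the literal.
    ivars[name].to_json.gsub('</') { '<\/' }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the only thing the page can reach is the exposed @auth.
  puts expand_ivars('var auth = @auth;', { :@auth => { 'id' => 'rubys' } })
  # Backtick expressions are left as inert text, not run.
  puts expand_ivars('`system("id")`', {})
end
```

The point of the second helper is that the set of values reaching the generated script is fixed by the host before conversion, so the question "does this string contain unverified input?" no longer has to be answered by taint tracking: an unknown name is an error, and a known name's value is data, never code.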