On Tue, 29 Dec 2020 at 19:37, Sam Ruby <ru...@intertwingly.net> wrote:
>
> First, a link to the line of code in question:
>
> https://github.com/apache/whimsy/blob/9b1bd40e277969936f7b8138efb70b0ef28416f6/www/roster/views/committers.html.rb#L28
>
> Questions: is this still necessary, or is it moot given the direction to
> make ICLAs private?

The code can/will probably be removed, but in any case ruby2js ideally should not crash.

> If necessary, can it be done via an @variable
> rather than backticks?
>
> ---
>
> Background. Prior to Ruby 2.7, with $SAFE and taint support, one could
> detect whether a given string contained unverified user input. Starting
> with Ruby 2.7, this became impossible.
>
> Ruby2JS has the ability to evaluate an arbitrary string in the host
> context, which could be very unsafe (consider "system rm -rf /"). I
> made a change to only allow this if a binding is specified as an option
> (not recommended, but possible).
>
> https://github.com/ruby2js/ruby2js/commit/704f1a5c20485414f1831938b0a4364a83fa1538
>
> I did this only after scanning all of the whimsy .js.rb files. What I
> missed is that this was used in an html file with an embedded script.
>
> If this is still necessary, I would recommend it be done by evaluating a
> host instance variable (@ivar) rather than evaluating an arbitrary
> method call.
>
> ---
>
> Footnote: if you view source on
> https://whimsy.apache.org/roster/committee/whimsy and scroll to the
> bottom, you can see instance variables expanded (you will see, for
> example, auth with your id).
> If, however, you view source on
> https://whimsy.apache.org/roster/committer/, you will see icla path
> evaluated, but will not see that notinavail expanded (instead you will
> see this._notinavail, i.e., evaluation of an instance variable inside of
> a JavaScript class). I'm not sure yet what is going on here.
>
> - Sam Ruby
>
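The contrast Sam draws above, between expanding a named host instance variable and evaluating an arbitrary expression (backticks or a method call) in the host context, in a small Ruby illustration. This is an added example, not code from Whimsy or Ruby2JS: the Page class, the `{{@name}}` token syntax, the sample auth hash and ICLA path are all constructed for the demonstration, and the resolver stands in for whatever the real converter does internally.

```ruby
# Added example (not Whimsy or Ruby2JS code). Shows the safer shape the
# thread recommends: a template may reference host instance variables by
# name, and the expander looks them up with instance_variable_get instead
# of handing the template text to eval. Anything that is not a plain
# @ivar reference is refused rather than evaluated.
require 'json'

# The only shape a reference may take: one Ruby instance-variable name.
IVAR_REF = /\A@[a-z_][a-zA-Z0-9_]*\z/

class UnsafeExpansion < StandardError; end

# Resolve one `@name` reference against the host object.
# A method call, backtick command or concatenation fails the regexp and is
# refused; an @ivar the host does not define is refused as well, so a typo
# cannot silently turn into `nil` in the generated script.
def resolve_ivar(host, ref)
  raise UnsafeExpansion, "not an instance variable: #{ref.inspect}" unless IVAR_REF.match?(ref)
  raise UnsafeExpansion, "unknown instance variable: #{ref}" unless host.instance_variable_defined?(ref)
  host.instance_variable_get(ref)
end

# Replace every `{{@name}}` token (constructed syntax) with the JSON encoding
# of the host's instance variable, so the value lands in a <script> as a
# literal rather than as text that a converter might evaluate.
def expand_template(host, template)
  template.gsub(/\{\{\s*(.*?)\s*\}\}/) do
    JSON.generate(resolve_ivar(host, Regexp.last_match(1)))
  end
end

# Constructed host object standing in for a view's self.
class Page
  def initialize(auth, icla_path)
    @auth = auth
    @icla_path = icla_path
  end
end

# Constructed sample values; nothing here comes from a real roster.
def sample_page
  Page.new({ 'id' => 'example-user' }, '/path/to/icla.pdf')
end

if $PROGRAM_NAME == __FILE__
  page = sample_page
  puts expand_template(page, 'var auth = {{@auth}}; var icla = {{@icla_path}};')
  begin
    expand_template(page, 'var when = {{`date`}};')
  rescue UnsafeExpansion => e
    puts "refused: #{e.message}"
  end
end
```

The point of the regexp plus `instance_variable_defined?` pair is that the template author gets exactly one capability, reading a named ivar the host chose to set, and the converter never needs a binding or an eval call at all; a template that tries to smuggle in a method call or a shell command is rejected at expansion time, which is the failure mode Sam's note about "ruby2js ideally should not crash" also argues for (a clear error rather than a crash or a silent evaluation).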