This repository contains a custom check for puppet-lint, used to identify unsafe interpolations within Puppet manifests, specifically within exec resource blocks. The check focuses on ensuring that dynamic expressions, particularly those that could introduce security vulnerabilities, are flagged and reviewed.
- Exec Resource Gathering: Collects all
execresources from the Puppet manifest for further analysis. - Title Safety Check: Iterates over titles of
execresources, checking for variables that might be interpolated unsafely. - Parameter Inspection: Examines the
command,onlyif, andunlessparameters of eachexecresource, looking for patterns that suggest unsafe interpolations.
This plugin is designed to flag potentially unsafe interpolations within exec resource blocks in Puppet manifests. However, in its current state, when it identifies a problem, it may inadvertently cause your CI/CD pipelines to fail. If you use this plugin, it is recommended to review and address flagged issues promptly. Use this plugin under your own risk!
It is also possible to prevent pipeline failures by explicitly disabling PuppetLint.configuration.fail_on_warnings in your Lint configuration file. However, keep in mind that this will disable failures
for all Lint checks and could potentially result in Lint issues being overlooked in the long run.
To implement this check, simply add the following line in your Gemfile and run bundle install:
gem 'puppet-lint-check_unsafe_interpolations'If you run into an issue with this tool or would like to request a feature you can raise a PR with your suggested changes. Alternatively, you can raise a Github issue with a feature request or to report any bugs. Every other Tuesday the DevX team holds office hours in the Puppet Community Slack, where you can ask questions about this and any other supported tools. This session runs at 15:00 (GMT) for about an hour.