[DOC] Enhanced RDoc for FileUtils #78
Conversation
|
@peterzhu2118, as you see, @jeremyevans and I have been working out the ways for this module's documentation. Eventually I will revisit the first ones I did, in order to make them conformant with the later ones. |
lib/fileutils.rb
Outdated
| @@ -949,13 +951,27 @@ def mv(src, dest, force: nil, noop: nil, verbose: nil, secure: nil) | |||
| alias move mv | |||
| module_function :move | |||
|
|
|||
| # Removes entries at the paths given in array +list+; returns +list+. | |||
There was a problem hiding this comment.
list is not necessarily an array, a string is accepted. However, an array is always return. The sentence should be updated to reflect that. Similar for rm_r.
lib/fileutils.rb
Outdated
| # Remove file(s) specified in +list+. This method cannot remove directories. | ||
| # All StandardErrors are ignored when the :force option is set. | ||
| # - <tt>force: true</tt> - attempts to remove files regardless of permissions; | ||
| # ignores raised exceptions of StandardError and its descendants. |
There was a problem hiding this comment.
The previous description
All StandardErrors are ignored when the :force option is set.
is actually more descriptive of the current behavior. Currently the only difference between force: true and force: false is that force: true makes any StandardErrors while trying to remove files be ignored. But if a file is impossible to remove due to permissions, the removal will be attempted regardless of force, and the files won't get removed regardless of force.
For what it's worth, I think this behaviour is harmful, I opened a ruby-core ticket at https://bugs.ruby-lang.org/issues/18784. But unless the behavior is changed, the documentation should explain the current behavior.
lib/fileutils.rb
Outdated
| # Keyword arguments: | ||
| # | ||
| # - <tt>force: true</tt> - attempts to remove entries regardless of permissions; | ||
| # ignores raised exceptions of StandardError and its descendants. |
There was a problem hiding this comment.
Ditto regarding force.
There was a problem hiding this comment.
It doesn't seem fixed, no? The sentence about permissions is still there. You did remove some stuff regarding force in other methods that take care of moving files, but I'm not sure how force behaves there, so I'm not sure if that's correct or not.
lib/fileutils.rb
Outdated
| # May cause a local vulnerability if not called with keyword argument | ||
| # <tt>secure: true</tt>. |
There was a problem hiding this comment.
Can you add a link to the place that explains this vulnerability?
There was a problem hiding this comment.
I'll be reworking all about secure and vulnerabilities, putting it into the doc for the module, and adding links as needed.
lib/fileutils.rb
Outdated
| # {chown(2)}[https://man7.org/linux/man-pages/man2/chown.2.html] | ||
| # and {chmod(2)}[https://man7.org/linux/man-pages/man2/chmod.2.html] | ||
| # in removing directories. | ||
| # - The owner of +path+ should be either the current proces |
There was a problem hiding this comment.
Typo:
| # - The owner of +path+ should be either the current proces | |
| # - The owner of +path+ should be either the current process |
|
@jeremyevans and @peterzhu2118, I'm thinking that the vulnerability/security business should be explained in the medule header so that all can link to it directly. Also, does this vulnerability exist for methods other than those here in FileUtils? |
|
I'm not opposed to moving the warning to the module documentation and linking to it, but that needs to be done in this PR if you want to do that. I'm not sure if this affects other methods. It should only affect recursive methods if it does. |
Understood and agreed. Will work on it. |
lib/fileutils.rb
Outdated
| # - <tt>force: true</tt> - attempts to remove files regardless of permissions; | ||
| # ignores raised exceptions of StandardError and its descendants. |
There was a problem hiding this comment.
I think it was not too clear what I'm suggesting. It's this:
| # - <tt>force: true</tt> - attempts to remove files regardless of permissions; | |
| # ignores raised exceptions of StandardError and its descendants. | |
| # - <tt>force: true</tt> - ignores raised exceptions of StandardError and its descendants. |
|
@jeremyevans and @peterzhu2118, I'll be reworking all about secure and vulnerabilities, putting it into the doc for the module, and adding links as needed. So review of such text here should be deferred. |
|
@jeremyevans, I only meant that you might like to review the other fixes; but fine, I'll ping you when all's ready. |
|
I have added section "Avoiding the TOCTTOU Vulnerability," which is linked from the relevant methods doc. |
There was a problem hiding this comment.
Only a few small changes requested. I'm OK to merge after the changes are made, but please allow a day or two for @peterzhu2118 and @deivid-rodriguez to review and provide feedback.
lib/fileutils.rb
Outdated
| # if the source and destination are on different devices | ||
| # (which means that the "move" is really a copy and remove): | ||
| # | ||
| # - FileUtils.mv with keyword argument <tt>secure: true</tt>. |
lib/fileutils.rb
Outdated
| # | ||
| # - FileUtils.mv with keyword argument <tt>secure: true</tt>. | ||
| # | ||
| # \Method \FileUtils.remove_entry_secure remove securely |
lib/fileutils.rb
Outdated
| # WARNING: You must ensure that *ALL* parent directories cannot be | ||
| # moved by other untrusted users. For example, parent directories | ||
| # should not be owned by untrusted users, and should not be world | ||
| # writable except when the sticky bit set. |
lib/fileutils.rb
Outdated
| # should not be owned by untrusted users, and should not be world | ||
| # writable except when the sticky bit set. | ||
| # | ||
| # WARNING: Only the owner of the removing directory tree, or Unix super |
There was a problem hiding this comment.
I think this paragraph can be removed, since it's mentioned in the preceding bullet point.
lib/fileutils.rb
Outdated
| @@ -130,9 +130,9 @@ | |||
| # if the source and destination are on different devices | |||
| # (which means that the "move" is really a copy and remove): | |||
| # | |||
| # - FileUtils.mv with keyword argument <tt>secure: true</tt>. | |||
| # - FileUtils.mv `with keyword argument <tt>secure: true</tt>. | |||
There was a problem hiding this comment.
Guessing this backtick is a typo.
|
@deivid-rodriguez, over to you. |
lib/fileutils.rb
Outdated
| # ignores raised exceptions of StandardError and its descendants. | ||
| # Keyword arguments: | ||
| # | ||
| # - <tt>force: true</tt> - ignores raised exceptions of StandardError |
There was a problem hiding this comment.
My understanding of the previous documentation is that in this case, the :force flag only affects cases where copying and then removing the original source is needed, and in this case it would apply to the removal phase only. If this is correct, I think the previous documentation is more accurate, because it doesn't imply that raised exceptions during the copy phase are swallowed.
There was a problem hiding this comment.
What should this say, then?
There was a problem hiding this comment.
I would say what it says now, because I'm not sure whether your change improves things or not. Except thet I'd probably remove the first sentence "attempts to force the move", because in my mind it's quite unclear what that means. So I'd go with:
# - <tt>force: true</tt> - if the move includes removing +src+ (that is, if +src+ and +dest+ are on different devices), ignores raised exceptions of StandardError and its descendants.
|
@jeremyevans I've pinged you once more b/c @deivid-rodriguez requested a change that I've made since you approved. Is this now good to go? |
Treats:
::rm
::rm_f
::rm_r
::rm_rf
::remove_entry_secure
ruby/fileutils@ce2a438d75
Treats: