derpconf's Issues

Don't use exec()

I found this out by reading the source code - apparently a derpconf .conf file is actually a python file, and derpconf reads and executes it.

That's awfully insecure, given that local users might have access to write to the file.

In addition the conf_name and lookup_paths options allow loading the config from a list of paths rather than a well-defined absolute path, meaning that all an attacker has to do is be able to write a file into one of the directories in the list to get arbitrary code execution.

cyclops uses this to load configs from . and ~ if a relative path is specified, which seems like a bad idea.

I'm not 100% sure on how to best solve this, but my 5-minute 2-cents-worth: seems like most configs should be securely parseable using a very simple parser (read lines, split on =, then parse expressions using ast.literal_eval()). This would allow you to support a sane range of python expressions, without allowing arbitrary execution. It makes multi-line expressions a bit tricky though.
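An added example (not derpconf's code) of the literal-only parser sketched in the comment above: lines are split on the first "=", values go through ast.literal_eval(), and the multi-line case is handled by buffering continuation lines until the next assignment. SAMPLE_CONF, ASSIGN_RE and parse_safe_conf are constructed for illustration.

```python
import ast
import re

# Constructed sample in the KEY = <python expression> shape a derpconf-style
# .conf uses. The last line is not a literal: exec() would run it, but a
# literal-only parser must reject it instead.
SAMPLE_CONF = """\
# comment line
STORAGE = 'thumbor.storages.file_storage'
MAX_WIDTH = 1200
ALLOWED_SOURCES = [
    'example.com',
    'cdn.example.com',
]
DEBUG = False
NOT_A_LITERAL = __import__('os').getcwd()
"""

# A new setting starts with an identifier at column 0 followed by "=".
ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_safe_conf(text):
    """Parse KEY = <literal> pairs without executing anything.

    Returns (settings, rejected): 'settings' holds values that parsed as plain
    Python literals; 'rejected' maps keys whose value needed real evaluation
    (and would therefore only work under exec()) to the offending source text.
    """
    settings, rejected = {}, {}
    key, buf = None, []

    def flush():
        if key is None:
            return
        value_src = "\n".join(buf).strip()
        try:
            settings[key] = ast.literal_eval(value_src)  # literals only
        except (ValueError, SyntaxError):
            rejected[key] = value_src

    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = ASSIGN_RE.match(line)
        if m:
            flush()  # previous key is complete
            key, buf = m.group(1), [m.group(2)]
        else:
            buf.append(line)  # continuation of a multi-line literal
    flush()
    return settings, rejected
```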

python 2 support

Is the python 2 support maintained intentionally? I guess some analogue of ecbf82e could be considered.

Tests fail once in a while even with no changes

I ran make test and it failed, and then I ran it a couple more times and it succeeded. Shell output follows:

$ make test
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option STORAGE_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
WARNING:root:Option LOADER_ALIAS is marked as deprecated please use LOADER instead.

 ============
 Vows Results
 ============


    Configuration
      When verifying
      ✗ should be lengthy
          Expected topic([('UBERFOO', 'baz'), ('some_key', 'default')]) to have 1 of length, but it has 2

           found in /Users/hugo/projects/derpconf/vows/config_vows.py at line 125

  ✗ OK » 21 honored • 1 broken (0.006755s)

make: *** [test] Error 1

$ make test
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option STORAGE_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
WARNING:root:Option LOADER_ALIAS is marked as deprecated please use LOADER instead.

 ============
 Vows Results
 ============


    Configuration
      When verifying
      ✗ should be lengthy
          Expected topic([('UBERFOO', 'baz'), ('some_key', 'default')]) to have 1 of length, but it has 2

           found in /Users/hugo/projects/derpconf/vows/config_vows.py at line 125

  ✗ OK » 21 honored • 1 broken (0.006917s)

make: *** [test] Error 1

$ make test
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
WARNING:root:Option LOADER_ALIAS is marked as deprecated please use LOADER instead.
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option STORAGE_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.

 ============
 Vows Results
 ============

  ✓ OK » 22 honored • 0 broken (0.006623s)


 =============
 Code Coverage
 =============

 ✗ derpconf/version   0.0%                                                     11
 ✗ derpconf/config    ••••••••••••••••••••••••••••••• 62.6%                    97, 100, 112, and 74 more

 ✗ OVERALL            ••••••••••••••••••••••••••••••• 62.3%

I didn't touch any code, only ran make test multiple times. I am running it on Mac OS X 10.9.1 and Python 2.7.6.

Message when configuration not found has thumbor.conf as conf name for everyone

Legacy of having extracted this from thumbor.

Example:

File "/Users/heynemann/.virtualenvs/splitsecond/site-packages/derpconf/config.py", line 154, in validates_presence_of
    raise ConfigurationError('Configuration %s was not found and does not have a default value. Please verify your thumbor.conf file' % arg)
ConfigurationError: Configuration LOADER was not found and does not have a default value. Please verify your thumbor.conf file

Config class vs Config instances

Is it really necessary to configure the Config class rather than creating Config instances?

I can think of scenarios where different libraries use derpconf to set up themselves and one config interferes with the other.

I think that global Config instances are fine, but configuring the Config class itself sounds dangerous. If you have discussed this before, please write me a comment with your thoughts on this.
