globocom / derpconf
derpconf abstracts loading configuration files for your app.
License: MIT License
I found this out by reading the source code - apparently a derpconf .conf file is actually a python file, and derpconf reads and executes it.
That's awfully insecure, given that local users might have access to write to the file.
In addition the `conf_name` and `lookup_paths` options allow loading the config from a list of paths rather than a well-defined absolute path, meaning that all an attacker has to do is be able to write a file into one of the directories in the list to get arbitrary code execution.
cyclops uses this to load configs from `.` and `~` if a relative path is specified, which seems like a bad idea.
I'm not 100% sure on how to best solve this, but my 5-minute 2-cents-worth: seems like most configs should be securely parseable using a very simple parser (read lines, split on `=`, then parse expressions using `ast.literal_eval()`). This would allow you to support a sane range of python expressions, without allowing arbitrary execution. It makes multi-line expressions a bit tricky though.
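A minimal version of the line-based parser proposed above, added here as an illustration and not code from derpconf itself: it splits each line on its first `=`, hands the right-hand side to `ast.literal_eval()`, buffers lines until a multi-line literal is complete, and refuses anything that is not a plain literal. The option names in the sample are constructed and only imitate thumbor's.

```python
import ast

def parse_safe_conf(text):
    """Parse 'KEY = <python literal>' lines without executing anything.
    ast.literal_eval accepts only literals and raises ValueError for names,
    attribute access and calls; values that do not parse yet are buffered
    so that multi-line literals still work.
    """
    config, key, buf = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if key is None:
            if not line or line.startswith('#'):
                continue  # blank line or comment
            if '=' not in line:
                raise ValueError('expected KEY = value, got %r' % raw)
            key, rhs = (part.strip() for part in line.split('=', 1))
            buf = [rhs]
        else:
            buf.append(line)  # continuation of a multi-line value
        source = '\n'.join(buf)
        try:
            value = ast.literal_eval(source)
        except SyntaxError:
            continue  # literal not complete yet; keep buffering
        except ValueError:
            raise ValueError('%s is not a plain literal: %s' % (key, source))
        config[key] = value
        key, buf = None, []
    if key is not None:
        raise ValueError('unterminated value for %s' % key)
    return config

def try_parse(text):
    """Return (config, None) on success or (None, error message) on rejection."""
    try:
        return parse_safe_conf(text), None
    except ValueError as exc:
        return None, str(exc)

# Constructed sample using thumbor-style option names; not a real derpconf file.
SAFE_CONF = """
LOADER = 'thumbor.loaders.http_loader'
ALLOWED_SOURCES = [
    'images.example.com',
    'cdn.example.com',
]
"""
# A call, not a literal: exec() would run it, literal_eval rejects it.
UNSAFE_CONF = "LOADER = __import__('os').getcwd()\n"
```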
Is the python 2 support maintained intentionally? I guess some analogue of ecbf82e could be considered.
I ran `make test` and it failed, and then I ran it a couple more times and it succeeded. Shell output follows:
```text
$ make test
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option STORAGE_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
WARNING:root:Option LOADER_ALIAS is marked as deprecated please use LOADER instead.
============
Vows Results
============
Configuration
When verifying
✗ should be lengthy
Expected topic([('UBERFOO', 'baz'), ('some_key', 'default')]) to have 1 of length, but it has 2
found in /Users/hugo/projects/derpconf/vows/config_vows.py at line 125
✗ OK » 21 honored • 1 broken (0.006755s)
make: *** [test] Error 1
$ make test
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option STORAGE_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
WARNING:root:Option LOADER_ALIAS is marked as deprecated please use LOADER instead.
============
Vows Results
============
Configuration
When verifying
✗ should be lengthy
Expected topic([('UBERFOO', 'baz'), ('some_key', 'default')]) to have 1 of length, but it has 2
found in /Users/hugo/projects/derpconf/vows/config_vows.py at line 125
✗ OK » 21 honored • 1 broken (0.006917s)
make: *** [test] Error 1
$ make test
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
WARNING:root:Option LOADER_ALIAS is marked as deprecated please use LOADER instead.
WARNING:root:Option STORAGE_ALIAS_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option STORAGE_ALIAS is marked as deprecated please use STORAGE instead.
WARNING:root:Option OTHER_ENGINE is marked as deprecated please use ENGINE instead.
============
Vows Results
============
✓ OK » 22 honored • 0 broken (0.006623s)
=============
Code Coverage
=============
✗ derpconf/version 0.0% 11
✗ derpconf/config ••••••••••••••••••••••••••••••• 62.6% 97, 100, 112, and 74 more
✗ OVERALL ••••••••••••••••••••••••••••••• 62.3%
```
I didn't touch any code, only ran `make test` multiple times. I am running it on Mac OS X 10.9.1 and Python 2.7.6.
Legacy of having extracted this from thumbor.
Example:
```text
File "/Users/heynemann/.virtualenvs/splitsecond/site-packages/derpconf/config.py", line 154, in validates_presence_of
raise ConfigurationError('Configuration %s was not found and does not have a default value. Please verify your thumbor.conf file' % arg)
ConfigurationError: Configuration LOADER was not found and does not have a default value. Please verify your thumbor.conf file
```
Is it really necessary to configure the `Config` class rather than creating `Config` instances?
I can think of scenarios where different libraries use derpconf to set up themselves and one config interferes with the other.
I think that global `Config` instances are fine, but configuring the `Config` class itself sounds dangerous. If you have discussed this before, please write me a comment with your thoughts on this.
@marcelometal can you send to pypi this release https://github.com/globocom/derpconf/releases/tag/0.8.4
Documentation clearly says it's possible to override options by using envars. But how about overriding multi-valued options? Like thumbor `ALLOWED_SOURCES`.