Allow formatted strings to all the sources functions that receive a string #159

Open
ifraixedes opened this issue Dec 14, 2022 · 2 comments

@ifraixedes

I wondered if all the source functions that receive a string as a parameter could receive a format string and variadic string parameters, as the fmt standard Go package does.

My use case was the following:

```sh
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
```

To do that with script you have to execute each subcommand part and do the string interpolation manually.
NOTE: this example doesn't illustrate how to handle errors properly, to keep it concise.

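```go
// Fragment: assumes imports of fmt, log, strings and github.com/bitfield/script.
arch, err := script.Exec("dpkg --print-architecture").String()
if err != nil {
	log.Fatal(err)
}
// Command output ends with a newline; trim it before interpolating.
arch = strings.TrimSpace(arch)

versionName, err := script.Exec("lsb_release -cs").String()
if err != nil {
	log.Fatal(err)
}
versionName = strings.TrimSpace(versionName)

// err is already declared above, so assign with = rather than :=.
_, err = script.Echo(fmt.Sprintf("deb [arch=%s signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian %s stable", arch, versionName)).Exec("sudo tee /etc/apt/sources.list.d/docker.list").String()
if err != nil {
	log.Fatal(err)
}
```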

If Echo accepted parameters as fmt.Sprintf does, then the last line would be:

```go
// Proposed signature: Echo takes a format string plus variadic arguments.
_, err = script.Echo("deb [arch=%s signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian %s stable", arch, versionName).Exec("sudo tee /etc/apt/sources.list.d/docker.list").String()
if err != nil {
	log.Fatal(err)
}
```

It doesn't reduce the code that much, but I thought that it shouldn't hurt and, in the end, the variadic strings are optional.

My use case was for only the Echo function, but I thought that the other source functions could benefit from the same too.

@bitfield
Owner

Yes, this is a useful thing to do, but I'm not sure that exec(fmt.Sprintf(...)) isn't exactly the right way to do it!

@ifraixedes
Author

ifraixedes commented Dec 15, 2022

I'm sure that from the security point of view it is a NO, unless you can guarantee that the value to interpolate comes from a trusted source.

If I'm doing the fmt.Sprintf right now, I'm already committing sins.

Considering that I'm trying to use script for what I was writing before in shell script, I don't see any harm. Obviously, it is the coder who, in the end, has to be aware and not open security holes.

Do you think that exec(fmt.Sprintf(...)) isn't exactly the right way to do it because of another point of view?
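
Added example (not code from this issue or from the script project): one way to meet the "trusted source" condition raised in this thread is to validate the two interpolated values before formatting them into the apt source line. The names `DockerSourceLine`, `clean` and `ErrUntrusted`, and the allowed-character pattern, are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Assumed shape of Debian architecture names and release codenames:
// lowercase letters, digits and hyphens only (an assumption of this example).
var token = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*$`)

// ErrUntrusted marks a value that must not be interpolated.
var ErrUntrusted = errors.New("value not safe to interpolate")

// clean trims the trailing newline that command output carries and rejects
// anything that could add fields or lines to the sources.list entry.
func clean(name, raw string) (string, error) {
	v := strings.TrimSpace(raw)
	if !token.MatchString(v) {
		return "", fmt.Errorf("%s %q: %w", name, raw, ErrUntrusted)
	}
	return v, nil
}

// DockerSourceLine builds the apt entry from the issue, validated values only.
func DockerSourceLine(arch, codename string) (string, error) {
	a, err := clean("arch", arch)
	if err != nil {
		return "", err
	}
	c, err := clean("codename", codename)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("deb [arch=%s signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian %s stable", a, c), nil
}

func main() {
	// Constructed sample inputs: one well-formed pair and two malformed ones.
	for _, in := range [][2]string{
		{"amd64\n", "bookworm\n"},
		{"amd64 extra=1", "bookworm"},
		{"amd64", "bookworm main\nsecond line"},
	} {
		line, err := DockerSourceLine(in[0], in[1])
		fmt.Printf("%q err=%v\n", line, err)
	}
}
```

The returned line can then be handed to a source function such as `script.Echo`, exactly as in the `fmt.Sprintf` version above.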
