[katello-devel] Translation strings with ruby code
Lukas Zapletal
lzap at redhat.com
Mon May 23 08:25:06 UTC 2011
On 05/20/2011 03:44 PM, jesus m. rodriguez wrote:
> Write a script that pulls out the strings that contain 'ruby code',
> that looks for possible injections. If we want to change that's fine
> with me. I just think that if doing #{foo} is common in ruby strings
> that making folks change is more difficult than automating some
> sort of post processing script to detect possible security
> issues.
>
> If ruby folks don't care about keeping #{} in their strings, then
> change all you want.
It's usually better to deal with cause than consequence. I totally agree
the #{} style is very comfortable for us, but we are discussing
translation strings, not all strings. It's more about translators'
confusion than security, I would say.
But I like the idea of the check script. I think the good approach could
be a combination of both. I just found the ruby gettext gem supports named
parameters:
print _("Hello World\n")
print _("Hello %{world}\n") % {:world => 'World'}
Therefore we could enforce (with using a grep in po files) to use the
"ruby" style in simple cases (just a variable) and the "percent" style
for more complex statements. E.g.:
_( "blah blah #{blah}" ) - correct (safe, easy to understand)
_( "blah blah #{function xy, yz}" ) - incorrect (unsafe, unclear)
For the latter one we should be enforced to use:
_( "blah blah %{b}" ) % { :b => function xy, yz }
Translators will see only two position-independent variants:
#{variable} or %{variable}
both obviously easy to understand.
I think we should be able to catch these with a simple grep. The only
issue is to keep using the script regularly (maybe through Jenkins).
--
Later,
Lukas Zapletal | E32E400A
RHN Satellite Engineering
Red Hat Czech s.r.o. Brno
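An added example, not part of the thread or of Katello's code, of the kind of check script discussed above: it scans Ruby source for gettext calls of the form _( "..." ) and flags any #{...} interpolation that is not a bare variable name. The _( "..." ) double-quoted form and the sample input are assumptions.

```ruby
# Added example (not from the katello-devel thread): flag translation strings
# whose "#{...}" interpolation is more than a plain variable, so that such
# cases are moved to the "%{name}" style applied after _() returns.
# Assumption: translation strings are wrapped in _( "..." ) with double quotes.

# The string literal inside _("..."), tolerating spaces around the parens.
GETTEXT_CALL = /_\(\s*"((?:[^"\\]|\\.)*)"/
# A "simple" interpolation: a bare local or instance variable name only.
SIMPLE_INTERP = /\A@?[a-z_][A-Za-z0-9_]*\z/

# Returns [line_number, offending_expression] pairs for the given source text.
def find_unsafe_interpolations(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    line.scan(GETTEXT_CALL) do |(literal)|
      literal.scan(/\#\{([^}]*)\}/) do |(expr)|
        expr = expr.strip
        findings << [lineno, expr] unless expr =~ SIMPLE_INTERP
      end
    end
  end
  findings
end

# Constructed sample input covering the cases discussed in the thread
# (single-quoted heredoc, so "#{...}" stays literal here).
SAMPLE = <<~'RUBY'
  puts _("blah blah #{blah}")
  puts _( "blah blah #{function xy, yz}" )
  puts _("Hello %{world}\n") % { :world => 'World' }
  puts _("Count: #{items.size}")
RUBY

if __FILE__ == $0
  # With no arguments, run over the constructed sample; otherwise over the files given.
  inputs = ARGV.empty? ? [["(sample)", SAMPLE]] : ARGV.map { |f| [f, File.read(f)] }
  inputs.each do |name, src|
    find_unsafe_interpolations(src).each do |lineno, expr|
      puts "#{name}:#{lineno}: non-trivial interpolation in translation string: \#{#{expr}}"
    end
  end
end
```

Run it as `ruby check_i18n.rb app/**/*.rb` (the script name is assumed); a non-empty report is what a Jenkins job would turn into a failed build.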