Expand regexp to only capture nested functions
I _think_ `#sanitized_content` is meant to make a common Elixir pattern
safe for parsing (rather, to prevent code execution while dependency
management is being performed). Unfortunately, there are no hints in
either Git commit history or in the pull requests that were opened
around Elixir package management.

The pattern that this is handling (at least in the fixtures in this
repo) is the case where there's a top-level file titled VERSION, which
is read in in the Mixfile's project metadata. We're handling a couple of
cases here:

```elixir
String.trim(File.read("VERSION"))  # String.trim({:ok, "0.0.1"})
String.trim(File.read!("VERSION")) # String.trim("0.0.1")
```

A lot of Elixir code relies on piping output from one function to
another, which can cause the above pattern to read as:

```elixir
"VERSION" |> File.read() |> String.trim()
"VERSION"
|> File.read()
|> String.trim()
```

We're not handling these properly, which has led to errors like:

```plaintext
(ArgumentError) cannot pipe "VERSION" into "0.0.1", can only pipe (snip)
```

This commit is meant to capture only the former pattern (nested calls),
so that we can properly handle the latter in upcoming commits.
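The two substitutions this commit introduces, run over constructed Mixfile fragments so the difference between the nested form and the piped form described above is visible. This is an added example, not Dependabot's own code; the fragments and the `Path.join` variant are constructed here.

```ruby
# Added example, not Dependabot's own code: the two regexes this commit adds,
# applied to constructed Mixfile fragments, to show what they do and do not catch.
NESTED_READ_BANG = %r{String\.trim\(File\.read!\(.*?\)\)}
NESTED_READ      = %r{String\.trim\(File\.read\(.*?\)\)}

def sanitize_version_reads(mixfile_content)
  mixfile_content.
    gsub(NESTED_READ_BANG, 'String.trim("0.0.1")').
    gsub(NESTED_READ, 'String.trim({:ok, "0.0.1"})')
end

# True when the fragment would still read a file if the Mixfile were evaluated.
def reads_file?(content)
  content.match?(/File\.read!?\(/)
end

# True when every "(" has a matching ")" (a cheap sanity check on the rewrite).
def balanced_parens?(content)
  content.count("(") == content.count(")")
end

# Constructed fragments: the two nested shapes from the commit message, the piped
# shape it defers, and a nested-argument variant (constructed) to probe `.*?`.
NESTED      = 'version: String.trim(File.read!("VERSION")),'
NESTED_OK   = 'version: String.trim(File.read("VERSION")),'
PIPED       = 'version: "VERSION" |> File.read!() |> String.trim(),'
NESTED_PATH = 'version: String.trim(File.read!(Path.join(__DIR__, "VERSION"))),'

if __FILE__ == $PROGRAM_NAME
  [NESTED, NESTED_OK, PIPED, NESTED_PATH].each do |fragment|
    out = sanitize_version_reads(fragment)
    puts "#{fragment}\n  -> #{out} (reads file: #{reads_file?(out)}, balanced: #{balanced_parens?(out)})"
  end
end
```

The piped fragment passes through untouched and still reads a file, while the nested-argument variant is rewritten with an unbalanced parenthesis because `.*?` stops at the first `))`.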
landongrindheim committed Nov 23, 2021
1 parent 4af1cd4 commit fa48db2
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions hex/lib/dependabot/hex/file_updater/mixfile_sanitizer.rb
Expand Up @@ -13,8 +13,8 @@ def initialize(mixfile_content:)

def sanitized_content
mixfile_content.
gsub(/File\.read!\(.*?\)/, '"0.0.1"').
gsub(/File\.read\(.*?\)/, '{:ok, "0.0.1"}').
gsub(%r{String\.trim\(File\.read!\(.*?\)\)}, 'String.trim("0.0.1")').
gsub(%r{String\.trim\(File\.read\(.*?\)\)}, 'String.trim({:ok, "0.0.1"})').
gsub(/^\s*config_path:.*(?:,|$)/, "")
end

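Review bot: The non-greedy `.*?` in both new patterns stops at the first `))`, so a nested argument such as `String.trim(File.read!(Path.join(__DIR__, "VERSION")))` is rewritten to `String.trim("0.0.1"))`, leaving an unbalanced parenthesis in the sanitized Mixfile; consider `[^()]*` in place of `.*?` so the substitution only applies to a single literal argument, which is the only shape the commit message describes. Narrowing the patterns also means a bare `File.read!(...)` or `File.read(...)` outside `String.trim` is no longer replaced at all, so if `#sanitized_content` is relied upon to stop file reads during dependency evaluation, that regression (and the piped form the message defers) should be tracked until the follow-up lands.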
