- https://hookrace.net/blog/nim-code-coverage/ is outdated, `--nimcache:.`
is also needed, because `.gcda` files are generated (at least in my
case), where binary was compiled, not where it was executed. At least
passing this flag solved the issue
- Also need to `--remove "<temporary test dir>/*'` from code coverage, idk
why.
- As expected code coverage report is awful, makes almost no sense.
- Another example why we need adequate code coverage that is aware of
the nim semantics. nim-lang/Nim#15827
- `exec` is horrible, nim-lang/nimble#895 is
needed. I wanted to break arguments into something more manageable, and
ended up with `&"\"{dir}/*\""`. Super nice.
In particular we are looking at the `doCmd()` family of functions in `nimble`. The use of command strings (strings that are passed verbatim to the shell) is prone to injection bugs (nimble already got hit: https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/, temporary fix available in #894).

The alternative API can be something like `runCmd(args: varargs[string])` (change the name so that we can audit all current usage of `doCmd()`/`doCmdEx()`).
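
The difference between a command string and the proposed argument-vector API, as an added example that is not part of the issue or of nimble's code base: `runCmd` is the name suggested above, its body here is an assumption built on `std/osproc`, and the directory name is constructed. It assumes a POSIX system with `echo` on `PATH`.

```nim
# Added example, not nimble's code. runCmd is the hypothetical name proposed
# in the issue; the body below is one possible implementation.
import std/[osproc, streams, strutils]

proc runCmd(args: varargs[string]): tuple[output: string, exitCode: int] =
  ## Starts args[0] with args[1..] as its argument vector. poEvalCommand is
  ## not set, so no shell ever parses the arguments.
  doAssert args.len > 0, "runCmd needs at least the program name"
  let p = startProcess(args[0], args = args[1 .. ^1],
                       options = {poUsePath, poStdErrToStdOut})
  defer: p.close()
  # Drain the pipe before waiting so a chatty child cannot block on a full pipe.
  result.output = p.outputStream.readAll()
  result.exitCode = p.waitForExit()

when isMainModule:
  # Constructed input: a directory name carrying shell metacharacters.
  let dir = "pkg\"; echo INJECTED; \""

  # Command string (the doCmd() style): the shell receives
  #   echo "pkg"; echo INJECTED; "/*"
  # and runs the second command as its own statement.
  let (shOut, _) = execCmdEx("echo \"" & dir & "/*\"")
  doAssert "INJECTED" in shOut.splitLines()

  # Argument vector: the whole value reaches echo as a single argument,
  # quotes and semicolons included, and nothing else is executed.
  let (argvOut, code) = runCmd("echo", dir & "/*")
  doAssert code == 0
  doAssert argvOut.strip() == dir & "/*"
  doAssert "INJECTED" notin argvOut.splitLines()
```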