Remove broken frivolous function from install script #222
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The "template" installation script contained a `get()` function used to make an HTTP request. The response body is required by the caller, but shell functions do not support returning content as you might do when using a more capable programming language. As a workaround, the script author set up a system where the caller passed an arbitrary variable name to the function, which the function then assigns with the response body string. This was done using the `eval` builtin. The `eval` command was quoted in a naive manner, not considering that the body content could contain any arbitrary characters. This made it possible that contents of the response body could be unintentionally executed on the user's machine. In the context of the installation script, this happened under the following conditions: - The release download was not available from Arduino's downloads server - The response body from the Releases GitHub API request contained single quotes The most minimal fix would likely have been to change the `eval` command so that the variable containing the response body text was not expanded in the command: eval "$1=\$GET_BODY" However, this problem has provided clear evidence that best practices are to avoid `eval` altogether unless absolutely necessary. Since it is only called once, the entire function is not necessary (and in fact it is questionable whether there is any real value in the entire GitHub releases fallback system). So I decided the best fix was to do away with the function altogether, replacing its single call with the contents of the former function. This removed unnecessary complexity from the script without any decrease in efficiency or increase in maintenance burden.
per1234
added
type: imperfection
|
I like a lot this change 👍🏼 |
cmaglie
approved these changes
Apr 20, 2022
umbynos
approved these changes
Apr 20, 2022
ubidefeo
reviewed
Apr 21, 2022
There was a problem hiding this comment.
install svcript tested and working correctly on M1 Monterey 12.3
Installing in /Users/ubidefeo/Downloads/bin
ARCH=ARM64
OS=macOS
Using curl as download tool
Downloading https://downloads.arduino.cc/arduino-cli/arduino-cli_0.21.1_macOS_ARM64.tar.gz
macOS ARM64 release not currently available. Checking for alternative macOS 64bit release for your system.
Downloading https://downloads.arduino.cc/arduino-cli/arduino-cli_0.21.1_macOS_64bit.tar.gz
An existing arduino-cli was found at /opt/homebrew/bin/arduino-cli. Please prepend "/Users/ubidefeo/Downloads/bin" to your $PATH or remove the existing one.
arduino-cli Version: 0.21.1 Commit: 9fcbb392 Date: 2022-02-24T15:41:45Z installed successfully in /Users/ubidefeo/Downloads/bin
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The "template" installation script contained a
get()function used to make an HTTP request.The response body is required by the caller, but shell functions do not support returning content as you might do when using a more capable programming language.
As a workaround, the script author set up a system where the caller passed an arbitrary variable name to the function, which the function then assigns with the response body string.
This was done using the
evalbuiltin. Theevalcommand was quoted in a naive manner, not considering that the body content could contain any arbitrary characters. This made it possible that contents of the response body could be unintentionally executed on the user's machine.In the context of the installation script, this happened under the following conditions:
The most minimal fix would likely have been to change the
evalcommand so that the variable containing the response body text was not expanded in the command:However, this problem has provided clear evidence that best practices are to avoid
evalaltogether unless absolutely necessary. Since it is only called once, the entire function is not necessary (and in fact it is questionable whether there is any real value in the entire GitHub releases fallback system). So I decided the best fix was to do away with the function altogether, replacing its single call with the contents of the former function. This removed unnecessary complexity from the script without any decrease in efficiency or increase in maintenance burden.Originally reported at arduino/arduino-cli#1714