We'd like to make rule files even more pluggable and dynamic. To that end, it would be valuable to have python / javascript scriptability that can execute arbitrary code to decide whether or not a rule should fire. For instance:
pattern-with-guard:
pattern: foo($X)
where-python: "0 <= vars['$X'] <= 100"
Specifically, many of the checks @mschwager wrote in dlint would be good candidates for this pattern. Eg https://github.com/dlint-py/dlint/blob/master/dlint/linters/bad_urllib3_kwarg_use.py could become:
pattern-with-guard:
pattern: urllib3.PoolManager(cert_reqs=$X)
where-python: "vars['$X'] in ['CERT_NONE', 'NONE']"
Ohoho, oh yes!
I can then scratch one of the items in https://returntocorp.quip.com/flmmAhOAzbj9/Pads-long-term-goals
and now we are sensitive to command/eval injection!
(is there a sandbox mode in python like in Perl?)
This is why you use a scripting language for, to script! to leverage eval()! (there is no other use for those languages IMHO :) )
I'd like to throw a suggestion in the ring here... can we point to a separate python file? It would be nice to, e.g., lint that file.
I don't understand what you want nathan. Can you give an example of what you want?
@aryx I think @nbrahms means, a way to say:
pattern-where-python-file-returns-true: pass_me_metavars.py
And then have that python file be invoked with the metavars as CLI arguments and return code being true/false for the filter.
Most helpful comment
This is why you use a scripting language for, to script! to leverage eval()! (there is no other use for those languages IMHO :) )