On 23-05-25 11:45:45, Demi Marie Obenour wrote:
> On Thu, May 25, 2023 at 10:54:48AM +0000, Ben Grande wrote:
> > On 23-05-24 14:57:12, Demi Marie Obenour wrote:
> > > On Wed, May 24, 2023 at 11:53:51AM +0000, Ben Grande wrote:
> >
> > Can you please point to the dynamically generated regular expression?
> > My understanding is that dynamically generated regular expressions
> > require the execute command:
> > https://github.com/vim/vim/blob/master/runtime/syntax/yaml.vim#L146
>
> =~ interprets its RHS as a regular expression, so any VimScript that
> uses =~ with a non-constant RHS needs to ensure that the RHS is not
> controlled by an attacker. In your case it appears that e.g.
> subscripting and stridx() would be better.

Fixed on 9676d46. Let me know if that is what you wanted and if there
are any remaining security concerns. The remaining '=~' are only used
for values already known to us, so not an untrusted input.

> > On the code completion case, it is dynamically generated, so we might
> > need to do something here. I don't know the risk of inserting text that
> > is already on the file to the completion list and then accepted by the
> > user. What would be a good filtering method? Block characters that are
> > not allowed by Qrexec? Chars outside of the range: [A-Za-z0-9_+*.=-]
> > Currently not implemented.
>
> I would go with the former.

I did go with both. First it blocks any character that the parser would
not like in general. Second, for every field, there is a known character
range for it so that is also used.

> > > > Spell checking
> > > > --------------
> > > > If you set 'spell', you will benefit by using the plugin spell file as a
> > > > secondary good word list, after your primary language. It helps to
> > > > reduce the number of false positive spelling errors.
> > >
> > > Is this handled automatically?
> >
> > No.
> > [REDACTED]
> >
> > The 'spellfile' is the user good words list. We should not modify it.
> > But perhaps we can enable 'spell' and set 'spelllang' to US English.
>
> I’ll leave this to the other Qubes developers.

As from my previous mail before your reply, spell is enabled and
spelllang has the value 'en_us' appended to it, so not overwriting user
spelling language but allowing user's custom language to exist without
having to use autocommands. The only downside is if some Qubes developer
writes his comments in Polish or any other language when testing and
doesn't notice that when shipping the policy; in that case, overriding
user defaults would be the best solution.

> > > > Questions
> > > > =========
> > > > I have a few questions, if you would be kind to answer them:
> > > >
> > > > 1 - Would QubesOS Team package the vimfiles for Dom0 and DomUs?
> > > >     Only Dom0 can lint, as it requires the qubes-qrexec-dom0 to be
> > > >     installed, but DomUs can greatly benefit from this plugin by using
> > > >     all of the rest it offers, syntax highlighting, code completion,
> > > >     spell check.
> > >
> > > Personally I don’t see any reason not to ship them. What would be
> > > needed to support linting outside of dom0?
> >
> > If the parser can be packaged to DomUs, that would make linting policies
> > from any qube possible. These are the dependencies I mapped:
> >
> >   qrexec
> >     __init__
> >     exc
> >     utils
> >     policy.parser
> >
> > See the imports at:
> > https://codeberg.org/ben.grande.b/qubes-tools/src/branch/main/qubes-policy-lint
>
> That should definitely be doable.

Should I open another thread so this doesn't get lost, as it is not
solely related to Vim? I didn't try building qubes-core-qrexec yet, so I
am not near implementing this. If someone steps up, I'd be grateful,
else I might take some time to do this. Seems like I need to modify the
Makefile and the setup.py script, but they were made to include all
files in the tools directory and I am unsure it will be easy to set it
to only some specific files.

> > > > 1.1 - Is VimScript a barrier for inclusion as it greatly decreases the
> > > >       chances of someone reviewing it? Total lines of code excluding
> > > >       comments, empty lines or lines that multi-lines: 957, as of
> > > >       2023-04-15, first draft of this e-mail.
> > >
> > > I am not personally proficient in VimScript, but IIUC syntax files are
> > > largely declarative, which should help.
> >
> > Great. The most complicated is the code completion at
> > autoload/qrexeccomplete.vim.
>
> Yeah, that’s where I saw the dynamically generated regexps.

Fixed on 9676d46.

--
Benjamin Grande
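
The point raised in the thread about `=~` with a non-constant right-hand side, shown as an added Vim script example that is not part of the original message or of the plugin's code. All function names are hypothetical and the sample words are constructed; only the character range is taken from the thread.

```vim
" Added example. All function names are hypothetical, and the sample words
" are constructed; only the character range comes from the thread.

" Constant pattern: the RHS of =~ never contains buffer text.
let s:allowed = '^[A-Za-z0-9_+*.=-]\+$'

" Risky form: a:base is buffer text, yet it becomes part of a regex,
" so '.' or '*' in it act as metacharacters instead of literal characters.
function! PrefixMatchRegex(word, base) abort
  return a:word =~# '^' . a:base
endfunction

" Literal form suggested in the thread: stridx() does a plain substring search.
function! PrefixMatchLiteral(word, base) abort
  return stridx(a:word, a:base) == 0
endfunction

" Keep only candidates made of allowed characters that literally start
" with the base being completed.
function! FilterCandidates(words, base) abort
  let l:out = []
  for l:word in a:words
    if l:word =~# s:allowed && PrefixMatchLiteral(l:word, a:base)
      call add(l:out, l:word)
    endif
  endfor
  return l:out
endfunction

" omnifunc-style entry point: candidates are words already in the buffer.
function! DemoComplete(findstart, base) abort
  if a:findstart
    let l:line = getline('.')
    let l:start = col('.') - 1
    while l:start > 0 && l:line[l:start - 1] !~# '\s'
      let l:start -= 1
    endwhile
    return l:start
  endif
  let l:words = split(join(getline(1, '$'), ' '), '\s\+')
  return FilterCandidates(uniq(sort(l:words)), a:base)
endfunction

" Constructed sample: compare both matchers on the same input.
let s:sample = ['qubes.Filecopy', 'q.Example', 'bad;word']
echo filter(copy(s:sample), {_, w -> PrefixMatchRegex(w, 'q.')})
echo FilterCandidates(s:sample, 'q.')
```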