Skip to content

🚀 Modern Security & Configuration Overhaul#14

Merged
voltechs merged 13 commits intomainfrom
release/v0.4.0
Jul 24, 2025
Merged

🚀 Modern Security & Configuration Overhaul#14
voltechs merged 13 commits intomainfrom
release/v0.4.0

Conversation

@voltechs
Copy link
Member

@voltechs voltechs commented Jul 24, 2025

🚀 Modern Security & Configuration Overhaul

This major release modernizes the rubysu gem with comprehensive security fixes, a flexible configuration system, and enhanced Ruby compatibility.

🔒 Security Improvements

  • Fix command injection vulnerabilities in kill, unlink, and check methods using array-form system calls
  • Secure socket paths using SecureRandom instead of predictable object_id
  • Array-form system calls throughout to prevent shell injection attacks

✨ New Features

Configuration System

  • Global configuration with Sudo.configure block syntax
  • Per-wrapper overrides for all configuration options
  • Hash-like Configuration class with method_missing for clean property access
  • Configurable options: timeout, socket_dir, sudo_askpass, load_gems

Enhanced DSL

  • Sudo.as_root convenience method for simple operations
  • Graphical password prompts via sudo -A and sudo_askpass configuration
  • Flexible timeouts for connection establishment

Ruby Compatibility

  • Ruby 2.7+ support with modern keyword arguments
  • Fixed Bundler marshaling issues in Ruby 3.2+
  • Modernized code following current Ruby best practices

💥 Breaking Changes

  • Minimum Ruby version: 2.7+ (EOL compliance)
  • CI migration: Travis CI → GitHub Actions + Qlty

🔧 Internal Improvements

  • 78% test coverage with comprehensive edge case testing
  • Robust error handling with safe navigation and proper cleanup
  • Modern CI/CD with matrix testing across Ruby 2.7-3.3
  • Code quality integration with Qlty analysis

📚 Documentation

  • Updated README with v0.4.0 feature examples
  • Comprehensive CHANGELOG with emoji categorization
  • Configuration examples for all new features

Usage Examples

Simple DSL

Sudo.as_root(timeout: 30) do |sudo|
  sudo[FileUtils].mkdir_p '/secure/path'
end

Configuration

Sudo.configure do |config|
  config.timeout = 15
  config.sudo_askpass = '/usr/bin/ssh-askpass'
end

Per-wrapper overrides

Sudo::Wrapper.run(load_gems: false, socket_dir: '/var/run') do |sudo|
  sudo[File].write('/etc/config', data)
end

voltechs added 13 commits July 23, 2025 12:27
@voltechs
🧹 Project housekeeping and foundation updates
0ac40f1 
- Update .gitignore for development artifacts
- Add frozen_string_literal pragma to Gemfile for Ruby 2.7+ compatibility
- Update LICENSE copyright to reflect TwilightCoders contributions (2018-2025)
- Modernize gemspec: bump Ruby requirement to 2.7+ and update dev dependencies
@voltechs
🚀 Modernize CI/CD infrastructure
9ea4c19
@voltechs
🚀 Modernize Ruby code for 2.7+ compatibility and fix deprecations
4d07ad2 
- Add frozen_string_literal pragmas for better performance
- Fix deprecated File.exists? usage (replace with File.exist?)
- Add respond_to_missing? for proper method reflection in proxy
- Improve code style: use && instead of 'and', remove redundant returns
- Add proper module documentation and fix method signatures
- Update test expectations for modernized API behavior
@voltechs
✨ Add comprehensive configuration system with flexible inheritance
8774b6b 
- Introduce Sudo::Configuration class with configurable options:
  - timeout, retries, socket_dir, audit_log, sudo_askpass, load_gems
- Add secure socket path generation using SecureRandom
- Implement Configuration.inherit() for per-call overrides
- Update Wrapper.run() to accept any configuration options via **config
- Simplify wrapper constructor to use config object instead of individual parameters
- Enable per-instance configuration overrides for all sudo operations
- Include comprehensive test suite covering all configuration options and edge cases
- Provides foundation for customizable sudo behavior and security improvements
@voltechs
🔒 Use more secure socket_path from Configuration
079004a 
- Replace predictable object_id with SecureRandom.hex(8) for socket paths
- Prevents potential socket path prediction attacks
@voltechs
✨ Use timeout configuration
a06e1e8
@voltechs
🔒 Fix command injection vulnerabilities with secure command infrastru…
01ab4c4 
…cture

- Add command_base() method for consistent secure command building
- Add System.command() method to build secure array-form commands
- Fix command injection in kill, unlink, and check methods using array-form system calls
- Update wrapper spawn to use secure command arrays instead of string interpolation
- Refactor command() and check() to share common base functionality
- Update wrapper to handle environment variables properly
- Eliminate all string interpolation in system calls to prevent injection attacks
@voltechs
✨ Add sudo -A support for graphical password prompts
38c2c4b 
Add SUDO_ASKPASS environment variable and -A flag support to command_base when sudo_askpass is configured, enabling graphical password prompt tools.
@voltechs
🧹 Refactor wrapper methods for better readability and error handling
639e213 
- Add `TypeError` handling to `Process.exists?` for more robust PID checking
- Extract `socket?` method to eliminate code duplication
- Simplify `running?` method with cleaner boolean logic
- Use consistent `socket?` method throughout wrapper
@voltechs
✨ Add Sudo.as_root DSL convenience method
d59faf0 
Provide cleaner, more intuitive API for simple root operations.
Delegates to Wrapper.run but with better semantic naming.
@voltechs
🔧 Add flexible configuration inheritance system
d01ddc0 
- Add load_gems to Configuration class for consistency
- Implement Configuration.inherit() for per-call overrides
- Update Wrapper.run() to accept any configuration options via **config_overrides
- Simplify wrapper constructor to use config object instead of individual parameters
- Enable per-instance configuration: sudo_askpass, timeout, load_gems, etc.
@voltechs
🚀 Fix Ruby 3.2+ compatibility with Bundler marshaling
638d597 
- Update Proxy#loaded_specs to return array of gem names instead of hash
- Avoid marshaling Gem::StubSpecification objects which fail in newer Bundler versions
- Add error handling with fallback to empty array for robust gem loading
- Update corresponding tests to expect array instead of hash
@voltechs
📚 Prepare v0.4.0 release documentation
dcf9c70 
- Add comprehensive CHANGELOG.md with emoji legend and organized release notes
- Update README.md with new v0.4.0 features: configuration system, Sudo.as_root DSL, graphical password prompts, and timeouts
- Document ASK_PATH_CMD constant for convenient askpass program detection
- Fix spelling errors and improve documentation clarity
- Update VERSION constant to 0.4.0 for release
@voltechs voltechs requested a review from gderosa July 24, 2025 01:28
@gderosa
Copy link
Member

gderosa commented Jul 24, 2025
edited
Loading

This look absolutely great. Thanks for running this. Okay to merge imho.

@voltechs voltechs force-pushed the release/v0.4.0 branch 2 times, most recently from 268c7c5 to dcf9c70 Compare July 24, 2025 17:13
@voltechs voltechs merged commit 9c33cbf into main Jul 24, 2025
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gderosa gderosa gderosa approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@voltechs @gderosa