Provide clear guidance on avoiding security problems with template type package arguments #41

Open
tadasant opened this issue May 13, 2025 · 0 comments

@alexhancock brought this up in #33 (comment):

> what validations would we imagine for template strings? Both for validity but also command injection. For example, what would we do if someone submitted a server with:
>
> `"template": ";rm -rf ~/Development"`

@connor4312 said:

> In general we have to assume that clients do the right shell escaping for arguments (or don't run them in a shell, e.g. `child_process.spawn`). Users can do very valid things like put in quotation/punctuation marks and spaces into arguments, and if the client runs them in a shell it takes on the responsibility of escaping those.

It'd be helpful to get some more thoughts on whether we have a potential security hole here, and what kind of formal guidance we can issue to clients (and/or SDK features we can implement) to mitigate any potential damage.
