Security considerations #176

Closed
RafaeLeal opened this issue Jun 8, 2022 · 1 comment
@RafaeLeal

I'm considering using gojq as a library, allowing users to transform data with it. I'm trying to understand the security implications, so I searched first at jq and found this issue, and I'm thinking about how this translates to gojq, especially things like `include` and `import` to read arbitrary files. Can we disable those while using it as a library?

@itchyny
Owner

itchyny commented Jun 8, 2022

When using the gojq library, modules are disabled by default. Use `gojq.WithModuleLoader` to enable `include` and `import`. Also, accessing environment variables (`env`, `$ENV`) yields an empty object. Use `gojq.WithEnvironLoader` to customize the variable. Note that the jq language is Turing-complete; a user can submit something like `repeat(0)`, `range(infinite)`, and `def f: f; f`. Use `code.RunWithContext` to limit the execution time.

@itchyny itchyny closed this as completed Jun 11, 2022