I'm considering using gojq as a library, allowing users to transform data with it. I'm trying to understand the security implications, so I searched first at jq and found this issue, and I'm thinking about how this translates to gojq, especially things like include and import to read arbitrary files. Can we disable those while using it as a library?
When using the gojq library, modules are disabled by default. Use gojq.WithModuleLoader to enable include and import. Also, accessing environment variables (env, $ENV) yields an empty object. Use gojq.WithEnvironLoader to customize the variable. Note that the jq language is Turing-complete; a user can submit something like repeat(0), range(infinite), and def f: f; f. Use code.RunWithContext to limit the execution time.