MathematicalMedicine / diver-issues

Semipublic tracking of issues for the DIVER front end

diverAPI should validate any construct value definitions against our schema before submitting to DB procs #184

Closed Viqsi closed 6 months ago

Viqsi commented 10 months ago

We presently have a schema doc for the entire client request, but that can be pared down to the value definitions (which are the part that the procs should be poking at anyways). It would be a Very Good Idea to verify any input against such a schema when we receive it; between that and adding the JSON doc as a parameter rather than via interpolation, that should dodge any injection concerns as noted in #85.

There's other cleanup work I want to do with custom variables first (for example, get those procs away from messing with the whole document) but after that this would be a very good thing to do.

Viqsi commented 9 months ago

It doesn't fully dodge injection concerns because the schema doesn't define, for example, valid variable names. But that's something we can check in-proc.
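The two measures discussed in this issue, shown together as an added example that is not part of the thread or the DIVER code base: validate the value definitions before they reach the database, then pass the JSON document as a bound parameter instead of interpolating it. The definition shape, the variable-name rule, the `construct_defs` table and the use of SQLite are all assumptions made for illustration, and the name check (which the thread suggests doing in-proc) is done in the same function here only to keep the example in one place.

```python
import json
import re
import sqlite3

# Assumed shape of one value definition; the project's real schema is not on the page.
REQUIRED = {"name": str, "type": str, "expression": str}
ALLOWED_TYPES = {"int", "float", "string"}
# Assumed rule for variable names, the part the thread says the schema does not define.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def validate_definitions(raw):
    """Parse a JSON array of value definitions; raise ValueError on any deviation."""
    doc = json.loads(raw)  # malformed JSON raises JSONDecodeError, a ValueError subclass
    if not isinstance(doc, list) or not doc:
        raise ValueError("expected a non-empty array of definitions")
    for i, item in enumerate(doc):
        if not isinstance(item, dict) or set(item) != set(REQUIRED):
            raise ValueError(f"definition {i}: missing or unexpected keys")
        for key, typ in REQUIRED.items():
            if not isinstance(item[key], typ):
                raise ValueError(f"definition {i}: {key} must be {typ.__name__}")
        if item["type"] not in ALLOWED_TYPES:
            raise ValueError(f"definition {i}: unknown type")
        if not NAME_RE.fullmatch(item["name"]):
            raise ValueError(f"definition {i}: invalid variable name")
    return doc


def submit(conn, raw):
    """Validate first, then hand the document over as a bound parameter."""
    doc = validate_definitions(raw)
    # The document travels as data; it is never spliced into the SQL text.
    conn.execute("INSERT INTO construct_defs(doc) VALUES (?)", (json.dumps(doc),))
    return len(doc)


def demo():
    """Run three constructed requests; return their outcomes and the stored row count."""
    conn = sqlite3.connect(":memory:")  # stand-in for the real database and procs
    conn.execute("CREATE TABLE construct_defs(doc TEXT)")
    good = '[{"name": "age_bin", "type": "int", "expression": "age / 10"}]'
    bad_name = '[{"name": "x\'; --", "type": "int", "expression": "1"}]'
    extra_key = '[{"name": "a", "type": "int", "expression": "1", "sql": "x"}]'
    results = []
    for raw in (good, bad_name, extra_key):
        try:
            results.append(submit(conn, raw))
        except ValueError as exc:
            results.append(str(exc))
    rows = conn.execute("SELECT COUNT(*) FROM construct_defs").fetchone()[0]
    return results, rows
```

Only the first constructed request is stored; the other two are rejected before any SQL runs.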