Closed frankier closed 10 months ago
I agree on your idea. But, I want to not only remove the distinction between two init arguments, but also change the way to execute the codes. Like jinja2, OteraEngine should guarantees that codes will executed inside of sandbox which means that executed on the child process.
After this change is applied, the fatal bug about set
statement and the distinction is also solved. Then, you’ll be able to pass the arbitrary Julia variables into template.
As far as I understand, Jinja does not use a child process -- and I cannot see a need to for Otera to either. In fact, depending on how stuff is passed to subprocesseses, this opens things up to shell injection attacks --- I think Otera's current HEAD may indeed have such a vulnerability here. In addition, spawning a bunch of subprocesses is not great for performance.
Jinja does two things that might be related to sandboxing:
I think, if eval(...)
is used instead of exec
, this might allow arbitrary Julia variables, and to have only tmp_init
.
You are right. Now I understand the weak points of using child process.
I'll try implementing the tmp code execution with eval(...)
.
Now, new version 0.4.0 is released, and you can pass arbitrary Julia values into init
.
Please check docs and release note for details.
Great thanks! I'll check it out!
At the moment only strings and numbers can be passed into a template since they are interpolated into a string which is then run using "eval(...)". Would it be possible to pass in arbitrary values including, e.g. functions? The mechanism that
tmp_init
uses, where a function is generated and then arguments are passed to it seems suitable. Perhaps this could be used, and then the distinction betweentmp_init
andjl_init
could be removed, i.e. all variables in a single namespace?