In the mapping files (see for example this test mapping file, it is possible to specify a custom mapping or filter function (see this example).
Since this custom function may be any function from the power-grid-model-io, be provided by the user, or even be provided by a third-party, it is a good idea to treat this functionality with care. To help users with this, better documentation is needed that explains:
[ ] we use the PyYAML yaml.safe_load functionality to make sure that the configuration file is loaded in a way that no malicious code injection happens during the loading step.
which would in normal operation be provided directly as normal_code, but in addition to that, also has the malicious_code as a side effect.
[ ] in a production environment, the configuration file should be treated similar to how Python source files are treated. I.e., it should have similar file permissions, or at the very least only be allowed to be changed by users/services with the correct privileges.
mgovers
commented
1 month ago
Describe the feature request
In the mapping files (see for example this test mapping file, it is possible to specify a custom mapping or filter function (see this example).
Since this custom function may be any function from the
power-grid-model-io, be provided by the user, or even be provided by a third-party, it is a good idea to treat this functionality with care. To help users with this, better documentation is needed that explains:yaml.safe_loadfunctionality to make sure that the configuration file is loaded in a way that no malicious code injection happens during the loading step.eval-like functionalitybuiltins; orimport_module.maxandnumpy.maxare importable, butnp.maxis not.which would in normal operation be provided directly as
normal_code, but in addition to that, also has themalicious_codeas a side effect.