Closed mikkoh closed 2 years ago
Looks like this PR either modifies or introduces a headless browser. Please ensure that proper care is taken to avoid allowing requests to arbitrary internal services. Failure to do so could result in your service being vulnerable to Server Side Request Forgery (SSRF) attacks.
To prevent this, be sure to allow-list the domains that you intend to be provided to the headless browser. Additionally, a robust network policy can be applied. Here is an example PR for applying such a network policy. Finally, an example of how your headless browser can safely leverage workload identities if need be.
If you have any follow-up questions about your implementation, please reach out to us in #help-appsec.
If this was a false positive, please click here to open a pre-filled issue.
cc: @Shopify/appsec-breakers
Merge after #54
This PR adds the ability to pass in an Object to the `htmlTemplate` function which will pass custom arguments to the `<model-viewer>` element. It should be noted that I prevent the user from passing in arguments that would overwrite the default arguments.
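Added example (not the PR's own code) of the two points raised on this page, in JavaScript: custom `<model-viewer>` arguments merged without overriding the service defaults, and URL-valued attributes checked against a host allow-list before the headless browser loads them. The attribute names, default values, allowed hosts and function names are assumptions.

```javascript
// Attributes the rendering service sets itself (assumed defaults); callers may not override them.
const DEFAULT_ATTRS = Object.freeze({
  'camera-controls': '',
  'auto-rotate': '',
  style: 'width:512px;height:512px',
});

// Hosts the headless browser is allowed to fetch model assets from (constructed values).
const ALLOWED_HOSTS = new Set(['cdn.example.com', 'models.example.com']);

// <model-viewer> attributes whose values the browser fetches, so they are SSRF-relevant.
const URL_ATTRS = new Set(['src', 'poster', 'environment-image', 'skybox-image']);

// Accept only absolute https URLs whose exact hostname is on the allow-list.
function assertAllowedUrl(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    throw new Error(`rejected non-absolute URL: ${value}`);
  }
  if (url.protocol !== 'https:') throw new Error(`rejected scheme: ${url.protocol}`);
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error(`rejected host: ${url.hostname}`);
  return url.href;
}

// Merge caller-supplied attributes over the defaults, refusing any that would overwrite a default.
function buildModelViewerAttrs(custom = {}) {
  const out = { ...DEFAULT_ATTRS };
  for (const [name, value] of Object.entries(custom)) {
    if (Object.prototype.hasOwnProperty.call(DEFAULT_ATTRS, name)) {
      throw new Error(`attribute "${name}" is set by the service and cannot be overridden`);
    }
    if (!/^[a-z][a-z0-9-]*$/.test(name)) throw new Error(`rejected attribute name: ${name}`);
    out[name] = URL_ATTRS.has(name) ? assertAllowedUrl(String(value)) : String(value);
  }
  return out;
}

// Render the element tag; empty-string values become bare boolean attributes.
function renderModelViewerTag(custom) {
  const attrs = buildModelViewerAttrs(custom);
  const escape = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  const parts = Object.entries(attrs).map(([k, v]) => (v === '' ? k : `${k}="${escape(v)}"`));
  return `<model-viewer ${parts.join(' ')}></model-viewer>`;
}
```

A host allow-list does not cover redirects the browser follows after the first request, which is why the comment above also recommends a network policy.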