apryor6 / flaskerize

Python CLI build/dev tool for templated code generation and project modification. Think Angular schematics for Python.
BSD 3-Clause "New" or "Revised" License

Create hook for running custom Python code #7

Closed apryor6 closed 5 years ago

apryor6 commented 5 years ago

In addition to generation of code via templates, there should also be some system to provide flaskerize with custom Python code to be run. For example, the Angular CLI provides commands like ng-upgrade that enable rules for traversing the project and upgrading files on the fly. This operation obviously transcends simple generation of template files. From the very outset this type of programming has security risk written all over it. If the system relies on something like eval, it will provide an easy way for malicious code to be run on the user's system by some evildoer.

I'm open to feedback on how best to go about this. One possible solution would be to provide only a fixed number of operations, but that totally defeats the purpose of allowing third-party developers to create flaskerize templates that do whatever they need. In other words, it's too limiting.

If the project were to become popular and there was some sort of open repository of user-contributed templates, then at some critical mass you can rely on the community to vet/upvote legitimate projects, which makes it safer to rely on evaluating arbitrary code. For example, this is how projects work in the Linux world -- the very fact that a package comes from a reputable repository and has been accepted by the community serves as validation.

There may be some ways to sanitize/validate the hooks for malicious code, not sure.
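An added example, not flaskerize's own hook API and not part of the original issue, to make the trade-off above concrete. Whether a hook is run through `eval` or imported as a module, it is still arbitrary code on the user's machine; what a loader can do is (1) refuse to run a hook whose content differs from a hash the user pinned when they reviewed it, (2) demand a fixed entry point instead of evaluating free-form strings, and (3) hand the hook a narrow context object whose writes are collected and path-checked rather than applied directly. The names `HookContext`, `run_hook`, the `run(ctx)` contract and the pinned-hash argument are assumptions made for this example; the hook source below is constructed inline.

```python
"""Hypothetical hook loader (added example; not flaskerize's own code)."""
import hashlib
import importlib.util
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class HookContext:
    """What a hook gets to touch: a project root plus a record of the files it
    proposes to write. Nothing is written to disk here; the caller decides."""
    project_root: str
    changes: dict = field(default_factory=dict)

    def write(self, rel_path, content):
        root = os.path.realpath(self.project_root)
        target = os.path.realpath(os.path.join(root, rel_path))
        # Reject anything that resolves outside the project root ("../x", symlinks).
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"hook tried to write outside the project: {rel_path}")
        self.changes[os.path.relpath(target, root).replace(os.sep, "/")] = content


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_hook(hook_path, ctx, pinned_sha256):
    """Import hook_path as a module and call its run(ctx) entry point.

    exec_module() runs the file's top-level code, so this is still arbitrary
    code execution; the hash check only guarantees the user runs the exact
    bytes they reviewed, and the fixed entry point replaces eval() of strings.
    """
    actual = sha256_file(hook_path)
    if actual != pinned_sha256:
        raise PermissionError(f"{hook_path}: sha256 {actual} != pinned {pinned_sha256}")
    spec = importlib.util.spec_from_file_location("flaskerize_hook", hook_path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    entry = getattr(module, "run", None)
    if not callable(entry):
        raise TypeError("hook must define run(ctx)")
    entry(ctx)
    return ctx.changes


# Constructed hook source for the demo: a well-behaved hook using the contract.
HOOK_SRC = r'''
def run(ctx):
    ctx.write("app/__init__.py", "from flask import Flask\n")
'''


def demo():
    """Run the hook once as pinned, then tamper with it and run it again."""
    with tempfile.TemporaryDirectory() as d:
        hook = os.path.join(d, "hook.py")
        with open(hook, "w") as f:
            f.write(HOOK_SRC)
        pinned = sha256_file(hook)          # what the user pins after reviewing
        changes = run_hook(hook, HookContext(project_root=d), pinned)

        with open(hook, "a") as f:          # someone edits the hook after review
            f.write("\nimport os\n")
        try:
            run_hook(hook, HookContext(project_root=d), pinned)
            refused = False
        except PermissionError:
            refused = True

        try:                                # path escape is caught by the context
            HookContext(project_root=d).write("../escape.py", "x = 1")
            escape_rejected = False
        except ValueError:
            escape_rejected = True

    return {"changes": changes, "tampered_refused": refused,
            "escape_rejected": escape_rejected}


if __name__ == "__main__":
    print(demo())
```

The hash pin is the piece that scales to the "community repository" idea in the comment: a reviewed hook is identified by its digest, and any later change to the file, however it was distributed, fails closed until someone reviews and re-pins it.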

apryor6 commented 5 years ago

Closed by https://github.com/apryor6/flaskerize/pull/15