cue-lang / cue

The home of the CUE language! Validate and define text-based and dynamic configuration
https://cuelang.org
Apache License 2.0

Safe evaluation mode that disallows side effects #1373

Open pingiun opened 3 years ago

pingiun commented 3 years ago

Is your feature request related to a problem? Please describe.

I would like to use CUE in a context where users are partially trusted.

Describe the solution you'd like

A command-line flag that disallows loading modules that do web requests, for example.

Describe alternatives you've considered

Filtering CUE files before evaluating them (but this seems error-prone), or loading JSON and only using CUE for validating. I would like to allow my users to write CUE though, because it allows for some nice shorthand. I've also considered using WASM CUE to convert CUE to JSON on the client side and upload it to the server, but this loses the nice validation.

verdverm commented 3 years ago

Generally speaking, CUE is hermetic and free of side effects. There is the scripting layer, where you can import from the tool/* packages in the stdlib, but these are only allowed in files with the _tool.cue suffix. These files would also need to be "run" specifically. If this is not the case, I suspect you are OK.
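The split described above, shown as an added example (not code from the thread or from the CUE project): a plain `.cue` file that `cue eval`, `cue export` and the Go API evaluate hermetically, next to a `_tool.cue` file that imports `tool/http` and is only loaded when someone explicitly runs `cue cmd fetch`. Both files belong to the same package; the package name, the field names and the URL are constructed for illustration.

```cue
// --- config.cue ---
// Plain CUE: evaluated by `cue eval`, `cue export` and the Go API.
// There is no way for this file to read the network, the environment or
// the filesystem; any external data has to be injected by the caller.
package config

#Service: {
	name:     string & =~"^[a-z][a-z0-9-]*$"
	replicas: int & >=1 & <=10
	image:    string
}

// Every entry under services must satisfy #Service, and its key is its name.
services: [Name=string]: #Service & {name: Name}

services: web: {
	replicas: 3
	image:    "registry.example.com/web:1.2.3" // constructed example value
}

// --- fetch_tool.cue ---
// Tooling layer: the `_tool.cue` suffix means `cue eval`/`cue export` skip
// this file entirely; only `cue cmd fetch` loads and runs it.
package config

import "tool/http"

command: fetch: {
	// A task is the only place a side effect (here an HTTP request) can occur.
	get: http.Get & {
		url: "https://example.com/overrides.json" // placeholder URL
	}
	// get.response.body holds the fetched bytes once the task has run; a
	// later task in this command can parse it and unify it with `services`.
}
```

For a server evaluating partially trusted input, the practical consequence is that compiling user-supplied CUE through the regular evaluation path (for instance `cue vet` or the Go API) never reaches the `command:` tasks, so no HTTP request is made; only an explicit `cue cmd` invocation does.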

antong commented 3 years ago

Note that current CUE versions are susceptible to resource exhaustion attacks like the Billion Laughs attack: #158.

pingiun commented 3 years ago

This is good to hear; it would be nice to have the considerations in the docs somewhere.

verdverm commented 3 years ago

From https://cuelang.org/docs/usecases/configuration/#tooling

> inject environmental data into configuration, something not allowed in CUE itself (it is pure, or hermetic, or side-effect free)

I agree that this might be called out earlier, perhaps here: https://cuelang.org/docs/about/#separate-configuration-from-computation

myitcv commented 3 years ago

@pingiun as @verdverm indicated above, there are two "modes" to consider here. Regular CUE evaluation is entirely free from side effects. The tooling layer is by design intended to allow side effects because regular evaluation does not (you can view this layer as a scripting-like wrapper around the evaluation layer). As such, I'm not clear what the feature being requested here is. Other than perhaps clarifying those points in the documentation?

pingiun commented 3 years ago

> As such, I'm not clear what the feature being requested here is. Other than perhaps clarifying those points in the documentation?

I'm not sure where it's currently documented that only files with the _tool.cue suffix could execute side effects. I hadn't found it after browsing around and reading the tutorial. It might be nice to make it clearer somewhere.