Describe the bug
While building the security.json policy file, users can input any arbitrary value for 'input sections' and these will be added to the policy file. This is dangerous because it could lead to remote code execution, which would be bad for a security product to do.
To Reproduce
Steps to reproduce the behavior:
From command line => _spartan init
In any input field type function (){ return console.log("Add this arbitrary input to the policy");}
At the confirmation screen, type 'Yes'
See policy
Expected behavior
The policy file is meant to be flat values only: no functions or executable code allowed. Need to have some kind of validation regex which can detect and kick back unacceptable values. Also, since users have the ability to overload security.json on their own, it would be good if the values were validated prior to doing any work involving security.json.
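One way to implement the validation asked for above, as an added example that is not code from the _spartan project: a check that rejects any non-scalar value and any string that looks like code, applied both when `init` collects answers and when an existing security.json is loaded. The accepted value types, the key pattern, the length limit and the code-like regex are assumptions, not something the project defines. Note that `JSON.parse` itself can never produce a function; the risk is a string containing source text being written into the policy and later evaluated or interpolated by whatever consumes the file, so validating at load time covers the hand-edited case too.

```javascript
// Added example (not _spartan's own code). Assumes security.json is a plain
// JSON object whose values must be flat scalars: string, number, boolean, null.

// Patterns that suggest executable code was typed into an input field
// (assumed heuristic; extend per project needs).
const CODE_LIKE = /\bfunction\b|=>|\beval\b|\bnew\s+Function\b|require\s*\(|import\s*\(|<script\b|\$\{/i;

// Maximum length of a single scalar string value (assumption; tune per field).
const MAX_LEN = 256;

function isFlatScalar(v) {
  return v === null || ['string', 'number', 'boolean'].includes(typeof v);
}

// Returns a list of problems; an empty list means the policy is acceptable.
function validatePolicy(policy) {
  const problems = [];
  if (policy === null || typeof policy !== 'object' || Array.isArray(policy)) {
    return ['policy must be a plain JSON object'];
  }
  for (const [key, value] of Object.entries(policy)) {
    // Keys: simple identifiers only, so nothing odd can be smuggled in as a name.
    if (!/^[A-Za-z][A-Za-z0-9_.-]{0,63}$/.test(key)) {
      problems.push(`key "${key}": not a simple identifier`);
      continue;
    }
    // Values: flat scalars only; nested objects and arrays are rejected outright.
    if (!isFlatScalar(value)) {
      const kind = Array.isArray(value) ? 'array' : typeof value;
      problems.push(`key "${key}": value must be a flat scalar, got ${kind}`);
      continue;
    }
    if (typeof value === 'string') {
      if (value.length > MAX_LEN) {
        problems.push(`key "${key}": value exceeds ${MAX_LEN} characters`);
      }
      if (CODE_LIKE.test(value)) {
        problems.push(`key "${key}": value looks like executable code`);
      }
    }
  }
  return problems;
}

// Parse raw file text and validate it before any work uses the policy.
// Throws on malformed JSON or on a rejected value.
function loadPolicy(text) {
  let policy;
  try {
    policy = JSON.parse(text);
  } catch (e) {
    throw new Error(`security.json is not valid JSON: ${e.message}`);
  }
  const problems = validatePolicy(policy);
  if (problems.length > 0) {
    throw new Error(`security.json rejected:\n  ${problems.join('\n  ')}`);
  }
  return policy;
}

// Constructed sample policies (not from the project).
const GOOD = JSON.stringify({
  maxUploadSize: 1048576,
  allowRemote: false,
  origin: 'https://example.invalid',
});
const BAD = JSON.stringify({
  origin: 'function (){ return console.log("Add this arbitrary input to the policy");}',
  nested: { a: 1 },
});

// Stand-alone demonstration: the good policy yields no problems, the bad one two.
console.log('good:', validatePolicy(JSON.parse(GOOD)));
console.log('bad:', validatePolicy(JSON.parse(BAD)));
```

The same `validatePolicy` can run on each answer during `init` (wrapping the single answer as `{ [field]: answer }`) so the confirmation screen never shows a value that would be rejected anyway.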
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here.