We persist most of the user posted information as is. While there shouldn't be any SQL (mongodb with very simple queries) injection problems (please prove me wrong!) some data just doesn't make sense in the scope of in-toto.
Therefor we should sanitize/validate user inputs, and give feedback, so that the user can correct the posted data, some examples.:
step and inspection names need to be unique in the supply chain
several suggested cli snippets are generated based on user input, these should actually work, e.g.
in-toto-run commands or inspection commands, ...
lukpueh
commented
7 years ago
We persist most of the user posted information as is. While there shouldn't be any SQL (mongodb with very simple queries) injection problems (please prove me wrong!) some data just doesn't make sense in the scope of in-toto.
Therefor we should sanitize/validate user inputs, and give feedback, so that the user can correct the posted data, some examples.:
in-toto-runcommands or inspection commands, ...