allow-tools should default to false #1940
Comments
|
This seems like a reasonable change to me. I believe that @gspencergoog added this feature; pinging him for an opinion - |
|
No, it was @jcollins-g that added the flag, but I reviewed the PR. It's not exactly "arbitrary code" though: you have to run Dartdoc with a configuration file that includes the path to the executable you want to run, and it will only run tools configured in the configuration file. The "name" of the tool to run is a key into this configuration file, not a path to (or even necessarily the name of) an executable. We could make it default to false, but that doesn't actually give you any more security: the same configuration file could be used to set it to true, and also set the executable path. |
|
If you download a third-party package and run dartdoc on it, the dartdoc_options.yaml file of that library is used? But the second point is really good. Changing the default is not enough (cc @jonasfj @isoos ) - it is (IMO) questionable if we should allow enabling this from the dartdoc_options file itself. |
|
How about if we make it such that allow-tools cannot be configured from the dartdoc_options file. allow-tools defaults to false and the only way to run it on is to explicitly pass it in on command line. This will be a breaking change. @jonasfj @isoos are there other packages apart from flutter using this? Do we know? |
|
I'm not familiar with all users of dartdoc... Maybe the dart-sdk uses it, athom might know if the Dart release process uses it. We obviously don't use it on pub.dev :) |
|
The SDK does not use it. if pub.dev does not use it, then it's just flutter. |
I think that having dartdoc run arbitrary code on a default invocation is risky and for me seems like a surprising behavior.
I suggest to change the default here:
dartdoc/lib/src/dartdoc_options.dart
Line 1380 in 5a4308d
The text was updated successfully, but these errors were encountered: