fix(templates): disable use of jsonnet with /api/v2/templates/apply
#23030
Conversation
williamhbaker
changed the title
/api/v2/templates/apply
williamhbaker
force-pushed
the
wb-templates-apply-jsonnet-fix
branch
from
cf9d14c
to
edd5fdc
Compare
|
|
||
| for _, rem := range remotes { | ||
| // While things like '.%6Aonnet' evaluate to the default encoding (yaml), let's unescape and catch those too | ||
| decoded, err := url.QueryUnescape(rem) |
There was a problem hiding this comment.
We don't want to return the error here?
There was a problem hiding this comment.
Or does that let too much security information escape?
There was a problem hiding this comment.
There may be some security concern, although there shouldn't be much of an issue since our api.Err(...) methods return sanitized errors to clients. Mostly I am keeping these consistent with the IDPE error messages.
There was a problem hiding this comment.
Hmm, I see @jdstrand has already merged the code in IDPE, so probably we shouldn't become incompatible.
There was a problem hiding this comment.
If you're referring to the specific error from url.QueryUnescape() instead of a generic error, I erred on the side of caution since I felt legitimate use of the API should not be causing this error and so giving the attacker a generic error was fine. If we find this to be problematic in practice, we can return a more specific error.
Disables server-side jsonnet processing to eliminate potential issues with the
go-jsonnetimplementation.