[security] need to sanitize plot_indicators.csv$plotting_function_call #33

Open
7yl4r opened this issue Oct 18, 2017 · 0 comments
7yl4r commented Oct 18, 2017

The addition of custom plotter functions currently evals the cell contents directly or code from an arbitrary brew file (see R/get_plotting_function_brew.R).

The risk here is that running create_info_site without carefully inspecting plot_indicators.csv and any .brew templates referenced therein might lead one to execute unexpected R code. It's no worse than copy-pasting an R script from the internet in the first place, but it's worth noting that we could improve this by sanitizing the input or running it in some sort of sandbox.
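One way to implement the sanitizing step proposed above, as an added example that is not the project's own code: parse each `plotting_function_call` cell, accept only a single call to an allowlisted plotter whose arguments are literals or bare symbols, and evaluate it in an environment that exposes nothing but those plotters and the indicator data. The `ALLOWED_PLOTTERS` names, the `plotters` list and the sample cell values are assumptions for illustration.

```r
# Added example (not project code): validate a plotting_function_call cell from
# plot_indicators.csv before evaluating it. Allowlist names are assumed.
ALLOWED_PLOTTERS <- c("plot_timeseries", "plot_histogram", "plot_map")

# Returns the parsed call if it is exactly one call to an allowlisted function
# with only literal or symbol arguments; otherwise stops with an error.
validate_plot_call <- function(cell_text) {
  exprs <- tryCatch(parse(text = cell_text, keep.source = FALSE),
                    error = function(e) stop("unparseable plotting_function_call: ", cell_text))
  if (length(exprs) != 1) stop("expected exactly one expression, got ", length(exprs))
  call <- exprs[[1]]
  if (!is.call(call) || !is.symbol(call[[1]])) stop("not a simple function call: ", cell_text)
  fname <- as.character(call[[1]])
  if (!(fname %in% ALLOWED_PLOTTERS)) stop("plotting function not allowlisted: ", fname)
  for (arg in as.list(call)[-1]) {
    # Nested calls (e.g. a function call passed as an argument) are rejected.
    if (!(is.atomic(arg) || is.symbol(arg))) stop("only literal or symbol arguments allowed in: ", cell_text)
  }
  call
}

# Evaluate a validated call in an environment whose parent is emptyenv(), so
# only the allowlisted plotters and `data` can be resolved by name.
run_plot_call <- function(cell_text, plotters, data) {
  call <- validate_plot_call(cell_text)
  env <- new.env(parent = emptyenv())
  for (nm in ALLOWED_PLOTTERS) {
    if (!is.null(plotters[[nm]])) assign(nm, plotters[[nm]], envir = env)
  }
  assign("data", data, envir = env)
  eval(call, envir = env)
}

# Constructed sample values as they might appear in the CSV column.
plotters <- list(plot_histogram = function(data, bins = 10) hist(data$value, breaks = bins))
good <- "plot_histogram(data, bins = 20)"
bad  <- "file.remove('results.csv')"  # not a plotter; would have a side effect if eval'd directly

run_plot_call(good, plotters, data.frame(value = rnorm(100)))
tryCatch(run_plot_call(bad, plotters, NULL),
         error = function(e) message("rejected: ", conditionMessage(e)))
```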
