Stop executing YAML tags for mkdocs_theme.yml, warn about third-party projects #3465
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jorgectf
approved these changes
Nov 11, 2023
| @@ -15,6 +15,8 @@ appropriate package name and install it using `pip`: | |||
| pip install mkdocs-foo-plugin | |||
| ``` | |||
|
|
|||
| WARNING: Installing an MkDocs plugin means installing a Python package and executing any code that the author has put in there. So, exercise the usual caution; there's no attempt at sandboxing. | |||
There was a problem hiding this comment.
Suggested change
| WARNING: Installing an MkDocs plugin means installing a Python package and executing any code that the author has put in there. So, exercise the usual caution; there's no attempt at sandboxing. | |
| WARNING: By installing an MkDocs plugin you are installing a Python package and executing any code embedded by the author. There's no attempt at sandboxing, so exercise the usual caution. |
There was a problem hiding this comment.
Sorry, I like my wording better :s
| @@ -196,6 +196,8 @@ theme supports the following options: | |||
|
|
|||
| A list of third party themes can be found at the [community wiki] page and [the ranked catalog][catalog]. If you have created your own, please add them there. | |||
|
|
|||
| WARNING: Installing an MkDocs theme means installing a Python package and executing any code that the author has put in there. So, exercise the usual caution; there's no attempt at sandboxing. | |||
There was a problem hiding this comment.
Suggested change
| WARNING: Installing an MkDocs theme means installing a Python package and executing any code that the author has put in there. So, exercise the usual caution; there's no attempt at sandboxing. | |
| WARNING: By installing an MkDocs plugin you are installing a Python package and executing any code embedded by the author. There's no attempt at sandboxing, so exercise the usual caution. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
@jorgectf
This is the outcome of #3418
Which warned about arbitrary code execution via installing a theme and that theme having malicious YAML tags.
I found that there are a lot more ways for arbitrary code execution if you install an untrusted package and import it.
As such, this change only slightly reduces the attack surface, but at the same time I don't really consider it a security issue in the first place, and I don't think it'd be useful for users to see all versions of MkDocs as having a security vulnerability and then also see that this change fixes it (but actually not really).
But I agree:
mkdocs_theme.ymlis pointless.So, the changes are in accordance to that:
Bonus change:
get_themes()