Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request: YQ command validation and testing #1230

Open
tspearconquest opened this issue May 29, 2022 · 1 comment
Open

Feature request: YQ command validation and testing #1230

tspearconquest opened this issue May 29, 2022 · 1 comment
Labels
enhancement v4

Comments

@tspearconquest
Copy link

tspearconquest commented May 29, 2022
edited
Loading

Please describe your feature request.
I recently started working on a way to replace our CI pipeline code that leverages sed to perform string replacement in kubernetes manifests with yq which is more purpose-built for the job.

It occurred to me that yq has a lot of advanced functionality, and I found while I was testing today that its pretty easy to make a mistake and end up creating fields that you didn't intend to, which leads me to think that it may be possible to find vulnerabilities in yq expressions that I write.

For example, malicious actors may take advantage of inexperienced yq users' mistakes via a CI pipeline if the user is not careful, which can introduce flaws into a system by injecting some additional fields. For example, I could foresee a malicious container being injected into a multi-document kubernetes manifest which then leads to exploiting some application and elevating privileges via the sidecar.

Describe the solution you'd like
So I wanted to ask for either of the following:

  • A way to run diffs against yq changes that will highlight what is happening without needing to rely on git, so that we can analyze diffs in shell or in a CI pipeline that may be containerized with yq available but does not have git available for security reasons.
  • Alternatively, a sandbox website similar to jqplay.org which will allow users to more easily and visually test their yq commands providing the same features as above

Describe alternatives you've considered

  • jqplay.org - which doesn't support some of the operators that yq does, like the with operator
  • googled for yq command linting but found results for linting yaml itself using yq.. lol

Additional context
I was having some trouble with a multi-document yaml file where the expression I was using to update a list in one document, was creating a blank list at the same location in other documents in the same file that I had not intended for the list to be added to. That lead to me thinking about exploitability, and that it was difficult to identify in my shell what inadvertent changes were taking place. I ended up resorting to comparing the modified and unmodified file in-tree using git diff, but this was still error-prone for large multi-document files.

I did end up finding the right way to make the update I was wanting to make without the extra fields being created elsewhere, but it took a bit before I noticed the additional fields, as I had not been expecting the addition of that field in that document in the file, and it was buried among some other changes that I had expected.
@mikefarah
Copy link
Owner

A sandbox would be pretty cool. I personally don't have the time to build something like that - but agree that it'd be neat :D

Re git diff - you can always use diff:

diff original.yaml <(yq 'cool expression' original.yaml)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement v4
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mikefarah @tspearconquest