terraform-aws-cloudtrail-to-slack
Use of eval()
I don't see any sanitizing of custom rules so you'd be able to execute arbitrary python code.
@deyceg Thank you for reporting this and yes, eval is dangerous.
Do you see any low-hanging fruit that would help to mitigate this? I have been thinking of replacing eval with a rule engine, but at the moment everything that I have seen is quite complex for comprehension and would prevent users from writing their own rules...
Reading it one more time now and yes, we could try to do sanitization. Will look into it.
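The following is an added illustration of the two options discussed in this thread; it is not code from the terraform-aws-cloudtrail-to-slack project. It assumes a rule is a Python boolean expression over a CloudTrail record exposed as a dict named `event` (the project's actual rule format and variable name may differ), and the sample event is constructed for the example. `evaluate_rule_unsafe` is the plain `eval()` pattern the report describes; `evaluate_rule_safe` is one form of the sanitization the maintainer mentions: parse the rule with `ast`, accept only an allow-list of node types (no attribute access, no calls, no names other than `event`), and only then hand the compiled expression to `eval()` with empty builtins. The allow-list is what stops `__import__(...)` and dunder gadget chains like `().__class__.__base__.__subclasses__()`; an empty `__builtins__` alone does not. Requires Python 3.8 or newer.

```python
import ast

# Constructed sample CloudTrail record for the example (not project test data).
SAMPLE_EVENT = {
    "eventName": "ConsoleLogin",
    "errorMessage": "Failed authentication",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
}


def evaluate_rule_unsafe(rule: str, event: dict) -> bool:
    """The pattern reported in the issue: the rule string is arbitrary Python.

    Anyone who can write a rule can run code in the Lambda's role.
    """
    return bool(eval(rule, {"event": event}))


# Syntax a rule may use: boolean logic, comparisons, literals, the name
# `event`, and subscripts such as event["userIdentity"]["type"].
# Deliberately absent: ast.Attribute, ast.Call, ast.Lambda, comprehensions,
# f-strings and the walrus operator, so no function can be reached at all.
_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.In, ast.NotIn, ast.Is, ast.IsNot,
    ast.Name, ast.Load, ast.Constant, ast.Subscript, ast.Tuple, ast.List,
)
# Python 3.8 wraps subscript indices in ast.Index; 3.9+ does not emit it.
if hasattr(ast, "Index"):
    _ALLOWED_NODES += (ast.Index,)

_ALLOWED_NAMES = frozenset({"event"})


def validate_rule(rule: str) -> ast.Expression:
    """Parse the rule and reject anything outside the allow-list."""
    try:
        tree = ast.parse(rule, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"rule is not a valid expression: {exc}") from exc
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"disallowed syntax in rule: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in _ALLOWED_NAMES:
            raise ValueError(f"disallowed name in rule: {node.id}")
    return tree


def rule_is_accepted(rule: str) -> bool:
    """True if the rule passes validation, False if it would be rejected."""
    try:
        validate_rule(rule)
        return True
    except ValueError:
        return False


def evaluate_rule_safe(rule: str, event: dict) -> bool:
    """Evaluate a validated rule against one event.

    A rule that references a key the event lacks is treated as a non-match
    rather than an error, so one malformed rule cannot break processing.
    """
    code = compile(validate_rule(rule), "<rule>", "eval")
    try:
        # Defence in depth: the allow-list already excludes calls and
        # attributes; empty builtins remove the remaining globals as well.
        return bool(eval(code, {"__builtins__": {}}, {"event": event}))
    except (KeyError, IndexError, TypeError):
        return False


if __name__ == "__main__":
    benign = "event['eventName'] == 'ConsoleLogin' and 'errorMessage' in event"
    malicious = "__import__('os').getcwd() != ''"
    print("benign rule matches:", evaluate_rule_safe(benign, SAMPLE_EVENT))
    print("unsafe eval runs attacker code:", evaluate_rule_unsafe(malicious, SAMPLE_EVENT))
    print("safe evaluator accepts attacker rule:", rule_is_accepted(malicious))
```

If rules genuinely need helpers (for example a prefix match on `eventName`), the safer extension is to allow `ast.Call` only when the callee is an `ast.Name` found in an explicit dict of trusted functions passed as the globals, rather than re-enabling attribute access, which is where the `__class__` gadget chains live.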