Put `Fn::Eval` behind CLI switch

Open monken opened this issue 1 year ago • 2 comments

I would want cfn-include to remain clear of eval unless explicitly enabled through a CLI switch. A template could contain malicious code in the eval block and we would happily execute it. Instead, I'd suggest we would fail the Fn::Eval block and ask the user to pass a --eval switch to the CLI to enabled it. @nmccready what are your thoughts? Any other risky functions you can think of?

May 28 '24 16:05 monken

Fine with me I believe that’s the only one.

May 28 '24 16:05 nmccready

This also includes Fn::IfEval as well

May 29 '24 19:05 nmccready

Done https://github.com/monken/cfn-include/pull/63

Aug 24 '24 02:08 nmccready