modules: read cue.mod/module.cue in data-only mode #3138

Closed
myitcv opened this issue May 10, 2024 · 0 comments
Assignees
Labels
FeatureRequest New feature or request modules Issues related to CUE modules and the experimental implementation Security

myitcv (Member) commented May 10, 2024

Currently module.cue files can contain arbitrary CUE, including references, stdlib imports, comprehensions etc. As the module.cue file is necessary metadata required before doing any CUE work, this lays open the tooling to potential DoS attacks and also makes the file less amenable to automatic edits, which is an important requirement of module tooling.

We should parse the module.cue file in data-only mode to avoid these potential pitfalls.

@myitcv myitcv added FeatureRequest New feature or request modules Issues related to CUE modules and the experimental implementation labels May 10, 2024
cueckoo pushed a commit that referenced this issue May 13, 2024
This reduces the surface for denial of service attacks involving
arbitrary computations via the module.cue file.

Fixes #3138.

Signed-off-by: Roger Peppe <rogpeppe@gmail.com>
Change-Id: If58c8d3a7b05a657543909bf9d1ebaaf4296d039
cueckoo pushed a commit that referenced this issue May 15, 2024
This reduces the surface for denial of service attacks involving
arbitrary computations via the module.cue file.

Note that we never supported non-data CUE in cue.mod/module.cue;
commands like `cue mod tidy` and `cue mod get` assumed plain CUE data so
that they could modify some fields and write the file back to disk.

Fixes #3138.

Signed-off-by: Roger Peppe <rogpeppe@gmail.com>
Change-Id: If58c8d3a7b05a657543909bf9d1ebaaf4296d039
Labels
FeatureRequest New feature or request modules Issues related to CUE modules and the experimental implementation Security
Projects
Status: Done
Status: v0.9.0-alpha.5
Development

No branches or pull requests

2 participants