Flag potential security risks in extensions #85
Comments
Another such function is
I believe that the extension documentation explains the functionality enough for a user to make an informed decision.
Several extensions offer functionality through `select` that may pose a security risk if used in an environment that allows arbitrary queries. These extensions should be flagged as potential risks in their documentation.

For example,

- `fileio` operations could permit arbitrary access to the file system.
- `env` operations could allow access to private information such as secret values set using environment variables.

While accessing these extensions requires that they be explicitly loaded, a naive client app may do so without consideration of the potential security risks. A prominent warning in the documentation may be a suitable safety measure, though other precautions may be warranted.
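
One precaution on the client side, for an application that accepts arbitrary queries, is a deny-by-default SQLite authorizer, so that functions added by loaded extensions cannot be called unless they are allowlisted. This is an added example, not part of the original issue or the project's code; it uses Python's standard `sqlite3` module, and `read_secret`, the `notes` table and both allowlists are hypothetical stand-ins.

```python
import sqlite3

# Allowlists chosen by the application (assumed values for this example).
ALLOWED_FUNCTIONS = {"count", "length", "lower", "upper"}
ALLOWED_TABLES = {"notes"}


def authorizer(action, arg1, arg2, db_name, source):
    """Deny by default; permit SELECTs over allowlisted tables and functions."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
        return sqlite3.SQLITE_OK if arg1 in ALLOWED_TABLES else sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_FUNCTION:  # arg2 = function name
        name = (arg2 or "").lower()
        return sqlite3.SQLITE_OK if name in ALLOWED_FUNCTIONS else sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_DENY  # writes, ATTACH, PRAGMA, everything else


def open_demo_db(restricted=True):
    """Build a constructed in-memory database with one risky function registered."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    conn.execute("INSERT INTO notes VALUES ('hello')")
    conn.commit()
    # Hypothetical stand-in for an extension function that exposes host data.
    conn.create_function("read_secret", 0, lambda: "constructed-secret")
    if restricted:
        conn.set_authorizer(authorizer)  # install only after trusted setup
    return conn


def run_untrusted(conn, sql):
    """Return the rows, or None when SQLite refuses or fails to run the statement."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return None


if __name__ == "__main__":
    db = open_demo_db()
    for query in ("SELECT upper(body) FROM notes", "SELECT read_secret()"):
        print(query, "->", run_untrusted(db, query))
```

The authorizer runs when a statement is prepared, so a denied function or table causes the whole query to be rejected before any row is produced.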