Flag potential security risks in extensions #85

Closed

mhalle opened this issue Jun 19, 2023 · 2 comments

Comments

@mhalle

mhalle commented Jun 19, 2023

Several extensions offer functionality through select that may pose a security risk if used in an environment that allows arbitrary queries.

These extensions should be flagged as potential risks in their documentation.

For example, fileio operations could permit arbitrary access to the file system. env operations could allow access to private information such as secret values set using environment variables.

While accessing these extensions requires that they be explicitly loaded, a naive client app may do so without consideration of the potential security risks. A prominent warning in the documentation may be a suitable safety measure, though other precautions may be warranted.


@jlarmstrongiv

Another such function is eval()
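One defensive pattern for the concern raised in the two comments above, as an added example that is not part of this issue or of the project's own code: a client application that loads file, environment or eval extensions can install an SQLite authorizer so that queries from untrusted sources cannot call those functions while ordinary SQL keeps working. The function names `readfile`, `writefile`, `env` and `eval` in the deny-list, and the two small Python stand-in functions registered under `readfile` and `env`, are assumptions made for illustration; they stand in for the extensions' SQL functions so the script runs without loading any extension, and are not the real implementations.

```python
import os
import sqlite3

# Constructed stand-ins that mimic the shape of a file-reading and an
# environment-reading SQL function. Assumption for illustration only; they are
# not the sqlean implementations and exist so the example runs offline.
def _stand_in_readfile(path):
    with open(path, "rb") as f:
        return f.read()


def _stand_in_env(name):
    return os.environ.get(name)


# Assumed deny-list of SQL function names that untrusted queries must not reach.
# Adjust it to the functions actually exposed by the extensions you load.
BLOCKED_FUNCTIONS = frozenset({"readfile", "writefile", "env", "eval"})


def _authorizer(action, arg1, arg2, dbname, source):
    """SQLite authorizer callback, invoked while a statement is being prepared.

    For the SQLITE_FUNCTION action SQLite passes the function name as arg2.
    Returning SQLITE_DENY makes the prepare step fail with 'not authorized',
    so the statement never runs at all.
    """
    if action == sqlite3.SQLITE_FUNCTION and arg2 and arg2.lower() in BLOCKED_FUNCTIONS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_connection(trusted: bool) -> sqlite3.Connection:
    """Open an in-memory database with the stand-in functions registered.

    Untrusted connections get the authorizer installed; a trusted, internal
    code path keeps full access.
    """
    conn = sqlite3.connect(":memory:")
    conn.create_function("readfile", 1, _stand_in_readfile)
    conn.create_function("env", 1, _stand_in_env)
    if not trusted:
        conn.set_authorizer(_authorizer)
    return conn


def run_query(conn: sqlite3.Connection, sql: str):
    """Run one statement; return ('ok', rows) or ('denied', error message)."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:  # OperationalError is a subclass
        return "denied", str(exc)


if __name__ == "__main__":
    untrusted = open_connection(trusted=False)
    print(run_query(untrusted, "select upper('abc')"))            # ordinary SQL still works
    print(run_query(untrusted, "select env('NO_SUCH_VAR_XYZ')"))  # blocked before execution
    trusted = open_connection(trusted=True)
    print(run_query(trusted, "select env('NO_SUCH_VAR_XYZ')"))    # internal path keeps access
```

The check happens at prepare time, so a denied function is refused before any row is read, and the deny-list must name every risky function the loaded extensions register; where the set of functions untrusted queries legitimately need is small, an allow-list in the same callback (deny any `SQLITE_FUNCTION` whose name is not on it) is the stronger configuration.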

@nalgeon (Owner)

nalgeon commented Sep 23, 2023

I believe that the extension documentation explains the functionality enough for a user to make an informed decision.
