Add allow_imports option to DEFINE_fiddle_config etc., default False #601

Open

copybara-service[bot] wants to merge 1 commit into main from
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Add `allow_imports` option to `DEFINE_fiddle_config` etc., default `False`

This change fixes an RCE security vulnerability that occurs if the Fiddle flags come from an untrusted or less-trusted source.

This change exposes the `allow_imports` option in `DEFINE_fiddle_config`, and defaults it to `False` (previous behavior was implicitly `True`); as well as changing the default value of this option in the underlying `FiddleFlag` class from `True` to `False`. This prevents Fiddle from implicitly loading modules and executing code when dotted names are passed, such as `--config=config:foo.bar()`.

**If this change broke you**: the easiest fix is to add `allow_imports=True` to your `DEFINE_fiddle_config`. This will revert your code to the previous behavior. However, if possible we recommend that you instead place all the functions you might need into one module, and set `default_module` to that.

PiperOrigin-RevId: 879723838
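The policy the commit message describes, as an added Python illustration (not Fiddle's own code): a minimal stand-in for turning a `config:` flag value into a callable, where plain names and attribute chains resolve inside `default_module` without importing anything, and a dotted name is imported as a module only when the caller opted in with `allow_imports=True`. `resolve_config_fn`, `import_refused` and the `my_configs` module are constructed for this example and are not Fiddle APIs.

```python
import importlib
import types
from typing import Callable, Optional

class ImportNotAllowed(PermissionError):
    """A dotted name would require importing a module, which is disabled."""

def resolve_config_fn(spec: str, *, default_module: Optional[types.ModuleType] = None,
                      allow_imports: bool = False) -> Callable:
    """Resolve "base_config()" or "foo.bar()" to a callable.

    Names are first looked up as attributes of default_module (an attribute
    walk never imports anything).  Only if that fails and the caller opted in
    with allow_imports=True is the dotted prefix imported as a module.
    """
    name = spec.strip()
    if name.endswith("()"):
        name = name[:-2]
    head, *rest = name.split(".")
    # 1. Attribute walk inside the trusted default module: nothing is imported.
    if default_module is not None and hasattr(default_module, head):
        obj = getattr(default_module, head)
        for part in rest:
            obj = getattr(obj, part)
        return obj
    if not rest:
        raise AttributeError(f"{name!r} is not defined in default_module")
    # 2. Anything else means importing a module whose name came from the flag.
    module_name = ".".join([head, *rest[:-1]])
    if not allow_imports:
        raise ImportNotAllowed(
            f"{name!r} would import {module_name!r}; pass allow_imports=True to "
            "DEFINE_fiddle_config or move the function into default_module")
    return getattr(importlib.import_module(module_name), rest[-1])

def import_refused(spec: str, **kwargs) -> bool:
    """True if resolving spec with these options is blocked by the policy."""
    try:
        resolve_config_fn(spec, **kwargs)
    except ImportNotAllowed:
        return True
    return False

# Constructed sample module standing in for a project's own config file.
my_configs = types.ModuleType("my_configs")
my_configs.base_config = lambda: {"lr": 0.1}
```

With the default policy, `base_config()` resolves from `my_configs` while `foo.bar()` is refused; the same dotted name is only imported once `allow_imports=True` is passed explicitly.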
b075a56 to 59f4cf8