Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expand "Security" Section of Readme #41

Open
kurttomlinson opened this issue Nov 25, 2015 · 1 comment
Open

Expand "Security" Section of Readme #41

kurttomlinson opened this issue Nov 25, 2015 · 1 comment

Comments

@kurttomlinson
Copy link

Please add more detail to the security section of the Readme. It'd be useful to have some example code showing how to safely use user-provided templates. I'd also like to know what the vulnerabilities are, generally.

My current plan to avoid security issues in using user-provided templates is to serialize and then deserialize any objects that I pass to template.call(). Would that be enough to remove filesystem and database access in a Rails environment?

Finally, I'll use a whitelist to limit the fields that I allow to be reserialized before passing the object to template.call() so the users can't read any variables that I don't want to make public.

Thanks!
@ryanwjackson
Copy link

Has there been any progress on this? Would be awesome to know how to handle user-provided templates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ryanwjackson @kurttomlinson