Skip to content

Add a note to the specification for implementations to NOT evaluate jq expressions on user's input #1162

Description

@ricardozanini

Make it explicitly that jq expressions MUST be evaluated ONLY on the workflows definitions and NOT on user's input.

Having user's to submit workflow data to a workflow runtime that contains jq expressions on it, open a huge security breach on their systems. Regular Expressions, for instance, can be used to exploit system data and resources.

Workflows should evaluate jq expressions ONLY on the definitions itself, not on user's input.

Metadata

Metadata

Assignees

Labels

area: specChanges in the Specificationchange: documentationImprovements or additions to documentation. It won't impact a version change.

Type

Fields

No fields configured for Task.

Projects

Status
Backlog

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions