Prevent CEL injection to WhenExpression.CEL from params, results #7316

Open
Yongxuanzhang opened this issue Oct 31, 2023 · 0 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug.)

Comments

@Yongxuanzhang (Member)
CEL expressions were introduced in v0.53. We need to make sure that CEL cannot be injected via variable substitution. This is a corner case in which CEL can be evaluated when it is not expected:

"'+('release/v1'.matches('release/.*') ? 'true' : 'false') +'"

One possible solution is to do an AST traversal and perform the string replacements there.

@Yongxuanzhang Yongxuanzhang self-assigned this Oct 31, 2023
@Yongxuanzhang Yongxuanzhang added the kind/bug Categorizes issue or PR as related to a bug. label Oct 31, 2023
@Yongxuanzhang Yongxuanzhang changed the title Make sure params, results cannot pass valid CEL expression to WhenExpression.CEL Prevent CEL injection to WhenExpression.CEL from params, results Nov 3, 2023
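As an added illustration (not Tekton's code), the Go below contrasts plain textual substitution, which lets the quoted payload from the issue change the CEL expression, with substitution that renders the parameter as one escaped CEL string literal. The `$(params.x)` reference syntax, the helper names and the sample template are assumptions, and escaping into a literal is an alternative to the AST traversal the issue proposes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// paramRef matches a Tekton-style parameter reference such as $(params.branch).
var paramRef = regexp.MustCompile(`\$\(params\.([A-Za-z0-9_-]+)\)`)

// substituteNaive models plain textual replacement: the raw parameter value is
// spliced into the CEL source, so quotes inside the value change the expression.
func substituteNaive(expr string, params map[string]string) string {
	return paramRef.ReplaceAllStringFunc(expr, func(ref string) string {
		return params[paramRef.FindStringSubmatch(ref)[1]]
	})
}

// celStringLiteral renders v as one single-quoted CEL string literal, escaping
// backslashes, quotes and line breaks so the value cannot close the literal.
func celStringLiteral(v string) string {
	esc := strings.NewReplacer(`\`, `\\`, `'`, `\'`, "\n", `\n`, "\r", `\r`)
	return "'" + esc.Replace(v) + "'"
}

// substituteQuoted replaces each reference with a complete string literal; the
// template therefore writes $(params.x) bare, never inside its own quotes.
func substituteQuoted(expr string, params map[string]string) string {
	return paramRef.ReplaceAllStringFunc(expr, func(ref string) string {
		return celStringLiteral(params[paramRef.FindStringSubmatch(ref)[1]])
	})
}

func main() {
	// Constructed input: the payload quoted in the issue, supplied as a param value.
	params := map[string]string{
		"branch": `'+('release/v1'.matches('release/.*') ? 'true' : 'false') +'`,
	}
	// Naive: the value breaks out of the quotes and the whole ternary is evaluated.
	fmt.Println(substituteNaive(`'$(params.branch)' == 'true'`, params))
	// Quoted: the value stays a single string literal and is only compared.
	fmt.Println(substituteQuoted(`$(params.branch) == 'true'`, params))
}
```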