From 06517a463ecb7c1934aa25d29711cd41e47f9ab4 Mon Sep 17 00:00:00 2001 From: Mike Farah Date: Sat, 22 Nov 2025 15:01:51 +1100 Subject: [PATCH] v4.49.1 --- operators/env-variable-operators.md | 39 ++++++++++++++++++ operators/load.md | 64 +++++++++++++++++++++++++++++ usage/toml.md | 21 ++++++++++ 3 files changed, 124 insertions(+) diff --git a/operators/env-variable-operators.md b/operators/env-variable-operators.md index c616f66c..4c39a216 100644 --- a/operators/env-variable-operators.md +++ b/operators/env-variable-operators.md @@ -29,6 +29,9 @@ as follows: yq '(.. | select(tag == "!!str")) |= envsubst' file.yaml ``` +## Disabling env operators +If required, you can use the `--security-disable-env-ops` to disable env operations. + ## Read string environment variable Running @@ -254,3 +257,39 @@ will output Error: variable ${notThere} not set ``` +## env() operation fails when security is enabled +Use `--security-disable-env-ops` to disable env operations for security. + +Running +```bash +yq --null-input 'env("MYENV")' +``` +will output +```bash +Error: env operations have been disabled +``` + +## strenv() operation fails when security is enabled +Use `--security-disable-env-ops` to disable env operations for security. + +Running +```bash +yq --null-input 'strenv("MYENV")' +``` +will output +```bash +Error: env operations have been disabled +``` + +## envsubst() operation fails when security is enabled +Use `--security-disable-env-ops` to disable env operations for security. + +Running +```bash +yq --null-input '"value: ${MYENV}" | envsubst' +``` +will output +```bash +Error: env operations have been disabled +``` + diff --git a/operators/load.md b/operators/load.md index dc0463aa..588e0076 100644 --- a/operators/load.md +++ b/operators/load.md @@ -47,6 +47,10 @@ this.is = a properties file bXkgc2VjcmV0IGNoaWxsaSByZWNpcGUgaXMuLi4u ``` +## Disabling file operators +If required, you can use the `--security-disable-file-ops` to disable file operations. + + ## Simple example Given a sample.yml file of: ```yaml @@ -194,3 +198,63 @@ cool: things more_stuff: my secret chilli recipe is.... ``` +## load() operation fails when security is enabled +Use `--security-disable-file-ops` to disable file operations for security. + +Running +```bash +yq --null-input 'load("../../examples/thing.yml")' +``` +will output +```bash +Error: file operations have been disabled +``` + +## load_str() operation fails when security is enabled +Use `--security-disable-file-ops` to disable file operations for security. + +Running +```bash +yq --null-input 'load_str("../../examples/thing.yml")' +``` +will output +```bash +Error: file operations have been disabled +``` + +## load_xml() operation fails when security is enabled +Use `--security-disable-file-ops` to disable file operations for security. + +Running +```bash +yq --null-input 'load_xml("../../examples/small.xml")' +``` +will output +```bash +Error: file operations have been disabled +``` + +## load_props() operation fails when security is enabled +Use `--security-disable-file-ops` to disable file operations for security. + +Running +```bash +yq --null-input 'load_props("../../examples/small.properties")' +``` +will output +```bash +Error: file operations have been disabled +``` + +## load_base64() operation fails when security is enabled +Use `--security-disable-file-ops` to disable file operations for security. + +Running +```bash +yq --null-input 'load_base64("../../examples/base64.txt")' +``` +will output +```bash +Error: file operations have been disabled +``` + diff --git a/usage/toml.md b/usage/toml.md index 72773383..7cc4c375 100644 --- a/usage/toml.md +++ b/usage/toml.md @@ -104,6 +104,27 @@ owner: suburb: nice ``` +## Parse: Array of Array Table +Given a sample.toml file of: +```toml + +[[fruits]] +name = "apple" +[[fruits.varieties]] # nested array of tables +name = "red delicious" +``` +then +```bash +yq -oy '.' sample.toml +``` +will output +```yaml +fruits: + - name: apple + varieties: + - name: red delicious +``` + ## Parse: Empty Table Given a sample.toml file of: ```toml