Compare commits

..

No commits in common. "62d28d54959751eaae752d7550de8989fbdec5e1" and "e10e8127e1cb4986691c70aa7c7164e7cc75b81e" have entirely different histories.

5 changed files with 43 additions and 75 deletions

View File

@ -213,6 +213,10 @@ yq -P -oy sample.json
rootCmd.PersistentFlags().BoolVarP(&yqlib.ConfiguredSecurityPreferences.DisableEnvOps, "security-disable-env-ops", "", false, "Disable env related operations.")
rootCmd.PersistentFlags().BoolVarP(&yqlib.ConfiguredSecurityPreferences.DisableFileOps, "security-disable-file-ops", "", false, "Disable file related operations (e.g. load)")
rootCmd.PersistentFlags().BoolVarP(&yqlib.ConfiguredSecurityPreferences.EnableSystemOps, "security-enable-system-operator", "", false, "Enable system operator to allow execution of external commands.")
rootCmd.PersistentFlags().BoolVarP(&yqlib.ConfiguredSecurityPreferences.EnableSystemOps, "enable-system-operator", "", false, "DEPRECATED: use --security-enable-system-operator instead. Enable system operator to allow execution of external commands.")
if err = rootCmd.MarkPersistentFlagDeprecated("enable-system-operator", "use --security-enable-system-operator instead."); err != nil {
panic(err)
}
rootCmd.AddCommand(
createEvaluateSequenceCommand(),

View File

@ -2,26 +2,22 @@
The `system` operator allows you to run an external command and use its output as a value in your expression.
**Security warning**: The system operator is disabled by default. You must explicitly pass `--security-enable-system-operator` to use it.
**Note:** When enabled, the system operator can replicate the functionality of `env` and `load`
operators via external commands. Enabling it effectively overrides `--security-disable-env-ops`
and `--security-disable-file-ops`.
**Security warning**: The system operator is disabled by default. You must explicitly pass `--enable-system-operator` to use it.
## Usage
```bash
yq --security-enable-system-operator --null-input '.field = system("command"; "arg1")'
yq --enable-system-operator --null-input '.field = system("command"; "arg1")'
```
The operator takes:
- A command string (required)
- An argument (or an array of arguments), separated from the command by `;` (optional)
- An argument or array of arguments separated by `;` (optional)
The current matched node's value is serialised and piped to the command via stdin. The command's stdout (with trailing newline stripped) is returned as a string.
## Disabling the system operator
The system operator is disabled by default. When disabled, an error is returned instead of running the command, consistent with `--security-disable-env-ops` and `--security-disable-file-ops`.
The system operator is disabled by default. When disabled, a warning is logged and `null` is returned instead of running the command.
Use `--security-enable-system-operator` flag to enable it.
Use `--enable-system-operator` flag to enable it.

View File

@ -2,32 +2,28 @@
The `system` operator allows you to run an external command and use its output as a value in your expression.
**Security warning**: The system operator is disabled by default. You must explicitly pass `--security-enable-system-operator` to use it.
**Note:** When enabled, the system operator can replicate the functionality of `env` and `load`
operators via external commands. Enabling it effectively overrides `--security-disable-env-ops`
and `--security-disable-file-ops`.
**Security warning**: The system operator is disabled by default. You must explicitly pass `--enable-system-operator` to use it.
## Usage
```bash
yq --security-enable-system-operator --null-input '.field = system("command"; "arg1")'
yq --enable-system-operator --null-input '.field = system("command"; "arg1")'
```
The operator takes:
- A command string (required)
- An argument (or an array of arguments), separated from the command by `;` (optional)
- An argument or array of arguments separated by `;` (optional)
The current matched node's value is serialised and piped to the command via stdin. The command's stdout (with trailing newline stripped) is returned as a string.
## Disabling the system operator
The system operator is disabled by default. When disabled, an error is returned instead of running the command, consistent with `--security-disable-env-ops` and `--security-disable-file-ops`.
The system operator is disabled by default. When disabled, a warning is logged and `null` is returned instead of running the command.
Use `--security-enable-system-operator` flag to enable it.
Use `--enable-system-operator` flag to enable it.
## system operator returns error when disabled
Use `--security-enable-system-operator` to enable the system operator.
## system operator returns null when disabled
Use `--enable-system-operator` to enable the system operator.
Given a sample.yml file of:
```yaml
@ -38,12 +34,12 @@ then
yq '.country = system("/usr/bin/echo"; "test")' sample.yml
```
will output
```bash
Error: system operations are disabled, use --security-enable-system-operator to enable
```yaml
country: null
```
## Run a command with an argument
Use `--security-enable-system-operator` to enable the system operator.
Use `--enable-system-operator` to enable the system operator.
Given a sample.yml file of:
```yaml
@ -51,7 +47,7 @@ country: Australia
```
then
```bash
yq --security-enable-system-operator '.country = system("/usr/bin/echo"; "test")' sample.yml
yq --enable-system-operator '.country = system("/usr/bin/echo"; "test")' sample.yml
```
will output
```yaml
@ -67,7 +63,7 @@ a: hello
```
then
```bash
yq --security-enable-system-operator '.a = system("/usr/bin/echo")' sample.yml
yq --enable-system-operator '.a = system("/usr/bin/echo")' sample.yml
```
will output
```yaml

View File

@ -8,37 +8,18 @@ import (
"strings"
)
func resolveSystemArgs(argsNode *CandidateNode) ([]string, error) {
if argsNode == nil {
return nil, nil
}
func resolveSystemArgs(argsNode *CandidateNode) []string {
if argsNode.Kind == SequenceNode {
args := make([]string, 0, len(argsNode.Content))
for _, child := range argsNode.Content {
// Only non-null scalar children are valid arguments.
if child == nil {
continue
}
if child.Kind != ScalarNode || child.Tag == "!!null" {
return nil, fmt.Errorf("system operator: argument must be a non-null scalar; got kind=%v tag=%v", child.Kind, child.Tag)
}
args = append(args, child.Value)
}
if len(args) == 0 {
return nil, nil
}
return args, nil
return args
}
// Single-argument case: only accept a non-null scalar node.
if argsNode.Tag == "!!null" {
return nil, nil
if argsNode.Tag != "!!null" {
return []string{argsNode.Value}
}
if argsNode.Kind != ScalarNode {
return nil, fmt.Errorf("system operator: args must be a non-null scalar or sequence of non-null scalars; got kind=%v tag=%v", argsNode.Kind, argsNode.Tag)
}
return []string{argsNode.Value}, nil
return nil
}
func resolveCommandNode(commandNodes Context) (string, error) {
@ -49,7 +30,7 @@ func resolveCommandNode(commandNodes Context) (string, error) {
log.Debugf("system operator: command expression returned %d results, using first", commandNodes.MatchingNodes.Len())
}
cmdNode := commandNodes.MatchingNodes.Front().Value.(*CandidateNode)
if cmdNode.Kind != ScalarNode || cmdNode.guessTagFromCustomType() != "!!str" {
if cmdNode.Kind != ScalarNode || cmdNode.Tag == "!!null" {
return "", fmt.Errorf("system operator: command must be a string scalar")
}
if cmdNode.Value == "" {
@ -60,7 +41,13 @@ func resolveCommandNode(commandNodes Context) (string, error) {
func systemOperator(d *dataTreeNavigator, context Context, expressionNode *ExpressionNode) (Context, error) {
if !ConfiguredSecurityPreferences.EnableSystemOps {
return Context{}, fmt.Errorf("system operations are disabled, use --security-enable-system-operator to enable")
log.Warning("system operator is disabled, use --enable-system-operator flag to enable")
results := list.New()
for el := context.MatchingNodes.Front(); el != nil; el = el.Next() {
candidate := el.Value.(*CandidateNode)
results.PushBack(candidate.CreateReplacement(ScalarNode, "!!null", "null"))
}
return context.ChildContext(results), nil
}
// determine at parse time whether we have (command; args) or just (command)
@ -90,14 +77,8 @@ func systemOperator(d *dataTreeNavigator, context Context, expressionNode *Expre
if err != nil {
return Context{}, err
}
if argsNodes.MatchingNodes.Len() > 1 {
log.Debugf("system operator: args expression returned %d results, using first", argsNodes.MatchingNodes.Len())
}
if argsNodes.MatchingNodes.Front() != nil {
args, err = resolveSystemArgs(argsNodes.MatchingNodes.Front().Value.(*CandidateNode))
if err != nil {
return Context{}, err
}
args = resolveSystemArgs(argsNodes.MatchingNodes.Front().Value.(*CandidateNode))
}
} else {
commandNodes, err := d.GetMatchingNodes(nodeContext, expressionNode.RHS)

View File

@ -16,11 +16,13 @@ func findExec(t *testing.T, name string) string {
var systemOperatorDisabledScenarios = []expressionScenario{
{
description: "system operator returns error when disabled",
subdescription: "Use `--security-enable-system-operator` to enable the system operator.",
description: "system operator returns null when disabled",
subdescription: "Use `--enable-system-operator` to enable the system operator.",
document: "country: Australia",
expression: `.country = system("/usr/bin/echo"; "test")`,
expectedError: "system operations are disabled, use --security-enable-system-operator to enable",
expected: []string{
"D0, P[], (!!map)::country: null\n",
},
},
}
@ -52,8 +54,8 @@ func TestSystemOperatorEnabledScenarios(t *testing.T) {
scenarios := []expressionScenario{
{
description: "Run a command with an argument",
subdescription: "Use `--security-enable-system-operator` to enable the system operator.",
yqFlags: "--security-enable-system-operator",
subdescription: "Use `--enable-system-operator` to enable the system operator.",
yqFlags: "--enable-system-operator",
document: "country: Australia",
expression: `.country = system("` + echoPath + `"; "test")`,
expected: []string{
@ -63,7 +65,7 @@ func TestSystemOperatorEnabledScenarios(t *testing.T) {
{
description: "Run a command without arguments",
subdescription: "Omit the semicolon and args to run the command with no extra arguments.",
yqFlags: "--security-enable-system-operator",
yqFlags: "--enable-system-operator",
document: "a: hello",
expression: `.a = system("` + echoPath + `")`,
expected: []string{
@ -103,17 +105,6 @@ func TestSystemOperatorEnabledScenarios(t *testing.T) {
expression: `.a = system(null)`,
expectedError: "system operator: command must be a string scalar",
},
{
description: "System operator processes multiple matched nodes",
skipDoc: true,
document: "a: first",
document2: "a: second",
expression: `.a = system("` + echoPath + `"; "replaced")`,
expected: []string{
"D0, P[], (!!map)::a: replaced\n",
"D0, P[], (!!map)::a: replaced\n",
},
},
}
for _, tt := range scenarios {