Flag to disable expressions external loading

zix99 · May 19, 2024 · ed74886 · ed74886
1 parent f4880a8
commit ed74886
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 1 deletion.
diff --git a/docs/usage/expressions.md b/docs/usage/expressions.md
@@ -278,6 +278,9 @@ Syntax: `{load "filename"}`
 
 Loads a given filename as text.
 
+To globally disable file loading in expressions for security reasons, specify
+`--noload` as global argument.
+
 #### Lookup, HasKey
 
 Syntax: `{lookup key "kv-pairs" ["commentPrefix"]}`, `{haskey key "kv-pairs" ["commentPrefix"]}`

diff --git a/main.go b/main.go
@@ -7,6 +7,7 @@ import (
 	"rare/cmd"
 	"rare/cmd/helpers"
 	"rare/pkg/color"
+	"rare/pkg/expressions/stdlib"
 	"rare/pkg/fastregex"
 	"rare/pkg/humanize"
 	"rare/pkg/logger"
@@ -58,6 +59,11 @@ func buildApp() *cli.App {
 			Aliases: []string{"nu"},
 			Usage:   "Disable usage of unicode characters",
 		},
+		&cli.BoolFlag{
+			Name:    "noload",
+			Aliases: []string{"nl"},
+			Usage:   "Disable external file loading in expressions",
+		},
 		&cli.BoolFlag{
 			Name:  "color",
 			Usage: "Force-enable color output",
@@ -102,6 +108,9 @@ func buildApp() *cli.App {
 		if c.Bool("nounicode") {
 			termunicode.UnicodeEnabled = false
 		}
+		if c.Bool("noload") {
+			stdlib.DisableLoad = true
+		}
 		return nil
 	})
 

diff --git a/pkg/expressions/stdlib/funcsLookups.go b/pkg/expressions/stdlib/funcsLookups.go
@@ -8,9 +8,15 @@ import (
 	"strings"
 )
 
+var DisableLoad = false
+
 // {load "filename"}
 // loads static file as string
 func kfLoadFile(args []expressions.KeyBuilderStage) (expressions.KeyBuilderStage, error) {
+	if DisableLoad {
+		return stageErrorf(ErrFile, "loading disabled")
+	}
+
 	if len(args) != 1 {
 		return stageErrArgCount(args, 1)
 	}

diff --git a/pkg/expressions/stdlib/funcsLookups_test.go b/pkg/expressions/stdlib/funcsLookups_test.go
@@ -1,12 +1,19 @@
 package stdlib
 
-import "testing"
+import (
+	"rare/pkg/testutil"
+	"testing"
+)
 
 func TestLoadFile(t *testing.T) {
 	testExpression(t, mockContext(), "{load ../../../cmd/testdata/graph.txt}", "bob 22\njack 93\njill 3\nmaria 19")
 	testExpressionErr(t, mockContext(), "{load {0}}", "<CONST>", ErrConst)
 	testExpressionErr(t, mockContext(), "{load a b}", "<ARGN>", ErrArgCount)
 	testExpressionErr(t, mockContext(), "{load notarealfile.txt}", "<FILE>", ErrFile)
+
+	testutil.SwitchGlobal(&DisableLoad, true)
+	defer testutil.RestoreGlobals()
+	testExpressionErr(t, mockContext(), "{load ../../../cmd/testdata/graph.txt}", "<FILE>", ErrFile)
 }
 
 func TestLookup(t *testing.T) {