cppforlife | 6 years ago

https://get-ytt.io (I am one of the authors), one of the tools that inspired yglu, has been designed from the ground up with an eye towards security even though it's Turing complete.

It is based on Starlark, which is a runtime that does not have facilities to do networking, fs access, etc. Building on that, ytt does not allow/provide any kind of non-deterministic operations (access to time, disk, network, random, etc.). It expects the user to specify explicitly which files to load via the -f flag (i.e. a ytt template cannot load a random template from the fs).

There are several computation attacks that are currently possible (e.g. infinite loop), but that could be easily addressed through a global timeout, for example.

Check out the interactive playground at https://get-ytt.io
