make the context-hook extension a "safe" extension about copier HOT 4 CLOSED

@sisp @pawamoy thank you for the context, that makes sense.

@yajo thank you for the doc suggestion, I think we can proceed with that for now. I'll close this issue in the meantime.

as always, thanks all for the fantastic project!

from copier.

I'm afraid the situation is more complex. The context hook extension cannot be compared with the Ansible core filters extension because Ansible core filters is a finite set of well-defined Jinja filters whereas the context hook extension enables arbitrary code execution of code written by template authors. Thus, auto-loading the context hook extension and excluding it from the need for the --UNSAFE, --trust flag would be unsafe. The idea behind the flag is to guarantee that a template which doesn't require it will only rely on the Jinja filters/tests that are available through Copier, which are not harmful. Tasks, migrations, and additional Jinja extensions – or context hooks registered via the the context hook extension – allow arbitrary code execution, so Copier can't provide any guarantees about the safety of a template using these features.

If your templates support updating, which is among the biggest benefits of Copier IMO, you'll sooner or later need migrations to provide a smooth update experience, so --UNSAFE, --trust will become necessary anyway. This flag is not there to scare users but to raise awareness for the possible risks of using a template with these features, so a conscious decision about using the template can be made.

from copier.

I wonder if that's even needed these days, now that we support computed values. See #229 (comment).

I'll add a FAQ entry about that.

from copier.

Author of the context-hook extension here: completely agree with @sisp. It wouldn't make sense to trust this extension by default as it allows arbitrary code execution.

from copier.