Comments (4)
@sisp @pawamoy thank you for the context, that makes sense.
@yajo thank you for the doc suggestion, I think we can proceed with that for now. I'll close this issue in the meantime.
as always, thanks all for the fantastic project!
from copier.
I'm afraid the situation is more complex. The context hook extension cannot be compared with the Ansible core filters extension because Ansible core filters is a finite set of well-defined Jinja filters whereas the context hook extension enables arbitrary code execution of code written by template authors. Thus, auto-loading the context hook extension and excluding it from the need for the --UNSAFE, --trust
flag would be unsafe. The idea behind the flag is to guarantee that a template which doesn't require it will only rely on the Jinja filters/tests that are available through Copier, which are not harmful. Tasks, migrations, and additional Jinja extensions – or context hooks registered via the the context hook extension – allow arbitrary code execution, so Copier can't provide any guarantees about the safety of a template using these features.
If your templates support updating, which is among the biggest benefits of Copier IMO, you'll sooner or later need migrations to provide a smooth update experience, so --UNSAFE, --trust
will become necessary anyway. This flag is not there to scare users but to raise awareness for the possible risks of using a template with these features, so a conscious decision about using the template can be made.
from copier.
I wonder if that's even needed these days, now that we support computed values. See #229 (comment).
I'll add a FAQ entry about that.
from copier.
Author of the context-hook extension here: completely agree with @sisp. It wouldn't make sense to trust this extension by default as it allows arbitrary code execution.
from copier.
Related Issues (20)
- latest v9 release missing from pypi HOT 1
- pyyaml-include is GPL3, doesn't that poison your MIT project? HOT 2
- Uses deprecated `onerror` parameter of `shutil.rmtree` in Python >= 3.12
- Custom `block_start_string` (and others) in `_envops` fail if empty `_templates_suffix` used. HOT 12
- Ability to define safe/unsafe modes and force to ignore _tasks
- Tasks are executed in temporary folder HOT 3
- Error messages not clear enough HOT 3
- Copier copy does not create `.copier-answers.yml` file nor adds any reference to the original template (`TypeError: Template not found`) HOT 4
- Make `mypy copier --strict` pass HOT 3
- Make PR checks for Python 3.12 required HOT 2
- Workflow for updating from a local clone of a template HOT 7
- Add template preview HOT 4
- Rewrite tracebacks to include template lines HOT 1
- Before rendering a file, add `_template_file` and `_this_file` to the context HOT 8
- Ask question only once HOT 3
- Fix documentation link in Github Repo HOT 1
- Using --data with a multiselect based choice HOT 5
- --default should just ask for missing answers, regardless of whether there's a default answer in the template HOT 8
- json dump of _copier_conf not working
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from copier.