manager: datamodel: validate or escape strings in datamodel
Since we render the Lua configuration with a Jinja2 template, all string inputs in the configuration should be validated or escaped.
- No str type in configuration (except for lua/script).
- EscapedStr - custom type that escapes quotes and others..
- .multiline() for multiline string in Lua
- new types IDPattern, PinSha256, EscapedStr32B
- base types refactored
A simple example of a problem with quotes and newlines:
hostname: "')\nany_lua_code"
Jinja2 template:
hostname('{cfg.hostname}')
Render:
hostname('')
any_lua_code
As a result, kresd startup fails or worse, any_lua_code may be executed.
Are there any other characters or something else I missed that can cause problems? cc @vcunat @ostava
related #715 (closed)
Edited by Aleš Mrázek
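The quote-and-newline problem from the description, shown next to an escaped render. This is an added example, not code from the merge request: `lua_escape`, `render_unsafe`, `render_escaped` and `literal_is_closed_at_end` are hypothetical names, and `str.format` stands in for the Jinja2 template.

```python
# Added illustration; not the project's EscapedStr implementation.
TEMPLATE = "hostname('{hostname}')"   # stand-in for the Jinja2 template
PAYLOAD = "')\nany_lua_code"          # value from the description, after YAML parsing

_NAMED = {"\\": "\\\\", "'": "\\'", '"': '\\"',
          "\n": "\\n", "\r": "\\r", "\t": "\\t"}

def lua_escape(value: str) -> str:
    """Escape a value for use inside a quoted Lua string literal."""
    out = []
    for ch in value:
        if ch in _NAMED:
            out.append(_NAMED[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            # Three-digit decimal escape, so a following digit cannot merge into it.
            out.append("\\%03d" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def render_unsafe(hostname: str) -> str:
    return TEMPLATE.format(hostname=hostname)

def render_escaped(hostname: str) -> str:
    return TEMPLATE.format(hostname=lua_escape(hostname))

def literal_is_closed_at_end(rendered: str) -> bool:
    """True only if the first unescaped quote is the one that ends the call."""
    body = rendered[len("hostname('"):]
    i = 0
    while i < len(body):
        if body[i] == "\\":        # escape sequence: skip the escaped character
            i += 2
            continue
        if body[i] == "\n":        # raw newline inside a short string literal
            return False
        if body[i] == "'":
            return body[i:] == "')"
        i += 1
    return False                   # literal never terminated

if __name__ == "__main__":
    for name, value in (("quote+newline", PAYLOAD), ("trailing backslash", "a\\")):
        print(name, "| unsafe ok:", literal_is_closed_at_end(render_unsafe(value)),
              "| escaped ok:", literal_is_closed_at_end(render_escaped(value)))
```

The second sample value, a trailing backslash, breaks the unescaped render by swallowing the closing quote, which is why the backslash is escaped along with quotes and newlines.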