Since we render the Lua configuration with a Jinja2 template, all string inputs in the configuration should be validated or escaped. There is no generic `str` type in the configuration schema (except the `lua` section).
- new regex for `IDPattern`
- There are two custom types for string inputs that cannot be strictly validated.
  - `EscapedStr` - escapes single/double quotes and newlines
  - `RawStr` - raw representation, escapes all unicode chars and quotes
A simple example of a problem with quotes and newlines:

```
hostname: "')\nany_lua_code"
```

Jinja2 template:

```
hostname('{{ cfg.hostname }}')
```

Render:

```
hostname('')
any_lua_code
```
As a result, `kresd` startup fails or worse, `any_lua_code` may be executed.
Are there any other characters or something else I missed that can cause problems? cc @vcunat @ostava
related #715
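The quoting problem described above, as an added example that is not code from this merge request: it renders the `hostname` template with three escaping strategies and checks whether the value stays inside one Lua string literal. The helper names, the `str.format` stand-in for Jinja2 and the backslash input are assumptions made for illustration; whether the project's `EscapedStr` handles backslashes is not shown on this page.

```python
# Added illustration; helper names are hypothetical, not the project's EscapedStr.
TEMPLATE = "hostname('{}')"  # str.format stand-in for the Jinja2 template

# Characters that can end or corrupt a quoted Lua short string.
LUA_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n", "\r": "\\r"}


def escape_quotes_newlines(value: str) -> str:
    """Escape only quotes and line breaks; backslashes pass through."""
    return "".join(LUA_ESCAPES[c] if c in "'\"\n\r" else c for c in value)


def escape_lua_str(value: str) -> str:
    """Escape backslashes too, so input cannot neutralise our own escapes."""
    return "".join(LUA_ESCAPES.get(c, c) for c in value)


def literal_end(lua: str, start: int) -> int:
    """Index of the quote closing the literal opened at `start`, or -1."""
    quote, i = lua[start], start + 1
    while i < len(lua):
        if lua[i] == "\\":
            i += 2  # escape sequence: skip the escaped character
            continue
        if lua[i] in "\n\r":
            return -1  # raw line break: unfinished string in Lua
        if lua[i] == quote:
            return i
        i += 1
    return -1


def is_single_call(rendered: str) -> bool:
    """True when the whole value stayed inside hostname('...')."""
    return literal_end(rendered, rendered.index("'")) == len(rendered) - 2


# Constructed inputs: the page's example and a backslash-prefixed variant.
PAGE_INPUT = "')\nany_lua_code"
BACKSLASH_INPUT = "\\'); any_lua_code --"

if __name__ == "__main__":
    for fn in (str, escape_quotes_newlines, escape_lua_str):
        for value in (PAGE_INPUT, BACKSLASH_INPUT):
            rendered = TEMPLATE.format(fn(value))
            print(fn.__name__, repr(rendered), is_single_call(rendered))
```

Escaping only quotes and newlines contains the page's input but not the backslash variant, because the input's own backslash turns the inserted `\'` into an escaped backslash followed by a closing quote.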