You're correct that Asciidoctor never executes files, so that's not the issue here. It's more that Asciidoctor could reach into the root of the filesystem and read files that reveal information about the system. This is primarily an issue when Asciidoctor is invoked through a web application, such as GitHub. And that's exactly the use case for which the security feature was designed. It definitely errs on the side of paranoid, but that's what GitHub required in order for Asciidoctor to run there.
If you're using Asciidoctor on your own machine and running it as your own user, there's hardly any reason not to use unsafe mode. Though, I tend to prefer the safe mode setting myself just to be...safe.
On Wed, Apr 18, 2018 at 4:28 PM 1marc1 [via Asciidoctor :: Discussion] <[hidden email]> wrote:
I understand it is possible to run asciidoctor in various security/safe modes that - for example - disable include:: directives.
I have been searching everywhere but cannot find an example of how including a file could cause a risk.
I understand the general concept, but fail to see how included code could be executed by asciidoctor.
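Added example (not part of the original thread, and not Asciidoctor's own code): a simplified Ruby model of the check a web-hosted renderer needs, confining `include::` targets to the document directory so a submitted document cannot pull in files from elsewhere on the server. The helper names, the `[include rejected: ...]` marker and the file names are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Matches a bare include directive line, e.g. include::chapter.adoc[]
INCLUDE_RX = /\Ainclude::([^\[\s]+)\[\]\z/

# Returns the canonical path of target if it is a file inside base_dir, else nil.
def resolve_include(base_dir, target)
  jail = File.realpath(base_dir)
  candidate = File.expand_path(target, jail) # collapses ../ and honours absolute paths
  return nil unless File.file?(candidate)
  real = File.realpath(candidate)            # follows symlinks to the true location
  real.start_with?(jail + File::SEPARATOR) ? real : nil
end

# Replaces each include line with the file content, or a marker if rejected.
def expand_includes(text, base_dir)
  text.each_line(chomp: true).map do |line|
    m = INCLUDE_RX.match(line)
    next line unless m
    path = resolve_include(base_dir, m[1])
    path ? File.read(path).chomp : "[include rejected: #{m[1]}]"
  end.join("\n")
end

# Constructed demo: one legitimate include and three that leave the docdir.
def demo
  Dir.mktmpdir do |root|
    docdir = File.join(root, 'docs')
    outside = File.join(root, 'host-secret.txt') # stands in for a server-side file
    FileUtils.mkdir_p(docdir)
    File.write(File.join(docdir, 'chapter.adoc'), "Chapter text\n")
    File.write(outside, "internal-hostname\n")
    File.symlink(outside, File.join(docdir, 'link.adoc'))
    source = <<~ADOC
      = Title
      include::chapter.adoc[]
      include::../host-secret.txt[]
      include::#{outside}[]
      include::link.adoc[]
    ADOC
    expand_includes(source, docdir)
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Resolving the real path before the prefix check is what catches the symlink case, which a plain string comparison on the requested target would miss.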