Security question

Security question

1marc1
Hi team,

I understand it is possible to run asciidoctor in various security/safe modes that - for example - disable include:: directives.

I have been searching everywhere but cannot find an example of how including a file could cause a risk.

I understand the general concept, but fail to see how included code could be executed by asciidoctor.

Marc.
Re: Security question

mojavelinux
Administrator
Marc,

You're correct that Asciidoctor never executes files, so that's not the issue here. It's more that Asciidoctor could reach into the root of the filesystem and read files that reveal information about the system. This is primarily an issue when Asciidoctor is invoked through a web application, such as GitHub. And that's exactly the use case for which the security feature was designed. It definitely errs on the side of paranoid, but that's what GitHub required in order for Asciidoctor to run there.

If you're using Asciidoctor on your own machine and running it as your own user, there's hardly any reason not to use unsafe mode. Though, I tend to prefer the safe mode setting myself just to be...safe.

Cheers,

-Dan

On Wed, Apr 18, 2018 at 4:28 PM 1marc1 [via Asciidoctor :: Discussion] <[hidden email]> wrote:
Hi team,

I understand it is possible to run asciidoctor in various security/safe modes that - for example - disable include:: directives.

I have been searching everywhere but cannot find an example of how including a file could cause a risk.

I understand the general concept, but fail to see how included code could be executed by asciidoctor.

Marc.


If you reply to this email, your message will be added to the discussion below:
http://discuss.asciidoctor.org/Security-question-tp6257.html
--
Dan Allen | @mojavelinux | https://twitter.com/mojavelinux
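To make Dan's point concrete, here is an added example (standalone Ruby, not Asciidoctor's own code or API): a toy include resolver that behaves the way the unsafe, safe/server and secure modes he mentions are described. The mode names are borrowed from Asciidoctor's documented safe modes; the numeric levels, the placeholder strings, the helper names and the temporary directory layout are assumptions of this example. It shows that an unjailed include:: is a read-any-file primitive, which is exactly what matters when the converter runs inside a web application that processes documents from untrusted users.

```ruby
require 'fileutils'
require 'tmpdir'

# Standalone illustration (not Asciidoctor's resolver) of why include::
# is a file-read primitive and how a safe mode closes it.

# Mode names borrowed from Asciidoctor's safe modes; the numeric levels
# are an assumption of this example.
MODES = { unsafe: 0, safe: 1, server: 10, secure: 20 }.freeze

INCLUDE_RE = /\Ainclude::(?<target>[^\[]+)\[\]\z/

# True when path lies strictly below jail (both already absolute).
def inside?(path, jail)
  path.start_with?(jail + File::SEPARATOR)
end

# Resolve one include target against the document's base directory.
# Returns file contents, or a placeholder explaining the refusal.
def resolve_include(target, base_dir, mode)
  level = MODES.fetch(mode)

  # secure: include directives are not honoured at all.
  return "[include disabled: #{target}]" if level >= MODES[:secure]

  jail   = File.realpath(base_dir)
  path   = File.expand_path(target, jail)   # normalises "../" and absolute targets
  jailed = level >= MODES[:safe]

  # Lexical check first: refuse before touching the filesystem, so a
  # document author cannot even probe whether files outside the jail exist.
  return "[include refused: #{target}]" if jailed && !inside?(path, jail)
  return "[include not found: #{target}]" unless File.file?(path)

  # Physical check: follow symlinks, so a link planted inside the jail
  # that points at something like /etc/passwd is refused as well.
  real = File.realpath(path)
  return "[include refused: #{target}]" if jailed && !inside?(real, jail)

  File.read(real)
end

# Expand include directives in a document, one line at a time.
def expand_includes(source, base_dir, mode)
  source.lines.map do |line|
    m = INCLUDE_RE.match(line.chomp)
    m ? resolve_include(m[:target], base_dir, mode).chomp + "\n" : line
  end.join
end

# Constructed layout for the demo:
#   <tmp>/docs/chapter.adoc   a legitimate include
#   <tmp>/secret.txt          stands in for a sensitive system file
#   <tmp>/docs/escape         symlink -> ../secret.txt (planted by the author)
def demo
  Dir.mktmpdir do |tmp|
    docs = File.join(tmp, 'docs')
    FileUtils.mkdir_p(docs)
    File.write(File.join(docs, 'chapter.adoc'), "Chapter text\n")
    File.write(File.join(tmp, 'secret.txt'), "SECRET\n")
    File.symlink(File.join(tmp, 'secret.txt'), File.join(docs, 'escape'))

    source = <<~ADOC
      = Title
      include::chapter.adoc[]
      include::../secret.txt[]
      include::escape[]
    ADOC

    # One rendering per mode, so the difference is visible side by side.
    MODES.keys.to_h { |mode| [mode, expand_includes(source, docs, mode)] }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |mode, out| puts "== #{mode} ==", out }
end
```

In unsafe mode both the traversal and the symlink pull the secret into the rendered output; in safe and server mode the legitimate chapter is included but both escapes are refused; in secure mode nothing is read at all. A real deployment that accepts documents from strangers wants the last two, which is the GitHub situation Dan describes.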