`to_code` does not check whether components names are valid Python variable names #3855

ZanSara · 2023-01-12T17:47:21Z

Describe the bug

Pipeline.to_code trusts blindly that the name of each component can be used as a valid Python variable name.
This leads to the possibility of generating arbitrary code through proper naming of the components, see Generate code from pipeline (pipeline.to_code()) #2214 (comment)

Solution:
to_code should clean the compoent names before using them.

it could use unicodedata.category() to filter out control characters, for example.
It could also apply a strong regex on component names and replace anything that is not alphanumeric with an underscore.

The text was updated successfully, but these errors were encountered:

ZanSara added type:bug Something isn't working topic:pipeline labels Jan 12, 2023

ZanSara mentioned this issue Jan 12, 2023

fix: remove string validation in YAML #3854

Merged

4 tasks

ZanSara added the topic:security relevant to Haystack's threat model label Jan 25, 2023

masci added the P2 Medium priority, add to the next sprint if no P1 available label Feb 8, 2023

julian-risch added the Contributions wanted! Looking for external contributions label Mar 13, 2023

masci removed the Contributions wanted! Looking for external contributions label Dec 13, 2023

masci added P3 Low priority, leave it in the backlog 1.x and removed P2 Medium priority, add to the next sprint if no P1 available labels Jan 8, 2024

masci added the wontfix This will not be worked on label Feb 23, 2024

masci closed this as completed Feb 23, 2024

Provide feedback