Prompted by peterjc/galaxy_mira#4 I was looking at our best practice documentation, and found it does not talk about allowing arbitrary parameters to be passed to a tool.
Despite the Galaxy framework having default character sanitisers (to block most special characters like semicolon, pipe or backtick), my understanding is this was discouraged as a potential security hole - i.e. this field will become part of the command line string, so you have to worry about tricks like running subcommands, or ending the intended command early and running some second arbitrary command as well.
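To make the risk described in the issue concrete, here is an added, self-contained Python example (not code from this issue, from Galaxy, or from the MIRA wrapper). It shows a free-text "extra parameters" field spliced into a shell command string, a character sanitiser that approximates what the thread says the Galaxy default does (replace shell metacharacters; the exact allowed set and the `X` replacement character are assumptions, not Galaxy's actual rule), and the stricter alternative of parsing the field into an argv list against an allow-list of flags so that no shell ever interprets it. The tool name `mira`, the flags in `ALLOWED_FLAGS` and the sample payloads are all constructed for illustration.

```python
"""Constructed demo of why a free-text 'extra parameters' field is a command
injection risk, and two ways a wrapper author can contain it.

Not Galaxy code. sanitize_like_galaxy() only approximates the behaviour the
issue describes (block ; | ` and similar); the allowed set and the 'X'
replacement character are assumptions.
"""
import shlex
import subprocess

TOOL = "mira"  # stand-in for the wrapped tool; any name works for the demo

# Characters the approximate sanitiser lets through (assumed, not Galaxy's
# real list).  Shell metacharacters such as ; | ` $ ( ) & < > are excluded.
ALLOWED_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ._-=:/"
)
REPLACEMENT = "X"


def sanitize_like_galaxy(value: str) -> str:
    """Replace every disallowed character with REPLACEMENT."""
    return "".join(c if c in ALLOWED_CHARS else REPLACEMENT for c in value)


def naive_command(extra_params: str) -> str:
    """What a template like 'mira --threads 4 $extra_params' produces: the
    user's text is spliced verbatim into a string a shell will parse, so
    '; other_cmd' ends the intended command and starts a second one."""
    return f"{TOOL} --threads 4 {extra_params}"


def sanitized_command(extra_params: str) -> str:
    """Same template, but with the field passed through the sanitiser first.
    This stops ';', '|', '`' and '$(...)' tricks, but note it cannot stop the
    user passing any flag the tool itself accepts (argument injection)."""
    return naive_command(sanitize_like_galaxy(extra_params))


# Flags the wrapper is willing to forward (hypothetical allow-list).
ALLOWED_FLAGS = {"-v", "--quiet", "--max-memory"}


def build_argv(extra_params: str) -> list:
    """Parse the field with POSIX quoting rules, accept only allow-listed
    flags (with a validated value where one is required) and return an argv
    list for subprocess.run(..., shell=False).  Anything else is rejected
    rather than 'cleaned', so no shell ever sees the user's text."""
    argv = [TOOL, "--threads", "4"]
    tokens = shlex.split(extra_params)
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag not in ALLOWED_FLAGS:
            raise ValueError(f"parameter not permitted: {flag!r}")
        argv.append(flag)
        if flag == "--max-memory":
            if i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
                raise ValueError("--max-memory needs a numeric value")
            argv.append(tokens[i + 1])
            i += 1
        i += 1
    return argv


def is_permitted(extra_params: str) -> bool:
    """True if build_argv() accepts the field, False if it rejects it."""
    try:
        build_argv(extra_params)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "-v; id"
    print("naive:     ", naive_command(payload))
    print("sanitised: ", sanitized_command(payload))
    # Run the naive string through a real shell with 'echo' standing in for
    # the tool, to show the injected second command actually executes.
    subprocess.run(naive_command(payload).replace(TOOL, "echo", 1),
                   shell=True, check=False)
    # Argument injection survives character sanitising: no metacharacters,
    # yet the user chose an output location the wrapper never intended.
    print("sanitised still allows:", sanitized_command("--output /tmp/evil"))
    print("allow-list accepts:", is_permitted("-v --max-memory 8"))
    print("allow-list rejects:", not is_permitted("--output /tmp/evil"))
```

The point the sanitiser step illustrates is the one raised in the issue: character sanitising removes the shell-level tricks (`;`, `|`, backticks), but the field is still an unconstrained set of arguments to the tool, so the allow-list approach is what "adding missing arguments as needed" amounts to in code.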
I agree it is a potential security risk and it is not good for UX imho. What is the reason to do so? Is it because of too many parameters that the tool author does not want to specify in detail?
Basically that's the reason. It has come up on MIRA (see pull request) and also BLAST, and that's just the examples I can think of from tools that I personally first wrapped. My preference is to add missing arguments as needed (but there are diminishing returns in effort spent and corner case usage).