- Command Injection: Netsuke automatically shell-escapes variables interpolated into `command:` strings unless the `| raw` Jinja filter is explicitly used. Avoid `| raw` unless you fully trust the variable's content. File paths from `glob` or placeholders like `{{ ins }}`/`{{ outs }}` are quoted safely.
- `script:` Execution: Scripts run via the specified interpreter (defaulting to `sh -e`). Ensure scripts handle inputs safely.
- Impure Functions/Filters: `env()`, `glob()`, `fetch()`, `shell()`, `grep()` interact with the environment or network. Be mindful when using them with untrusted manifest parts. Future versions might offer sandboxing options.
Always review Netsukefile manifests, especially those from untrusted sources,
before building.
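As an added illustration of the quoting policy described for `command:` strings (this is constructed example code, not Netsuke's own template engine), the Python below interpolates `{{ var }}` placeholders with POSIX shell quoting by default and passes a value through verbatim only when the placeholder carries `| raw`; the `render_command` and `argv_for` helpers and the `pandoc` sample command are assumptions.

```python
import re
import shlex

# Matches "{{ name }}" and "{{ name | raw }}"; group 2 is set only for the raw form.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*(\|\s*raw)?\s*\}\}")


def render_command(template: str, variables: dict) -> str:
    """Interpolate variables into a command template, shell-quoting by default.

    Mimics the policy described in the text: a plain {{ var }} becomes one
    POSIX shell word via shlex.quote; {{ var | raw }} is inserted unchanged.
    """
    def substitute(match: re.Match) -> str:
        name, raw = match.group(1), match.group(2)
        value = variables[name]
        return value if raw else shlex.quote(value)

    return _PLACEHOLDER.sub(substitute, template)


def argv_for(command: str) -> list:
    """Tokenise a rendered command the way a POSIX shell would, without running it."""
    return shlex.split(command)


if __name__ == "__main__":
    # Constructed untrusted input: a file name carrying shell metacharacters.
    untrusted = {"src": "notes.txt; echo injected", "out": "notes.pdf"}

    safe = render_command("pandoc {{ src }} -o {{ out }}", untrusted)
    print(safe)            # pandoc 'notes.txt; echo injected' -o notes.pdf
    print(argv_for(safe))  # the whole value stays a single argument to pandoc

    # Opting out with | raw hands the metacharacters to the shell unchanged.
    unsafe = render_command("pandoc {{ src | raw }} -o {{ out }}", untrusted)
    print(unsafe)          # pandoc notes.txt; echo injected -o notes.pdf
```

Values containing quotes are handled too: `shlex.quote("it's")` yields `'it'"'"'s'`, which the shell reads back as the original string.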