Is passing user-controlled expressions to yq secure?

[MaeIsBad]

I would like to use yq to modify a user-supplied yaml file, with a user-supplied expression.
I can see that yq allows access to environment variable, which is easy enough to work around, by clearing the env before running. Can the expression interact with the os in any other way I've missed(read/write files, execute binaries, make http requests, etc.)?

[mikefarah]

I wouldn't recommend it - it wasn't designed for that and I can't guarantee any security for allowing end users to provide expressions. It would be like allowing end users to specify there own SQL query.

• yq can access environment variables, which you have already identified
• yq can access files on the operating system, via the load expression - https://mikefarah.gitbook.io/yq/operators/load
• it doesn't make http calls
• there's probably other sneaky stuff you could do in the expression that I'm not aware of; possibly issues in underlying libraries; that expose security vulnerabilities

If you had to do it, I'd run yq in a container (e.g. docker/podman/vm) and make sure it only had access to files you want it to have access to, turn off networking (see the note here https://github.com/mikefarah/yq?tab=readme-ov-file#run-with-docker-or-podman), don't pass it environment variable etc. There's probably other things you could lock down as well. This may still have security vulnerabilities that I'm not aware of.