Hooks are a security concern

[jhermann]

Executing the hooks means I trust the template source with anything reachable from my user account – hopefully everyone using templates with hooks does a review beforehand. 🙈

I think there should be a --hooks=abort|skip|ask|trusted option that defaults to ask – many times, users won't know the difference because templates have no hooks, but it will have their backs when it counts (becoming aware they're about to execute abitrary code).

[hackebrot]

👍

[hackebrot]

Hmm...I'm thinking about the options available to the users and the default.

IMHO skip doesn't make any sense, because the project is probably broken without hooks if set up like that. I am 👍 for skip and ask. What's your opinion on run-anyway?

Do you want to submit a PR? 😸

[hackebrot]

Hey @jhermann? 😁

[audreyfeldroy]

Some thoughts:

• I would call it something like --hook-verbosity since it might be good to reserve --hooks in case we need to pass in actual hook files or URLs or whatever in the future
• I really like ask and trusted
• I'm conflicted about skip. I could see that it may leave the project broken. I could also see some people using it if they want to look at the hook source and do the trusted actions manually.
• Would abort mean that the hook code stops running under particular conditions, e.g. deleting files/dirs outside the project dir, accessing third-party APIs? We'd have to define those conditions.

I thought about marking this as "please-help" but realized this still needs further discussion before anyone tries to implement it.

[jhermann]

abort was intended to stop the template before it actually writes anything to disk (i.e. "I want no hookish templates"). It's the opposite of trusted.

Given that skip is indeed often (but no guaranteed) a problem, another wording would be --accept-hooks=yes|ask|no.

[audreyfeldroy]

I think --accept-hooks=yes|ask|no is the clearest.

[mjscosta]

Hi, adding the options above are nice, but if you do not trust a template, you should execute it under controlled environment. And take a look at it (hooks), beforehand.

I've searched, for this issue, and came across https://firejail.wordpress.com/,https://l3net.wordpress.com/2015/09/21/firejail-a-security-sandbox-for-mozilla-firefox-part-3/, firejail.

You, can restrict directories access (via while-list), while executing cookiecutter.

[hackebrot]

Anyone up for getting this implemented? 😁

[rgreinho]

I'm up for the task, and here is a PR we can use to restart the conversation: #992.

I do have a use case where I need to ignore the hooks, therefore I would like to have the skip option implemented (which is what my PR is for actually).

--accept-hooks=yes|ask|no seems to have the consensus, shall I update my PR accordingly?