The user-writable targets_modified/ overlay was executed as code via three routes reachable by non-admin users: table definitions (ERB + GENERIC eval), cmd/tlm definitions (overlaid by setup_targets), and Script Runner suite analysis. Read table/cmd-tlm definitions from the read-only targets/ tree only, require admin to write the cmd_tlm overlay (rejecting non-canonical keys), and gate suite analysis at the script_run tier. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Codecov Report ❌ Patch coverage is

Coverage Diff (main vs. #3488):

| | main | #3488 | +/- |
|---|---|---|---|
| Coverage | 78.72% | 79.33% | +0.61% |
| Files | 483 | 690 | +207 |
| Lines | 35619 | 57508 | +21889 |
| Branches | 728 | 728 | |
| Hits | 28041 | 45624 | +17583 |
| Misses | 7500 | 11806 | +4306 |
| Partials | 78 | 78 | |
PR #3488 gated only the presigned-upload writer. Table.save/save_as/ generate/destroy reach the same targets_modified/<TARGET>/cmd_tlm/... overlay via TargetFile.create, gated only by authorization('system'), which under Enterprise RBAC every role down to Viewer holds. That overlay is ERB-rendered (and eval'd via GENERIC_*_CONVERSION) as code at load, so a non-admin could inject code. Add a shared authorize_overlay_write choke point requiring admin for cmd_tlm paths, failing closed on non-canonical names, mirroring storage_controller#non_admin_config_overlay_write?. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
ryanmelt
left a comment
This isn't the right fix. ERB rendering should only be in plugin install, and removed everywhere else.
Config files are ERB-rendered once at plugin install (TargetModel#deploy) and stored rendered in the targets bucket. Runtime parse paths (PacketConfig, Target, TableConfig) now pass run_erb=false so the user-writable targets_modified overlay is treated as data, never executed as code. Back out the read-path gating in favor of this approach; retain cmd_tlm overlay write gating, which also covers the separate GenericConversion eval-at-decom vector. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
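As an added illustration of the two-tier design these messages describe (not OpenC3's own code), the sketch below uses hypothetical names `render_at_install`, `parse_config` and `authorize_overlay_write` modelled on the commit text, a constructed canonical-key pattern, and a constructed overlay line as input:

```ruby
require 'erb'

# Constructed example, not OpenC3 code. Names and the key pattern below are
# hypothetical stand-ins for the behaviour described in the commit messages.
CANONICAL_KEY = %r{\A[A-Z0-9_]+/cmd_tlm/[A-Za-z0-9_]+\.txt\z}

# Stage 1: plugin install. This is an admin-only, one-time step, so ERB is
# rendered here and the rendered text is what gets stored in the bucket.
def render_at_install(text, vars = {})
  ERB.new(text).result_with_hash(vars)
end

# Stage 2: runtime parse. The targets_modified overlay is user-writable, so it
# is read as data: run_erb defaults to false and is never taken from request
# input. Returns each non-empty line as a token array.
def parse_config(text, run_erb: false)
  text = ERB.new(text).result if run_erb
  text.lines.map(&:strip).reject(&:empty?).map(&:split)
end

# Write-side choke point: only admins may write into cmd_tlm paths, and any
# key that is not already in canonical form (traversal, absolute path, odd
# characters) is rejected outright rather than normalised and then checked.
def authorize_overlay_write(key, role)
  return false if key.include?('..') || key.start_with?('/')
  return true unless key.include?('/cmd_tlm/') # non-code paths keep existing rules
  return false unless key.match?(CANONICAL_KEY)
  role == :admin
end

if __FILE__ == $PROGRAM_NAME
  # Constructed overlay line carrying an ERB tag; at runtime it stays inert text.
  overlay = "TELEMETRY INST HEALTH BIG_ENDIAN <%= 6 * 7 %>\n"
  p parse_config(overlay)
  p parse_config(overlay, run_erb: true) # what the old code path produced
  p authorize_overlay_write('INST/cmd_tlm/inst_tlm.txt', :viewer)
end
```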
Note that we still have to handle