Thanks Daniel. Indeed, these possible security issues are not obvious to everyone. Disabling unsafe features is indeed a convenient way to make them prominent.
Jacques

On 11/10/2020 at 20:42, Daniel Dekany wrote:
I noticed that ?api and ?new are by default disabled in freemarker-generator. However, freemarker-generator is inherently unsafe, as it has tools.freemarker.objectConstructor and tools.freemarker.statics. For a command-line tool that's probably fine, but then the above two configuration settings should be left on their convenient defaults as well. In general, allowing someone to specify arbitrary command-line arguments to the freemarker-generator CLI means that they can do pretty much anything (as they can provide an arbitrary template with the -i option, then access the tools). Again, I think such a risk is expected from a command-line tool, but it's better if we are conscious about this.
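To make Daniel's point concrete, here is an added example (not code from the thread or from the freemarker-generator project) that drives the FreeMarker engine the way the generator's defaults do, with ?api and ?new switched off, and then puts the two tool classes into the data model. It assumes that tools.freemarker.objectConstructor and tools.freemarker.statics are thin wrappers over FreeMarker's own freemarker.template.utility.ObjectConstructor and BeansWrapper.getStaticModels(); the class name ToolsBypassDemo and the template strings are constructed for illustration.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.BeansWrapper;
import freemarker.ext.beans.BeansWrapperBuilder;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.utility.ObjectConstructor;

import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class ToolsBypassDemo {

    // Renders an inline template with the two "hardening" settings applied:
    // ?api is disabled and ?new resolves no class at all.
    static String render(String ftl, Map<String, Object> model) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setAPIBuiltinEnabled(false);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        Template t = new Template("demo", ftl, cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> model = new HashMap<>();

        // 1. With ?new disabled, a template cannot instantiate classes this way.
        try {
            render("${'java.lang.StringBuilder'?new()}", model);
        } catch (TemplateException e) {
            System.out.println("?new blocked: " + e.getMessage());
        }

        // 2. Exposing ObjectConstructor (assumed to be what
        //    tools.freemarker.objectConstructor wraps) hands the same
        //    capability straight back to any template the caller supplies.
        model.put("objectConstructor", new ObjectConstructor());
        System.out.println(render(
            "${objectConstructor('java.lang.StringBuilder').append('built via objectConstructor')}",
            model));

        // 3. The statics hash (assumed to be BeansWrapper.getStaticModels())
        //    gives templates the static methods of any loadable class.
        BeansWrapper bw = new BeansWrapperBuilder(Configuration.VERSION_2_3_30).build();
        model.put("statics", bw.getStaticModels());
        System.out.println(render(
            "${statics['java.lang.System'].getProperty('java.version')}",
            model));
    }
}
```

Run it with the freemarker jar on the classpath; step 1 fails with a TemplateException while steps 2 and 3 succeed, which is exactly why disabling ?api and ?new buys nothing once a caller can choose both the template (-i) and the tools it may reach. The practical check for anyone embedding the generator is therefore whether untrusted input can ever select the template or the command line, not which built-ins are toggled.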