root folder for the engine/service while accessing from browser #108

@KrishnaPG

In any code executed from a browser, the path `/` stands for the website root folder (and not the machine root folder), per the usual web development best/security practices.

However, the write command in juttle (while accessing from a browser through a remote machine) is allowing folder access at machine-level root folders, which could be a security concern.

Consider the case below:

```
read http -url 'https://raw.githubusercontent.com/juttle/juttle-engine/master/examples/github-tutorial/github_data.json' -format 'json'
| (
    head 2;
    tail 1)
| write file -file '/tmp/metadata.csv' -format 'csv'
```

I would expect `/tmp/` to be relative to the location where juttle-engine is running (or configured as the website's root). However, after running the above snippet, I am seeing `/tmp/metadata.csv` under the machine's `/tmp` folder and not relative.

The line below, on the other hand, creates the file in the relative tmp folder (at the website's root level):

```
write file -file 'tmp/metadata.csv' -format 'csv'
```
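The confinement described in this report, sketched as an added example that is not part of the original issue or of juttle's code: a file sink could re-root every supplied path under a configured directory and refuse anything that still lands outside it. The helper name `resolveInsideRoot` and the root `/srv/juttle` are assumptions made for illustration.

```javascript
'use strict';
const path = require('node:path').posix; // POSIX rules, matching the paths in the report

// Hypothetical helper (not juttle's API): map a program-supplied path onto a
// configured root so that "/" means the service root, not the machine root.
function resolveInsideRoot(root, userPath) {
  if (typeof userPath !== 'string' || userPath === '' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = path.resolve(root);
  // Drop leading slashes: an absolute path is re-rooted instead of honoured.
  const candidate = path.resolve(base, userPath.replace(/^\/+/, ''));
  // Compare against "base/" so a sibling such as "/srv/juttle-old" does not
  // pass a bare prefix test, and ".." segments cannot climb out.
  const prefix = base.endsWith('/') ? base : base + '/';
  if (candidate !== base && !candidate.startsWith(prefix)) {
    throw new Error('path escapes root: ' + userPath);
  }
  return candidate;
}

// Constructed sample inputs; '/srv/juttle' is an assumed install location.
function demo(root = '/srv/juttle') {
  const inputs = ['/tmp/metadata.csv', 'tmp/metadata.csv',
                  '../../outside.csv', '/../juttle-old/out.csv'];
  return inputs.map((p) => {
    try { return [p, resolveInsideRoot(root, p)]; }
    catch (e) { return [p, 'REJECTED']; }
  });
}

console.log(demo());
```

This check is lexical only: a symlink inside the root can still point elsewhere, so a real sink would also resolve the parent directory with `fs.realpath` and re-check it before opening the file.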
