ABNF $steps does it need to access through outputs? #254

Open
adamaltman opened this issue Sep 14, 2024 · 1 comment

adamaltman (Contributor) commented Sep 14, 2024

1. Should ABNF restrict references to outputs for runtime expressions using `$steps`?
   - Current Situation: The ABNF allows any name after `$steps.`, enabling references like `$steps.myGreatStep.response.body.foo`.
   - Intended restriction: To promote consistency and prevent unintended data access, should the ABNF be modified to restrict references exclusively to outputs (e.g., `$steps.myGreatStep.outputs.foo`)?
2. Is the spec example correct?
   - Issue: The example `$steps.someStep.pets` does not include `outputs`, which seems inconsistent with the intended pattern. (And it also doesn't include a reference to body, header, etc.)
   - Clarification needed: Should the example be updated to include `outputs`, making it `$steps.someStep.outputs.pets` to align with the intended usage?
3. Implications of not restricting to outputs
   - Potential risks: Allowing flexible references might lead to accessing sensitive or unintended data from other parts of the step's data structure.
   - Best practices: Is it advisable to enforce a stricter ABNF definition to ensure that all necessary data is funneled through outputs for better control and security?

Supporting info

From the spec:

> Step output value: `$steps.someStep.pets`. In situations where the output named property return payloads, references may be made to portions of the response body or the entire body.

From an issue comment

> what ever you have to back must be returned via the workflow outputs

Comment by: @frankkilcommins
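
An added illustration of the question raised above (not code from the specification or from anyone in this thread): a small checker that contrasts a permissive pattern, where any name may follow `$steps.<stepId>.`, with a restricted one that only accepts `$steps.<stepId>.outputs.<name>`. The regular expressions, the `NAME` character set and the helpers `classify` and `find_bypasses` are assumptions made for this example, not the spec's ABNF.

```python
import re

# Assumed shape of a step id / property name; the spec's ABNF is not reproduced here.
NAME = r"[A-Za-z0-9_-]+"

# Permissive form described in the issue: any dotted path after "$steps.<stepId>."
PERMISSIVE = re.compile(rf"\$steps\.({NAME})\.({NAME}(?:\.{NAME})*)")
# Restricted form proposed in the issue: "$steps.<stepId>.outputs.<name>" only
STRICT = re.compile(rf"\$steps\.({NAME})\.outputs\.({NAME})")


def classify(expr: str) -> str:
    """Return 'via-outputs', 'bypasses-outputs', or 'not-steps-expression'."""
    if STRICT.fullmatch(expr):
        return "via-outputs"
    if PERMISSIVE.fullmatch(expr):
        return "bypasses-outputs"
    return "not-steps-expression"


def find_bypasses(expressions):
    """List (stepId, path) for each expression that reads step data without going through outputs."""
    hits = []
    for expr in expressions:
        if classify(expr) == "bypasses-outputs":
            step, path = PERMISSIVE.fullmatch(expr).groups()
            hits.append((step, path))
    return hits


# Expressions quoted in the issue, plus one constructed non-$steps expression.
SAMPLES = [
    "$steps.myGreatStep.response.body.foo",
    "$steps.myGreatStep.outputs.foo",
    "$steps.someStep.pets",
    "$steps.someStep.outputs.pets",
    "$inputs.petId",  # constructed
]

if __name__ == "__main__":
    for e in SAMPLES:
        print(f"{classify(e):22} {e}")
```

Run over a workflow's expressions, `find_bypasses` lists every reference that the restricted form would reject, which is the set a reviewer would need to check for unintended data access.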

@jeremyfiel