Impact
We added the plugin_only mode in PR 180.
This mode was intended for users who only want to call plugins without generating any code.
However, a malicious user is able to violate the plugin_only mode using injection attacks.
This issue affects all versions of TaskWeaver before PR 250 if the plugin_only mode is enabled. It has no effect if the plugin_only mode is not enabled.
We recommend that all users upgrade to the latest version of TaskWeaver to avoid this issue.
Patches
This issue is addressed in PR 250.