Should ABNF restrict references to outputs for runtime expressions using $steps?
Current Situation: The ABNF allows any name after $steps., enabling references like $steps.myGreatStep.response.body.foo.
Intended restriction: To promote consistency and prevent unintended data access, should the ABNF be modified to restrict references exclusively to outputs (e.g., $steps.myGreatStep.outputs.foo)?
Is the spec example correct?
Issue: The example $steps.someStep.pets does not include outputs, which seems inconsistent with the intended pattern. (And it also doesn't include a reference to body, header, etc...)
Clarification needed: Should the example be updated to include outputs, making it $steps.someStep.outputs.pets to align with the intended usage?
Implications of not restricting to outputs
Potential risks: Allowing flexible references might lead to accessing sensitive or unintended data from other parts of the step’s data structure.
Best practices: Is it advisable to enforce a stricter ABNF definition to ensure that all necessary data is funneled through outputs for better control and security?
Supporting info
From the spec:
Step output value: $steps.someStep.pets
In situations where the output named property returns payloads, references may be made to portions of the response body or the entire body.
From an issue comment
Comment by: @frankkilcommins
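The two grammars under discussion (any name after `$steps.` versus `$steps.<step>.outputs.<name>` only) side by side, as an added illustration that is not part of the issue or the Arazzo specification. The grammar fragments, the `resolve` helper and the step context are assumptions constructed for this example, not the spec's ABNF verbatim.

```python
import re

# Constructed step context: a step's raw response next to the outputs it declares.
STEP_CONTEXT = {
    "myGreatStep": {
        "response": {"body": {"foo": "raw-foo", "apiKey": "not-meant-to-be-exposed"}},
        "outputs": {"foo": "raw-foo"},
    }
}

# Assumed, simplified grammar fragments (illustration only, not the spec's ABNF).
NAME = r"[A-Za-z0-9_-]+"
# Permissive form: "$steps." name *("." name) -- any path under the step is accepted.
PERMISSIVE = re.compile(rf"^\$steps\.({NAME})((?:\.{NAME})*)$")
# Restricted form: "$steps." step-name ".outputs." name *("." name) -- outputs only.
RESTRICTED = re.compile(rf"^\$steps\.({NAME})\.outputs\.({NAME}(?:\.{NAME})*)$")


def resolve(expr, ctx=STEP_CONTEXT, restricted=True):
    """Resolve a $steps runtime expression against ctx.

    Returns the referenced value, or None when the grammar rejects the
    expression or the path does not exist in the step's data.
    """
    pattern = RESTRICTED if restricted else PERMISSIVE
    m = pattern.match(expr)
    if not m:
        return None
    step = ctx.get(m.group(1))
    if step is None:
        return None
    if restricted:
        # Everything after "outputs." is looked up under the declared outputs only.
        path = ["outputs", *m.group(2).split(".")]
    else:
        # The permissive grammar walks whatever path the expression names.
        path = m.group(2).lstrip(".").split(".") if m.group(2) else []
    node = step
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node
```

With the restricted grammar, `$steps.myGreatStep.response.body.apiKey` is rejected outright, while the permissive grammar hands back a response field the step never declared as an output.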