The overall problem is caused by the format method, which internally does eval... I'm unsure if we can restrict the behavior in format or replace it without breaking the existing usage such as "{0}_{1}" or "{foo}_{bar}".
As a safeguard we can introduce an option to disable the format function completely. However, it may affect any deployment where a user is using the format yaql function with valid "safe" usage.
https://github.com/openstack/yaql/blob/0d63eb1346c829c0ce818dd2e00590af6330a0f3/yaql/standard_library/strings.py#L567-L596
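A middle ground between leaving format unrestricted and disabling it outright is a wrapper that keeps the plain usage named above ("{0}_{1}", "{foo}_{bar}") and refuses any replacement field that walks into an argument. This is an added example, not code from the bug report or from yaql, and it assumes the dangerous part of exposing Python's str.format is attribute or item traversal inside replacement fields; the names check_template, is_safe_template and safe_format are hypothetical.

```python
"""Restricted str.format wrapper (added example, not yaql's own code).

Assumption: the risk in exposing str.format to untrusted templates is that a
replacement field can traverse attributes or items of the arguments it is
given (field names containing '.' or '['). Plain positional and keyword
fields such as "{0}_{1}" and "{foo}_{bar}" are kept working.
"""
import string

_PARSER = string.Formatter()


class UnsafeFormatField(ValueError):
    """Raised for a replacement field this wrapper refuses to evaluate."""


def check_template(template):
    """Return the plain field names used in template, or raise UnsafeFormatField."""
    fields = []
    for _literal, field_name, format_spec, _conversion in _PARSER.parse(template):
        if field_name is None:  # trailing literal text, no replacement field here
            continue
        # '.' or '[' in the field name means attribute or item access on an argument.
        if "." in field_name or "[" in field_name:
            raise UnsafeFormatField("attribute/item access not allowed: {%s}" % field_name)
        # str.format also expands nested fields inside the spec ("{0:{1}}");
        # keep the check simple by refusing those as well.
        if format_spec and "{" in format_spec:
            raise UnsafeFormatField("nested field in format spec not allowed")
        fields.append(field_name)
    return fields


def is_safe_template(template):
    """True if template only uses plain fields and parses as a valid format string."""
    try:
        check_template(template)
    except ValueError:  # covers UnsafeFormatField and malformed braces
        return False
    return True


def safe_format(template, *args, **kwargs):
    """Behaves like template.format(*args, **kwargs), restricted to plain fields."""
    check_template(template)
    return template.format(*args, **kwargs)


if __name__ == "__main__":
    print(safe_format("{0}_{1}", "a", "b"))           # a_b
    print(safe_format("{foo}_{bar}", foo="x", bar="y"))  # x_y
    print(is_safe_template("{0.real}"))              # False
```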