So I checked the example murano resources and it seems we can reproduce a similar behavior in heat. (example template and the resource show result are being attached).
One key difference is that in heat we explicitly pass a dictionary value[1], which makes yaql create a new frozendict instance[2]. So __globals__ does not get access to code in heat, but only instances available in [2] which do not contain severely sensitive information such as CONF.
However it still leaks a few system information like python versions or python path. What we can probably attempt here is to update yaql to reject a specific pattern like '{\s+.__\s+__\s+}' to avoid access to built-in functions. It should not break any existing valid usage in heat, at least.
So I checked the example murano resources and it seems we can reproduce a similar behavior in heat. (example template and the resource show result are being attached).
One key difference is that in heat we explicitly pass a dictionary value[1], which makes yaql create a new frozendict instance[2]. So __globals__ does not get access to code in heat, but only instances available in [2] which do not contain severely sensitive information such as CONF.
[1] https:/ /github. com/openstack/ heat/blob/ 9da45ab44bb985c 633d246ba9132f1 ccc5831cfd/ heat/engine/ hot/functions. py#L1238 /github. com/openstack/ yaql/blob/ 0d63eb1346c829c 0ce818dd2e00590 af6330a0f3/ yaql/language/ utils.py# L75-L76
[2] https:/
However it still leaks a few system information like python versions or python path. What we can probably attempt here is to update yaql to reject a specific pattern like '{\s+.__\s+__\s+}' to avoid access to built-in functions. It should not break any existing valid usage in heat, at least.