Problem statement
The safe Sprig function allowlist in `templating/funcs.go` includes filesystem path helpers: `osBase`, `osClean`, `osDir`, `osExt`, `osIsAbs`. These functions operate on string arguments (not the filesystem), but they could leak host path structure information if a template author passes server-side values through them.
Additionally, there is no test that fails when Sprig adds new functions in future versions, meaning new potentially dangerous functions could silently become available.
Proposed change
- Evaluate whether `osBase`, `osClean`, `osDir`, `osExt`, `osIsAbs` belong in the safe list. They operate on strings only (no filesystem access), but they reveal OS-specific path semantics. Decide and document the reasoning either way.
- Add a comprehensive Sprig function audit test that fails if unreviewed functions appear:

```go
package templating

import (
	"testing"

	"github.com/Masterminds/sprig/v3"
)

// isInSafeList / isInDenyList are expected to wrap the existing allow and deny lists.
func TestAllSprigFunctionsExplicitlyReviewed(t *testing.T) {
	all := sprig.TxtFuncMap() // every function the current Sprig version exports
	for name := range all {
		if !isInSafeList(name) && !isInDenyList(name) {
			t.Errorf("unreviewed Sprig function: %s — add to safe or deny list", name)
		}
	}
}
```
This ensures any Sprig version bump forces an explicit review of new functions.
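The audit logic described above, as an added, self-contained example that is not the project's own code: it stands in for `sprig.TxtFuncMap()` with a constructed map (`sampleFuncMap`) containing one deliberately unreviewed name, uses hypothetical `reviewedSafe` / `reviewedDeny` lists in place of the real ones, and adds two checks a reviewer would want next to the gap test: no name on both lists, and a filtered map that only ever exposes safe-listed functions to templates, so a new library function cannot reach a template even before the audit test is updated.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
	"text/template"
)

// reviewedSafe and reviewedDeny are constructed sample lists for this example,
// standing in for the project's real allow and deny lists (hypothetical names).
var reviewedSafe = map[string]bool{
	"upper": true, "lower": true, "trim": true,
	"osBase": true, "osClean": true, "osDir": true, "osExt": true, "osIsAbs": true,
}

var reviewedDeny = map[string]bool{
	"env": true, "expandenv": true, "repeat": true, "seq": true,
	"until": true, "untilStep": true, "getHostByName": true,
}

// sampleFuncMap is a constructed stand-in for sprig.TxtFuncMap(). It holds a
// few reviewed names plus one that is on neither list, as a Sprig version bump
// might introduce, so the audit has something to flag.
func sampleFuncMap() template.FuncMap {
	return template.FuncMap{
		"upper":        strings.ToUpper,
		"lower":        strings.ToLower,
		"trim":         strings.TrimSpace,
		"osBase":       filepath.Base, // string-only path helper, no filesystem access
		"osDir":        filepath.Dir,
		"env":          os.Getenv, // denied: reads the process environment
		"newSprigFunc": func(s string) string { return s }, // hypothetical, unreviewed
	}
}

// UnreviewedFunctions returns, sorted, every name in all that appears on neither
// list. An empty result means every library function has been reviewed.
func UnreviewedFunctions(all template.FuncMap, safe, deny map[string]bool) []string {
	var missing []string
	for name := range all {
		if !safe[name] && !deny[name] {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

// Overlap returns names present on both lists; a function that is both allowed
// and denied is a review mistake the audit should catch as well.
func Overlap(safe, deny map[string]bool) []string {
	var both []string
	for name := range safe {
		if deny[name] {
			both = append(both, name)
		}
	}
	sort.Strings(both)
	return both
}

// SafeFuncMap builds the map actually handed to templates: only names that the
// library provides and that are explicitly safe-listed survive, so neither a
// stale safe-list entry nor a newly added library function reaches a template.
func SafeFuncMap(all template.FuncMap, safe map[string]bool) template.FuncMap {
	out := template.FuncMap{}
	for name, fn := range all {
		if safe[name] {
			out[name] = fn
		}
	}
	return out
}

func main() {
	all := sampleFuncMap()
	if missing := UnreviewedFunctions(all, reviewedSafe, reviewedDeny); len(missing) > 0 {
		fmt.Println("unreviewed Sprig functions:", missing)
	}
	if both := Overlap(reviewedSafe, reviewedDeny); len(both) > 0 {
		fmt.Println("functions on both lists:", both)
	}
	fmt.Println("functions exposed to templates:", len(SafeFuncMap(all, reviewedSafe)))
}
```

Running it reports `newSprigFunc` as unreviewed while `env` is silently dropped from the exposed map; in the real test the constructed map would be replaced by `sprig.TxtFuncMap()` and the result of `UnreviewedFunctions` turned into `t.Errorf` calls.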
Affected area
templating
Compatibility / migration
If any os* functions are removed from the safe list, templates using them would fail validation. This would be a minor breaking change requiring a changelog note.
Alternatives considered
- Keeping all os* functions — they are string-only and don't touch the filesystem. The risk is information leakage, not code execution.
Additional context
The existing denylist test in `funcs_test.go` checks `env`, `expandenv`, `repeat`, `seq`, `until`, `untilStep`, `getHostByName`. This issue proposes making that test exhaustive. Identified during security review.