fix: Don't apply saferEval default length cap to workflow substitution#8635
Open
ryuwd wants to merge 1 commit into
Open
fix: Don't apply saferEval default length cap to workflow substitution#8635ryuwd wants to merge 1 commit into
ryuwd wants to merge 1 commit into
Conversation
Commit bf6858d replaced eval() with saferEval() in Workflow/Utility.substitute to avoid evaluating arbitrary code. saferEval enforces a 2048-byte cap, but non-string workflow parameters (lists/dicts) are KB-scale and routinely exceed it, so substituting variables into a large parameter failed with "Object string is too long (>2048 bytes)". Pass a generous finite cap (1 MiB) at this call site instead of the 2048 default, matching the fix in WorkflowReader. literal_eval still prevents code execution regardless of content; the ceiling remains as defence-in-depth against pathological/malicious input. SaferEval's default is unchanged for its other callers.
This was referenced Jun 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Missed a call site, there are probably other ones in the Transformation System that need to be checked. This matches the fix in WorkflowReader.
BEGINRELEASENOTES
*Workflow
FIX: Don't apply saferEval default length cap to workflow substitution
ENDRELEASENOTES