Notebook validation and security concerns #39

Open
Carreau opened this issue Jun 8, 2022 · 0 comments

Carreau commented Jun 8, 2022

So I'm moving a generic bug issue across the Jupyter projects to the security workgroup.
It's not yet a security issue, but the practices and recent modifications are raising concern.

Quick summary:

  • There were a few bug reports of "trusted" notebooks that would not be trusted upon reopening.
  • I tracked part of that down to the notebook notary/nbformat API.
  • The sequence of events is compute-notebook-signature, validate-and-save (no errors), load-notebook, but the signature does not match.
  • The problem being that the "validate" step tries to helpfully fix any inconsistency AND mutates its input arguments.

Once validate started to do some mutation and fixing, it has proliferated, and what used to be a check is now not only not a check anymore, but creates unintended side effects in notebook models.

So I would appreciate help in pushing for a new, cleaner API in nbformat, making sure validate() does not mutate anything, likely introducing an explicit normalized() (returning a copy), utilities, and updating downstream projects.

See jupyter/nbformat#282
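
A simplified model of the sequence described in the issue above, as an added example that is not part of the original issue and is not nbformat's code: it shows a signature computed before a mutating validate step failing to match after save and reload, next to a non-mutating check with an explicit copy-returning normalize step. The function names, the HMAC key, the repair rules and the sample notebook are all hypothetical or constructed for this illustration.

```python
import copy, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed; stands in for the notary's secret

def sign(nb):
    """HMAC-SHA256 over a canonical JSON serialization of the notebook dict."""
    blob = json.dumps(nb, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET, blob, hashlib.sha256).hexdigest()

def _problems(nb):
    """Yield (cell_index, missing_key, default) for each inconsistency found."""
    for i, cell in enumerate(nb["cells"]):
        if "metadata" not in cell:
            yield i, "metadata", {}
        if cell["cell_type"] == "code" and "outputs" not in cell:
            yield i, "outputs", []

def validate_mutating(nb):
    """The pattern at issue: a 'check' that silently repairs its own argument."""
    for i, key, default in list(_problems(nb)):
        nb["cells"][i][key] = default

def validate(nb):
    """Pure check: reports problems and never touches nb."""
    return [f"cell {i}: missing {key!r}" for i, key, _ in _problems(nb)]

def normalized(nb):
    """Explicit repair step: returns a fixed copy, leaves the input alone."""
    fixed = copy.deepcopy(nb)
    validate_mutating(fixed)
    return fixed

def roundtrip(nb, fix_first):
    """Return True if the signature still matches after save and reload."""
    if fix_first:
        nb = normalized(nb)          # repair explicitly, before signing
        assert validate(nb) == []    # the check is now only a check
        sig = sign(nb)
    else:
        sig = sign(nb)               # compute-notebook-signature
        validate_mutating(nb)        # validate-and-save mutates what was signed
    saved = json.dumps(nb)
    return hmac.compare_digest(sig, sign(json.loads(saved)))  # load-notebook

# Constructed sample: a code cell lacking "metadata" and "outputs".
SAMPLE = {"nbformat": 4, "metadata": {}, "cells": [{"cell_type": "code", "source": "1+1"}]}
```

Calling `roundtrip(copy.deepcopy(SAMPLE), fix_first=False)` reproduces the mismatch, while `fix_first=True` keeps the signature stable because the bytes that were signed are the bytes that were saved.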
