Should Liquid scripting support be removed from custom dashboards?
Summary
Should we remove support for Liquid in custom dashboards in 13.0? The
There is a separate issue for discussing which syntax (%{} or {{}} or both) we should continue supporting, since the Liquid syntax can be supported even if we remove the Liquid gem.
More details
We support variable substitution in the Prometheus proxy API, so that users can use variables like ci_environment_slug in Prometheus queries in custom dashboards and custom metrics. The syntax is %{ci_environment_slug} and the actual substitution is performed using the Ruby % operator in the backend.
In !19994 (comment 245546814), @tkuah pointed out a potential security/performance issue with using the Ruby % operator. Due to that, we introduced the Liquid gem in 12.7, which uses the {{ci_environment_slug}} syntax for variable substitution. We deprecated the %{} syntax in 12.7 and planned to remove support in 13.0.
However, as recommended by @joernchen in https://gitlab.com/gitlab-org/gitlab/-/issues/207349#note_292306557, if we do not need Liquid's scripting capabilities and only want to use it for variable substitution, it might be better to remove the Liquid gem since it adds complexity and potential security issues. Variable substitution can be performed using simpler methods (like gsub).
Note that we have not added documentation encouraging users to use the other capabilities of Liquid.
We can remove support for Liquid in 13.0 since it's a major version. Note that we can remove Liquid support only in a major version, but we can add support in any version.
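As an added illustration of the gsub-based alternative suggested above (example code, not GitLab's implementation): only placeholders whose name is on an explicit allowlist are replaced, everything else in the query is left byte-for-byte as the user wrote it. The allowlist contents, the helper name and the sample queries are assumptions for this example.

```ruby
# Added example, not GitLab's code: substitute dashboard variables into a
# Prometheus query with String#gsub over an allowlist of variable names,
# instead of the Ruby String#% operator or the Liquid gem.

# Assumption: only these variable names are recognised. The page mentions
# ci_environment_slug; any other name is left untouched in the query.
ALLOWED_VARIABLES = %w[ci_environment_slug].freeze

# Matches the %{name} placeholder syntax used by custom dashboards.
VARIABLE_PATTERN = /%\{(\w+)\}/.freeze

# query:     the raw PromQL string from the dashboard definition
# variables: Hash of String => String with the values for this request
def substitute_variables(query, variables)
  query.gsub(VARIABLE_PATTERN) do |placeholder|
    name = Regexp.last_match(1)
    if ALLOWED_VARIABLES.include?(name) && variables.key?(name)
      variables[name].to_s
    else
      # Unknown or unsupplied variable: keep the placeholder literally rather
      # than raising (String#% would raise KeyError for a missing key).
      placeholder
    end
  end
end

# gsub only rewrites the %{name} matches, so a bare "%" elsewhere in the query
# (for example the PromQL modulo operator) is never interpreted as a format
# directive, which is what String#% would try to do.
if $PROGRAM_NAME == __FILE__
  puts substitute_variables('up{env="%{ci_environment_slug}"} % 2',
                            { 'ci_environment_slug' => 'production' })
end
```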
Capabilities of Liquid
Some of the capabilities of Liquid (other than variable substitution):