Copied the schema definition for description and icon from the parameter schema (see https://github.com/coder/terraform-provider-coder/blob/main/provider/parameter.go#L184). Neither field currently has a size limit, but it might be good to add one to ensure the UI isn’t broken by overly large descriptions. Wdyt?

There is also a security consideration: we don’t seem to perform proper escaping or sanitization, which means it could be possible to inject HTML or JavaScript via the description. For the icon, since it’s used to fetch local files, we should be careful to prevent directory traversal attacks or other malicious paths.

Given that Coder typically runs on-premises, these risks might be lower, but it could still be a good practice to address them. Do we currently have any mechanisms in place to handle these concerns?

Neither field currently has a size limit

Do you mean in the provider, or in the database?

For the icon, since it’s used to fetch local files

What do you mean by 'local' here? The icon is used by the UI, and the icons are generally hosted on the control plane, although I've seen people link to icons on other domains.

There is also a security consideration: we don’t seem to perform proper escaping or sanitization

Where specifically have you checked?

Do we currently have any mechanisms in place to handle these concerns?

Template admins have a good bit of power in a Coder deployment, so there is some element of trust related to allowing users to create templates.

Do you mean in the provider, or in the database?

In both:

• provider:

  terraform-provider-coder/provider/parameter.go

  Lines 185 to 189 in d5496af

  	"description": {
  	Type: schema.TypeString,
  	Optional: true,
  	Description: "Describe what this parameter does.",
  	},

• database: https://github.com/coder/coder/blob/62dc8310d12fee1c4dab974b798cbcd3c9f0bfaf/coderd/database/dump.sql#L1545-L1549

I think it would make sense to add reasonable size limits to both description and icon, similar to what we do for templates table:

• description (128): https://github.com/coder/coder/blob/main/coderd/database/dump.sql#L1727
• icon (256): https://github.com/coder/coder/blob/dd2fb896eb90406c606f21e09cdd7680821542e7/coderd/database/dump.sql#L1730

Wdyt?

What do you mean by 'local' here? The icon is used by the UI, and the icons are generally hosted on the control plane, although I've seen people link to icons on other domains.

By "local" I meant relative paths like /icon/region.svg. Given that, someone could technically enter a path like ../../etc/passwd or something similar.

Where specifically have you checked?

I tested the integration between the Terraform provider and Coder. I inserted a description with inline JavaScript and confirmed it was passed through and stored in the database. However, from my quick test, the UI seems to display the content as plain text and doesn’t interpret or render it as raw HTML, so that is good. I didn't test the icon path.

Template admins have a good bit of power in a Coder deployment, so there is some element of trust related to allowing users to create templates.

Totally agree. Given Coder is self-hosted and template creation is an admin-level task, I don't think this is a critical issue, more of an observation from working on this PR.

I think it would make sense to add reasonable size limits to both description and icon, similar to what we do for templates table

I think that's reasonable!

By "local" I meant relative paths like /icon/region.svg. Given that, someone could technically enter a path like ../../etc/passwd or something similar.

Right, but I don't think we would expose that in our static file server though. Might be no harm to sanitize the path though, good callout!

nit: should we use rather realistic values?

I followed the naming convention used by the other parameters, as they follow a similar logic. Since this is an integration test, I don’t think adding realistic values here is necessary.