website: Warn about "tofu output -raw" in a terminal

By design the "-raw" option to "tofu output" writes the literal output
value directly to stdout without any quoting or escaping, and so it's
risky to use it with an output value that could be controlled by an
attacker when stdout is a terminal.

This risk is inherent in the purpose of this option and is part of the
reason why this is not the default behavior (OpenTofu returns a quoted
representation of an output string by default) so here we just make that
risk explicit in the documentation, in the hope that operators will use
this operation mindfully.

Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
Martin Atkins
2025-11-07 09:54:41 -08:00
parent 6dec25c1fb
commit e389a7f2fa
2 changed files with 14 additions and 1 deletions


@@ -36,7 +36,17 @@ The command-line flags are all optional. The following flags are available:
it only supports string, number, and boolean values. Use `-json` instead
for processing complex data types.
* `-no-color` - If specified, output won't contain any color.
:::warning
In this mode the result is written to stdout without any quoting or escaping,
and so you should avoid using this mode when stdout is a terminal if the
output value could potentially be controlled by an attacker: the string
could potentially contain control sequences that may cause undesirable
terminal behavior.
:::
* `-no-color` - If specified, output won't contain any color. This option is
ineffective when using `-raw` with an output value that contains inline
control sequences itself.
* `-state=path` - Path to the state file. Defaults to "terraform.tfstate".
Ignored when [remote state](../../language/state/remote.mdx) is used.
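Review bot: the `:::warning` admonition is inserted at column 0 between the `-raw` bullet and the `-no-color` bullet, so it is not a continuation of the `-raw` item and its opening phrase "In this mode" has no visible referent once the list is rendered; either indent the admonition so it nests under the `-raw` item or open it with "When `-raw` is used, the result is written to stdout without any quoting or escaping, ...". The same paragraph also says "could potentially" twice in consecutive clauses; "if the output value could be controlled by an attacker: the string might contain control sequences that cause undesirable terminal behavior" says the same thing more directly.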