jkcfg / jk

Configuration as Code with ECMAScript
https://jkcfg.github.io
Apache License 2.0

Sandboxing JK #344

Closed alexec closed 4 years ago

alexec commented 4 years ago

Is it possible to run JK in a sandbox mode, e.g. with no ability to write to the FS?

alexec commented 4 years ago

You can write outside your own tree:

$ cat main.js

const alice = {
  name: 'Alice',
  beverage: 'Club-Mate',
  monitors: 2,
  languages: [
    'python',
    'haskell',
    'c++',
    '68k assembly', // Alice is cool like that!
  ],
};

// Instruct to write the alice object as a YAML file.
export default [
  { value: alice, file: `../developers/${alice.name.toLowerCase()}.yaml` },
];

$ ./jk generate main.js
# could be /etc/passwd!
$ ls ../developers

alexec commented 4 years ago

See #159

squaremo commented 4 years ago

Ulp yes, I noticed that reads are sandboxed but writes not yet, the other day while doing something tangential. They should get the same treatment (you can write under the output directory, but not outside it). I've filed #345 for this.

Re disallowing writes at all, what's the use case you have in mind, @alexec?

alexec commented 4 years ago

I think sandboxing to the root would meet safety requirements.
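
The containment rule squaremo describes above (writes allowed under the output directory, refused outside it), as an added example that is not jk's own code: a host-side check in Go that is applied to each `file` value a script returns. `ResolveOutput`, `ErrOutsideOutputDir` and the `/work/out` directory are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideOutputDir marks a requested file that would land outside the output directory.
var ErrOutsideOutputDir = errors.New("write outside output directory")

// ResolveOutput maps a script-supplied file name onto outDir and rejects any
// result that escapes it. The check is lexical only: it does not follow
// symlinks already present under outDir, which a full sandbox must also handle.
func ResolveOutput(outDir, requested string) (string, error) {
	base, err := filepath.Abs(outDir)
	if err != nil {
		return "", err
	}
	target := requested
	if !filepath.IsAbs(target) {
		target = filepath.Join(base, target)
	}
	target = filepath.Clean(target) // collapses "a/../../b" style segments
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// A relative path that is ".." or starts with "../" climbs above base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideOutputDir, requested)
	}
	return target, nil
}

func main() {
	// Constructed sample requests; the first mirrors the path used in the issue.
	samples := []string{"../developers/alice.yaml", "developers/alice.yaml", "/etc/passwd", "a/../../b.yaml"}
	for _, f := range samples {
		p, err := ResolveOutput("/work/out", f)
		fmt.Printf("%q -> %q, err=%v\n", f, p, err)
	}
}
```

Comparing the cleaned relative path, rather than testing for a string prefix on the absolute path, avoids accepting a sibling such as `/work/out-other` as if it were under `/work/out`.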