search

nodejs / uvwasi

WASI syscall API built atop libuv
MIT License
225 stars 49 forks source link

question: sandbox for following symlinks #226

Open shqld opened 1 year ago

shqld commented 1 year ago

It looks there is differences about handling symlinks between uvwasi and wasmtime.

Assuming #224 was merged and given the file path is /var/dir/file and sandbox root is /var/dir:

Link Target \ Runtime wasmtime uvwasi (memo)
/var/dir/file NG OK wasmtime prohibits absolute paths without exception
./file OK OK
../file NG NG not in the sandbox root
../dir/file NG OK wasmtime prohibits relative paths referencing a path that once deviates from the root of the sandbox

I'd like to know whether this is expected behavior for uvwasi.

mhdawson commented 1 year ago

To confirm so you are aware your earlier PR and related questions from others have kicked off discussion on the topic and related issues which may take us a bit of time to get through.

shqld commented 1 year ago

Understood, thank you so much.