nutshimit / mashin

Mashin is an extensible Rust-powered Infrastructure as Code (IaC) platform with a JavaScript runtime, simplifying cloud resource management through a seamless combination of custom providers and expressive scripting.
https://mashin.land
MIT License
20 stars 2 forks

Permissions #32

Open lemarier opened 1 year ago

lemarier commented 1 year ago

Is there an existing issue?

Motivation

We need to do some research and a POC on what's the best solution to limit the cdylib.

The engine restricts access to all external resources, such as environment variables and the file system. To grant access to a specific resource, users must explicitly allow it using command-line flags.

Request

For example, to access an environment variable, the user must use the --allow-env=VARIABLE_NAME flag:

mashin run --allow-env=AWS_API_KEY https://mashin.land/test/create_namespace.ts

Similarly, to access the file system, users must use the --allow-read and --allow-write flags, specifying the paths they want to grant read or write access to:

mashin run --allow-read=/path/to/config --allow-write=/path/to/output https://mashin.land/test/create_namespace.ts

This permission system significantly reduces the risk of data leakage and ensures that the execution environment remains secure and controlled.

Solution

No response

Are you willing to help with this request?

Yes!
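A sketch of the deny-by-default check the issue describes, added here as an example and not taken from the Mashin code base. The `Permissions` type, its method names and the comma-separated value syntax are assumptions; only the three flag names come from the issue. It gates calls routed through the engine and does not by itself constrain native code inside a loaded provider cdylib.

```rust
use std::collections::HashSet;
use std::path::{Component, Path, PathBuf};
/// Deny-by-default permission set built from the flags proposed in the issue (hypothetical type).
#[derive(Default)]
pub struct Permissions {
    env: HashSet<String>,
    read: Vec<PathBuf>,
    write: Vec<PathBuf>,
}

/// Resolve `.` and `..` lexically (symlinks are not followed) so `dir/../..` cannot pass the prefix check.
fn normalize(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

impl Permissions {
    /// Parse `--allow-env=`, `--allow-read=`, `--allow-write=`; comma-separated values are an assumption.
    pub fn from_args<'a>(args: impl IntoIterator<Item = &'a str>) -> Self {
        let mut p = Permissions::default();
        for arg in args {
            let Some((flag, value)) = arg.split_once('=') else { continue };
            for v in value.split(',').filter(|v| !v.is_empty()) {
                match flag {
                    "--allow-env" => { p.env.insert(v.to_string()); }
                    "--allow-read" => p.read.push(normalize(Path::new(v))),
                    "--allow-write" => p.write.push(normalize(Path::new(v))),
                    _ => {} // unknown flags grant nothing
                }
            }
        }
        p
    }
    pub fn check_env(&self, name: &str) -> bool { self.env.contains(name) }
    pub fn check_read(&self, path: &str) -> bool { Self::covered(&self.read, path) }
    pub fn check_write(&self, path: &str) -> bool { Self::covered(&self.write, path) }
    /// Component-wise prefix match: `/path/to/config` does not grant `/path/to/config-old`.
    fn covered(allowed: &[PathBuf], path: &str) -> bool {
        let target = normalize(Path::new(path));
        target.is_absolute() && allowed.iter().any(|a| target.starts_with(a))
    }
}
```

Because normalization is lexical only, a symlink inside an allowed directory can still point outside it; resolving the real path before the check would close that gap.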