urbit / vere

An implementation of the Urbit runtime
MIT License

Validate desk names from Clay effects #610

Open tiller-tolbus opened 5 months ago

tiller-tolbus commented 5 months ago

Per convo with @joemfb, unix.c is not guaranteed to prevent disastrous outcomes from malformed %ergo effects coming from Clay, such as attempts to write to .urb or .run.

Desired case is that there is, at least, a hard-coded and unified list of paths that Vere will not write to as the result of a Clay effect.

Such a unified list of paths should also include a .host directory so that providers have a safe place to put pier-specific files that won't be touched by the runtime.

joemfb commented 5 months ago

Rather than an explicit whitelist, ensuring that clay mountpoint names (i.e., desks) conform to (sane %tas) is probably the simplest way to accomplish this. That would need to be done in each of the desk-relevant effect handlers in unix.c: u3_unix_ef_ergo(), u3_unix_ef_ogre(), u3_unix_ef_*() ...
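As an added illustration of the two proposals in this thread (not code from vere or from either commenter), here is a plain-C gate that checks a desk name against term syntax and against the hard-coded reserved list from the first comment. The term rules below are my reading of @tas syntax and are an assumption to verify against hoon.hoon; the function and array names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumed @tas rules: first byte a lowercase ASCII letter; remaining bytes
 * lowercase letters, digits or '-'; no trailing '-' and no "--" run.
 * The empty name is rejected outright, since it is not a usable mountpoint. */
int desk_name_is_term(const char *name)
{
    size_t i, len;
    if (name == NULL || (len = strlen(name)) == 0) return 0;
    if (name[0] < 'a' || name[0] > 'z') return 0;
    for (i = 1; i < len; i++) {
        char c = name[i];
        if ((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')) continue;
        if (c != '-') return 0;           /* '.', '/', uppercase, etc. */
        if (i + 1 == len) return 0;       /* trailing hyphen */
        if (name[i - 1] == '-') return 0; /* doubled hyphen */
    }
    return 1;
}

/* Runtime-owned pier entries no Clay effect may touch (constructed list:
 * .urb and .run from the issue, .host as the proposed provider directory). */
static const char *const reserved_paths[] = { ".urb", ".run", ".host" };

int desk_name_is_reserved(const char *name)
{
    size_t i, n = sizeof reserved_paths / sizeof reserved_paths[0];
    for (i = 0; i < n; i++)
        if (strcmp(name, reserved_paths[i]) == 0) return 1;
    return 0;
}

/* Gate for an effect handler: a term can never begin with '.', so the term
 * check alone rejects .urb/.run; the denylist stays as defence in depth. */
int desk_name_ok(const char *name)
{
    return desk_name_is_term(name) && !desk_name_is_reserved(name);
}

int main(void)
{
    /* constructed sample names, including the dangerous ones from the issue */
    const char *s[] = { "base", "garden-dev", ".urb", ".run", "../x", "kids-", "a--b" };
    size_t i;
    for (i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-12s -> %s\n", s[i], desk_name_ok(s[i]) ? "ok" : "reject");
    return 0;
}
```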