search

wasmCloud / wasmcloud-otp

wasmCloud host runtime that leverages Elixir/OTP and Rust to provide simple, secure, distributed application development using the actor model
Apache License 2.0
228 stars 48 forks source link

Only upload resources with embedded claims #38

Closed brooksmtownsend closed 3 years ago

brooksmtownsend commented 3 years ago

Related to #3, supporting OCI artifacts should also only allow resources with embedded claims

Currently, we allow consumers of the web UI to upload signed wasm files to launch as actors (good) and executables to run as a child process as providers (bad). There are numerous security implications with running an unverified executable, and we should mitigate the majority of those by only allowing providers in a provider-archive or similar format so we can validate claims before starting the executable.

brooksmtownsend commented 3 years ago

Closing in favor of https://github.com/wasmCloud/wasmcloud-otp/issues/149