Set fs._unpatched when patching the 'node:fs' module #793

Merged
merged 1 commit into from
Jan 24, 2023


gonzojive
Contributor

This allows inspecting the unsandboxed view of the file system if it's needed, such as for writing other sandbox guarding logic.

…library.

This allows inspecting the unsandboxed view of the file system if it's needed.
@CLAassistant

CLAassistant commented Jan 15, 2023

CLA assistant check
All committers have signed the CLA.

gonzojive added a commit to gonzojive/rules_esbuild that referenced this pull request Jan 15, 2023
This implementation uses an OnLoad plugin to catch when a file is loaded that is
not in an allowlist of files. The allowlist is all the files within the
BAZEL_BINDIR and all of the symlink targets of those files.

This may not prevent all sandbox escaping modes. The esbuild Go code may still
access unsandboxed files in the course of loading files that are in the sandbox.

Addresses aspect-build#58 and requires
aspect-build/rules_js#793 to work properly.
Member

@gregmagolan gregmagolan left a comment


LGTM. Thanks for the PR

@gregmagolan gregmagolan merged commit cefe139 into aspect-build:main Jan 24, 2023