Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Throw an error when esbuild loads a file outside the bazel sandbox. #112

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

gonzojive
Copy link

@gonzojive gonzojive commented Jan 15, 2023

This implementation uses an OnLoad plugin to catch when a file is loaded that is not in an allowlist of files. The allowlist is all the files within the BAZEL_BINDIR and all of the symlink targets of those files.

This may not prevent all sandbox escaping modes. The esbuild Go code may still access unsandboxed files in the course of loading files that are in the sanbox.

Addresses #58 and requires aspect-build/rules_js#793 to work properly.


This PR is based on #32, but I lost the attribution in the commit log.

@CLAassistant
Copy link

CLAassistant commented Jan 15, 2023

CLA assistant check
All committers have signed the CLA.

@gonzojive gonzojive force-pushed the sandbox-escape-error-clean branch from 9d80130 to 9c2159e Compare January 15, 2023 19:57
This implementation uses an OnLoad plugin to catch when a file is loaded that is
not in an allowlist of files. The allowlist is all the files within the
BAZEL_BINDIR and all of the symlink targets of those files.

This may not prevent all sandbox escaping modes. The esbuild Go code may still
access unsandboxed files in the course of loading files that are in the sanbox.

Addresses aspect-build#58 and requires
aspect-build/rules_js#793 to work properly.
@alexeagle
Copy link
Member

@gregmagolan what are the next steps with this one?

@gonzojive
Copy link
Author

ping?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request in review
Projects
Status: 👀 In review
Development

Successfully merging this pull request may close these issues.

4 participants