Mirrors/wrkflw
1
0
Fork 0
mirror of https://github.com/bahdotsh/wrkflw.git synced 2025-12-18 20:49:28 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
fix/php-workflow-issues
wrkflw/tests/safe_workflow.yml
bahdotsh 460357d9fe feat: Add comprehensive sandboxing for secure emulation mode 
Security Features:
- Implement secure emulation runtime with command sandboxing
- Add command validation, filtering, and dangerous pattern detection
- Block harmful commands like 'rm -rf /', 'sudo', 'dd', etc.
- Add resource limits (CPU, memory, execution time, process count)
- Implement filesystem isolation and access controls
- Add environment variable sanitization
- Support shell operators (&&, ||, |, ;) with proper parsing

New Runtime Mode:
- Add 'secure-emulation' runtime option to CLI
- Update UI to support new runtime mode with green security indicator
- Mark legacy 'emulation' mode as unsafe in help text
- Default to secure mode for local development safety

Documentation:
- Create comprehensive security documentation (README_SECURITY.md)
- Update main README with security mode information
- Add example workflows demonstrating safe vs dangerous commands
- Include migration guide and best practices

Testing:
- Add comprehensive test suite for sandbox functionality
- Include security demo workflows for testing
- Test dangerous command blocking and safe command execution
- Verify resource limits and timeout functionality

Code Quality:
- Fix all clippy warnings with proper struct initialization
- Add proper error handling and user-friendly security messages
- Implement comprehensive logging for security events
- Follow Rust best practices throughout

This addresses security concerns by preventing accidental harmful
commands while maintaining full compatibility with legitimate CI/CD
workflows. Users can now safely run untrusted workflows locally
without risk to their host system.
2025-08-13 14:30:51 +05:30

36 lines
816 B
YAML
Raw Permalink Blame History

name: Safe Workflow Test
on:
push:
workflow_dispatch:
jobs:
safe_operations:
name: Safe Operations
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: List files
run: ls -la
- name: Show current directory
run: pwd
- name: Echo message
run: echo "Hello, this is a safe command!"
- name: Create and read file
run: |
echo "test content" > safe-file.txt
cat safe-file.txt
rm safe-file.txt
- name: Show environment (safe)
run: echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
- name: Check if Rust is available
run: which rustc && rustc --version || echo "Rust not found"
continue-on-error: true
Reference in New Issue View Git Blame Copy Permalink