Mirrors/wrkflw
1
0
Fork 0
mirror of https://github.com/bahdotsh/wrkflw.git synced 2026-02-24 03:49:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
fix/remote-workflow-tempdir-lifecycle
wrkflw/tests/security_demo.yml
bahdotsh 460357d9fe feat: Add comprehensive sandboxing for secure emulation mode 
Security Features:
- Implement secure emulation runtime with command sandboxing
- Add command validation, filtering, and dangerous pattern detection
- Block harmful commands like 'rm -rf /', 'sudo', 'dd', etc.
- Add resource limits (CPU, memory, execution time, process count)
- Implement filesystem isolation and access controls
- Add environment variable sanitization
- Support shell operators (&&, ||, |, ;) with proper parsing

New Runtime Mode:
- Add 'secure-emulation' runtime option to CLI
- Update UI to support new runtime mode with green security indicator
- Mark legacy 'emulation' mode as unsafe in help text
- Default to secure mode for local development safety

Documentation:
- Create comprehensive security documentation (README_SECURITY.md)
- Update main README with security mode information
- Add example workflows demonstrating safe vs dangerous commands
- Include migration guide and best practices

Testing:
- Add comprehensive test suite for sandbox functionality
- Include security demo workflows for testing
- Test dangerous command blocking and safe command execution
- Verify resource limits and timeout functionality

Code Quality:
- Fix all clippy warnings with proper struct initialization
- Add proper error handling and user-friendly security messages
- Implement comprehensive logging for security events
- Follow Rust best practices throughout

This addresses security concerns by preventing accidental harmful
commands while maintaining full compatibility with legitimate CI/CD
workflows. Users can now safely run untrusted workflows locally
without risk to their host system.
2025-08-13 14:30:51 +05:30

93 lines
2.5 KiB
YAML
Raw Permalink Blame History

name: Security Demo Workflow
on:
push:
workflow_dispatch:
jobs:
safe_commands:
name: Safe Commands (Will Pass)
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: List project files
run: ls -la
- name: Show current directory
run: pwd
- name: Echo a message
run: echo "This command is safe and will execute successfully"
- name: Check Rust version (if available)
run: rustc --version || echo "Rust not installed"
- name: Build documentation
run: echo "Building docs..." && mkdir -p target/doc
- name: Show environment
run: env | grep GITHUB
dangerous_commands:
name: Dangerous Commands (Will Be Blocked)
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
# These commands will be blocked in secure emulation mode
- name: Dangerous file deletion
run: rm -rf /tmp/* # This will be BLOCKED
continue-on-error: true
- name: System modification attempt
run: sudo apt-get update # This will be BLOCKED
continue-on-error: true
- name: Network download attempt
run: wget https://example.com/script.sh # This will be BLOCKED
continue-on-error: true
- name: Process manipulation
run: kill -9 $$ # This will be BLOCKED
continue-on-error: true
resource_intensive:
name: Resource Limits Test
runs-on: ubuntu-latest
steps:
- name: CPU intensive task
run: |
echo "Testing resource limits..."
# This might hit CPU or time limits
for i in {1..1000}; do
echo "Iteration $i"
sleep 0.1
done
continue-on-error: true
filesystem_test:
name: Filesystem Access Test
runs-on: ubuntu-latest
steps:
- name: Create files in allowed location
run: |
mkdir -p ./test-output
echo "test content" > ./test-output/safe-file.txt
cat ./test-output/safe-file.txt
- name: Attempt to access system files
run: cat /etc/passwd # This may be blocked
continue-on-error: true
- name: Show allowed file operations
run: |
echo "Safe file operations:"
touch ./temp-file.txt
echo "content" > ./temp-file.txt
cat ./temp-file.txt
rm ./temp-file.txt
echo "File operations completed safely"
Reference in New Issue View Git Blame Copy Permalink