feat(volume-browser): absolute scope with allowlist security

- Add 'absolute' volume scope for direct host paths (NFS, external mounts)
- Allowlist in settings: allowed_volume_paths (JSON array of prefixes)
- Validation: absolute source must be under an allowed prefix
- Empty allowlist = absolute scope disabled entirely
- Settings API exposes/validates allowed_volume_paths
- Frontend type updated with absolute scope
2026-04-01 23:31:27 +03:00
parent 0491849f0f
commit 582e7e39e3
8 changed files with 165 additions and 22 deletions
+5 -4
@@ -74,10 +74,11 @@ func (s *Server) resolveVolumeRoot(w http.ResponseWriter, r *http.Request) (stri
q := r.URL.Query()
params := volume.ResolveParams{
BasePath: settings.BaseVolumePath,
ProjectName: proj.Name,
StageName: q.Get("stage"),
ImageTag: q.Get("tag"),
BasePath: settings.BaseVolumePath,
ProjectName: proj.Name,
StageName: q.Get("stage"),
ImageTag: q.Get("tag"),
AllowedVolumePaths: settings.AllowedVolumePaths,
}
rootPath, err := volume.ResolvePath(vol, params)
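Review bot: In the visible lines the handler only forwards the list (`AllowedVolumePaths: settings.AllowedVolumePaths`), so the whole boundary of the new absolute scope rests on a check inside `volume.ResolvePath` that this hunk does not show. It is worth confirming there that the source is normalised with `filepath.Clean` and compared on a path-component boundary rather than as a raw string prefix; with a constructed entry such as `/mnt/data`, a plain prefix match would also accept `/mnt/data-old`, and symlinks below an allowed prefix need the same consideration if the host paths are not fully trusted. I would add a comment above the new field, `// Enforced in volume.ResolvePath: absolute sources must sit under one of these prefixes; an empty list disables the scope.`, so the enforcement point is clear from the handler. resolveVolumeRoot starts and continues outside the hunk.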