feat(volume-browser): absolute scope with allowlist security

- Add 'absolute' volume scope for direct host paths (NFS, external mounts)
- Allowlist in settings: allowed_volume_paths (JSON array of prefixes)
- Validation: absolute source must be under an allowed prefix
- Empty allowlist = absolute scope disabled entirely
- Settings API exposes/validates allowed_volume_paths
- Frontend type updated with absolute scope
2026-04-01 23:31:27 +03:00
parent 0491849f0f
commit 582e7e39e3
8 changed files with 165 additions and 22 deletions
+3
@@ -57,6 +57,7 @@ type Settings struct {
BaseVolumePath string `json:"base_volume_path"`
SSLCertificateID int `json:"ssl_certificate_id"`
StaleThresholdDays int `json:"stale_threshold_days"`
AllowedVolumePaths string `json:"allowed_volume_paths"` // JSON array of allowed absolute paths
UpdatedAt string `json:"updated_at"`
}
@@ -120,12 +121,14 @@ const (
VolumeScopeProjectNamed VolumeScope = "project_named"
VolumeScopeNamed VolumeScope = "named"
VolumeScopeEphemeral VolumeScope = "ephemeral"
VolumeScopeAbsolute VolumeScope = "absolute"
)
// ValidVolumeScopes contains all valid scope values for validation.
var ValidVolumeScopes = []VolumeScope{
VolumeScopeInstance, VolumeScopeStage, VolumeScopeProject,
VolumeScopeProjectNamed, VolumeScopeNamed, VolumeScopeEphemeral,
VolumeScopeAbsolute,
}
// IsValidVolumeScope returns true if the given string is a valid scope.
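Review bot: Adding `VolumeScopeAbsolute` to `ValidVolumeScopes` means scope validation alone now accepts `absolute`, even when `AllowedVolumePaths` is empty, so the allowlist has to be enforced separately wherever a volume source is accepted; that check is not in this file section and should be confirmed on every create and update path. Because the allowlist is stored as a JSON-encoded string, each consumer has to parse it, and a malformed value should presumably fail closed (absolute scope disabled) rather than be skipped. The field comment could state that contract, e.g. `// JSON array of absolute path prefixes; empty or unparsable disables the absolute scope`. If the prefix comparison is a plain string-prefix test, it should run on cleaned paths and on a path-separator boundary, so that an allowed prefix such as `/mnt/data` (constructed example) does not also admit `/mnt/data2`. The body of `IsValidVolumeScope` lies outside the hunk.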