various: harden input validation; add SSRF protection; fix default API key role

Default API key role was "admin", which was something that I forgot to fix during testing. We change it to "read-only". Additionally repository URLs now reject `file://` scheme (another testing artifact) localhost, private IP ranges, and cloud metadata endpoints. Nix expressions reject path traversal (`..`) and absolute paths. Validation is called at the evaluator endtrypoint before command construction. Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: I35729c6aa9ec4ff8d1ea19bd57ea93646a6a6964
2026-02-15 22:41:59 +03:00 · 2026-02-15 22:41:59 +03:00 · aa4ebf2f5b
commit aa4ebf2f5b
parent a2b638d4db
3 changed files with 192 additions and 12 deletions
--- a/crates/common/src/config.rs
+++ b/crates/common/src/config.rs
@ -402,7 +402,7 @@ const fn default_scheduling_shares() -> i32 {
 }

 fn default_role() -> String {
-  "admin".to_string()
+  "read-only".to_string()
 }

 #[derive(Debug, Clone, Serialize, Deserialize)]
@ -764,6 +764,17 @@ mod tests {
    assert!(parsed.declarative.projects.is_empty());
  }

+  #[test]
+  fn test_declarative_api_key_default_role_is_read_only() {
+    let toml_str = r#"
+            [[api_keys]]
+            name = "default-key"
+            key = "fc_test_123"
+        "#;
+    let config: DeclarativeConfig = toml::from_str(toml_str).unwrap();
+    assert_eq!(config.api_keys[0].role, "read-only");
+  }
+
  #[test]
  fn test_environment_override() {
    // Test environment variable parsing directly