NotAShelf/circus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

various: harden input validation; add SSRF protection; fix default API key role

Browse source 
Default API key role was "admin", which was something that I forgot to fix during testing. We
change it to "read-only". 

Additionally repository URLs now reject `file://` scheme (another testing artifact) localhost,
private IP ranges, and cloud metadata endpoints. Nix expressions reject path traversal (`..`)
and absolute paths. Validation is called at the evaluator endtrypoint before command construction.

Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: I35729c6aa9ec4ff8d1ea19bd57ea93646a6a6964
This commit is contained in:
raf 2026-02-15 22:41:59 +03:00
commit aa4ebf2f5b
Signed by: NotAShelf
GPG key ID: 29D95B64378DB4BF
3 changed files with 192 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

4
crates/evaluator/src/nix.rs
View file

@ -114,6 +114,10 @@ pub async fn evaluate(
config: &EvaluatorConfig,
inputs: &[JobsetInput],
) -> Result<EvalResult> {
// Validate nix expression before constructing any commands
fc_common::validate::validate_nix_expression(nix_expression)
.map_err(|e| CiError::NixEval(format!("Invalid nix expression: {e}")))?;
if flake_mode {
evaluate_flake(repo_path, nix_expression, timeout, config, inputs).await
} else {