rules_esbuild

Throw an error when esbuild loads a file outside the bazel sandbox.

Open gonzojive opened this issue 2 years ago • 3 comments

This implementation uses an OnLoad plugin to catch when a file is loaded that is not in an allowlist of files. The allowlist is all the files within the BAZEL_BINDIR and all of the symlink targets of those files.

This may not prevent all sandbox escaping modes. The esbuild Go code may still access unsandboxed files in the course of loading files that are in the sandbox.

Addresses https://github.com/aspect-build/rules_esbuild/issues/58 and requires https://github.com/aspect-build/rules_js/pull/793 to work properly.


This PR is based on https://github.com/aspect-build/rules_esbuild/pull/32, but I lost the attribution in the commit log.

gonzojive avatar Jan 15 '23 19:01 gonzojive
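
A sketch of the allowlist check described in the PR description above, added here as an illustration; it is not the PR's code. The function names, the plugin name and the temp-directory tree in `demo()` are constructed for the example, and a real rule would pass the value of `BAZEL_BINDIR` as `binDir`.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Allowlist = every file under binDir plus the real path each one resolves to.
// Assumption of this sketch: symlinked directories are not descended into.
function buildAllowlist(binDir) {
  const allowed = new Set();
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const p = path.join(dir, entry.name);
      if (entry.isDirectory()) { walk(p); continue; }
      let real;
      try { real = fs.realpathSync(p); } catch { continue; } // dangling link
      if (!fs.statSync(real).isFile()) continue;
      allowed.add(p);    // the path inside the bin dir
      allowed.add(real); // its symlink target (same path for regular files)
    }
  };
  walk(binDir);
  return allowed;
}

// Returning undefined lets esbuild load the file with its default loader;
// returning { errors } fails the build with that message.
function checkLoad(allowed, file) {
  if (allowed.has(file)) return undefined;
  return { errors: [{ text: `${file} is outside the sandbox allowlist` }] };
}

function sandboxPlugin(binDir) {
  const allowed = buildAllowlist(binDir);
  return {
    name: 'sandbox-allowlist', // hypothetical plugin name
    setup(build) {
      build.onLoad({ filter: /.*/ }, (args) => checkLoad(allowed, args.path));
    },
  };
}

// Constructed tree: bin/a.js, bin/link.js -> src/b.js, and src/c.js (unlinked).
function demo() {
  const root = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'sbx-')));
  const bin = path.join(root, 'bin'), src = path.join(root, 'src');
  const a = path.join(bin, 'a.js'), b = path.join(src, 'b.js'), c = path.join(src, 'c.js');
  fs.mkdirSync(bin); fs.mkdirSync(src);
  for (const f of [a, b, c]) fs.writeFileSync(f, '');
  fs.symlinkSync(b, path.join(bin, 'link.js'));
  let onLoad; // capture the callback the way esbuild's build object would
  sandboxPlugin(bin).setup({ onLoad: (_opts, cb) => { onLoad = cb; } });
  const verdict = (p) => (onLoad({ path: p }) === undefined ? 'allow' : 'deny');
  const result = { a: verdict(a), b: verdict(b), c: verdict(c) };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}
```

As the description notes, a check of this kind only sees paths that reach the `onLoad` hook; file access esbuild performs outside that hook is not covered.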

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Jan 15 '23 19:01 CLAassistant

@gregmagolan what are the next steps with this one?

alexeagle avatar Jul 14 '23 21:07 alexeagle

ping?

gonzojive avatar Aug 17 '23 05:08 gonzojive