You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: tighten securityPolicy section and note CWD path resolution
Trim the restricted-execution prose and add a note that DuckDB
resolves relative paths against the host process CWD, not Malloy's
workingDirectory, when sandboxed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: src/documentation/setup/config.malloynb
+6-8Lines changed: 6 additions & 8 deletions
Original file line number
Diff line number
Diff line change
@@ -85,17 +85,15 @@ malloy-config-local.json
85
85
86
86
#### Restricted execution
87
87
88
-
For untrusted code, Malloy offers a single `securityPolicy` property with three levels:
88
+
`securityPolicy` has three levels:
89
89
90
-
- `"none"` — no security policy applied. Ordinary DuckDB behavior. This is the default.
91
-
- `"local"` — no network access. DuckDB cannot reach the network, but local filesystem access is not sandboxed to specific directories. Appropriate when the host already provides filesystem isolation (e.g. a container boundary).
92
-
- `"sandboxed"` — no network access AND filesystem confined to `allowedDirectories` (defaults to `workingDirectory`). The reviewed strict recipe for untrusted Malloy. POSIX only.
90
+
- `"none"` — default. Ordinary DuckDB behavior.
91
+
- `"local"` — disables network access.
92
+
- `"sandboxed"` — `"local"` plus a DuckDB directory allowlist (`allowedDirectories`, defaulting to `workingDirectory`). POSIX only.
93
93
94
94
Both `"local"` and `"sandboxed"` force `enableExternalAccess=false`, block `httpfs` and `INSTALL`, reject remote `databasePath` and `motherDuckToken`, lock configuration, and encrypt temp files. `"sandboxed"` additionally enforces directory containment and derives a safe `tempDirectory` inside the sandbox.
95
95
96
-
DuckDB's `enable_external_access` is a single toggle that gates both filesystem reach and network reach. `allowed_directories` only takes effect when external access is disabled. This is why `securityPolicy` is a single axis — the underlying DuckDB mechanism does not support independent filesystem and network control.
97
-
98
-
The reviewed strict recipe:
96
+
Under `"sandboxed"`, DuckDB resolves relative file paths against the host process working directory (`getcwd()`), not against Malloy's `workingDirectory`. Relative-path reads only succeed when the process CWD is inside an allowed directory.
99
97
100
98
```json
101
99
{
@@ -110,7 +108,7 @@ The reviewed strict recipe:
110
108
}
111
109
```
112
110
113
-
Policies set a floor, not a ceiling. `allowedDirectories` and `tempDirectory` can be set explicitly to customize the sandbox. Other policy-controlled settings accept matching values but reject weaker ones — connection creation fails closed. `setupSQL`, `additionalExtensions`, `motherDuckToken`, and remote `databasePath` are incompatible with any restricted policy; to use them, keep `securityPolicy` at `"none"` and configure DuckDB directly. Policies do not set resource limits — configure `threads`, `memoryLimit`, timeouts, and host quotas separately.
111
+
Policies set a floor, not a ceiling. `allowedDirectories` and `tempDirectory` can be set explicitly. Other policy-controlled settings accept matching values but reject weaker ones — connection creation fails closed. `setupSQL`, `additionalExtensions`, `motherDuckToken`, and remote `databasePath` are incompatible with any restricted policy. Policies do not set resource limits — configure `threads`, `memoryLimit`, and timeouts separately.
0 commit comments