docs: tighten securityPolicy section and note CWD path resolution (#308)
Trim the restricted-execution prose and add a note that DuckDB
resolves relative paths against the host process CWD, not Malloy's
workingDirectory, when sandboxed.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
src/documentation/setup/config.malloynb
Lines changed: 6 additions & 8 deletions
@@ -86,17 +86,15 @@ malloy-config-local.json
86
86
87
87
#### Restricted execution
88
88
89
-
For untrusted code, Malloy offers a single `securityPolicy` property with three levels:
89
+
`securityPolicy` has three levels:
90
90
91
-
- `"none"` — no security policy applied. Ordinary DuckDB behavior. This is the default.
92
-
- `"local"` — no network access. DuckDB cannot reach the network, but local filesystem access is not sandboxed to specific directories. Appropriate when the host already provides filesystem isolation (e.g. a container boundary).
93
-
- `"sandboxed"` — no network access AND filesystem confined to `allowedDirectories` (defaults to `workingDirectory`). The reviewed strict recipe for untrusted Malloy. POSIX only.
91
+
- `"none"` — default. Ordinary DuckDB behavior.
92
+
- `"local"` — disables network access.
93
+
- `"sandboxed"` — `"local"` plus a DuckDB directory allowlist (`allowedDirectories`, defaulting to `workingDirectory`). POSIX only.
94
94
95
95
Both `"local"` and `"sandboxed"` force `enableExternalAccess=false`, block `httpfs` and `INSTALL`, reject remote `databasePath` and `motherDuckToken`, lock configuration, and encrypt temp files. `"sandboxed"` additionally enforces directory containment and derives a safe `tempDirectory` inside the sandbox.
96
96
97
-
DuckDB's `enable_external_access` is a single toggle that gates both filesystem reach and network reach. `allowed_directories` only takes effect when external access is disabled. This is why `securityPolicy` is a single axis — the underlying DuckDB mechanism does not support independent filesystem and network control.
98
-
99
-
The reviewed strict recipe:
97
+
Under `"sandboxed"`, DuckDB resolves relative file paths against the host process working directory (`getcwd()`), not against Malloy's `workingDirectory`. Relative-path reads only succeed when the process CWD is inside an allowed directory.
100
98
101
99
```json
102
100
{
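Review bot: The new `"local"` bullet ("disables network access.") drops the caveat from the removed line that local filesystem access is not sandboxed to specific directories, so the list no longer tells a reader that `"local"` leaves the filesystem open and is meant for hosts that already provide isolation (e.g. a container boundary). Suggest keeping a short clause such as "disables network access; local filesystem access is not confined." Likewise, the `"sandboxed"` bullet no longer says it is the level intended for untrusted Malloy. Separately, with "The reviewed strict recipe:" deleted, the JSON block now follows the CWD paragraph with no lead-in and reads as if it illustrates relative-path resolution; a one-line introduction before the block would fix that. The new CWD note could also say what to do about it, for example use absolute paths or start the process inside an allowed directory.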
@@ -111,7 +109,7 @@ The reviewed strict recipe:
111
109
}
112
110
```
113
111
114
-
Policies set a floor, not a ceiling. `allowedDirectories` and `tempDirectory` can be set explicitly to customize the sandbox. Other policy-controlled settings accept matching values but reject weaker ones — connection creation fails closed. `setupSQL`, `additionalExtensions`, `motherDuckToken`, and remote `databasePath` are incompatible with any restricted policy; to use them, keep `securityPolicy` at `"none"` and configure DuckDB directly. Policies do not set resource limits — configure `threads`, `memoryLimit`, timeouts, and host quotas separately.
112
+
Policies set a floor, not a ceiling. `allowedDirectories` and `tempDirectory` can be set explicitly. Other policy-controlled settings accept matching values but reject weaker ones — connection creation fails closed. `setupSQL`, `additionalExtensions`, `motherDuckToken`, and remote `databasePath` are incompatible with any restricted policy. Policies do not set resource limits — configure `threads`, `memoryLimit`, and timeouts separately.
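Review bot: The rewritten paragraph still lists `setupSQL`, `additionalExtensions`, `motherDuckToken`, and remote `databasePath` as incompatible with any restricted policy, but it removes the only guidance on the alternative (keep `securityPolicy` at `"none"` and configure DuckDB directly), so a user who hits the fail-closed connection error has no documented way forward. Suggest keeping that clause. The last sentence also drops "host quotas" from the list of things to configure separately; since the policies set no resource limits, the pointer to host-level limits seems worth retaining unless its removal was deliberate.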