mirror of
https://github.com/AutoMaker-Org/automaker.git
synced 2026-01-31 06:42:03 +00:00
8ff4b5912a
This commit consolidates directory security from two environment variables (WORKSPACE_DIR, ALLOWED_PROJECT_DIRS) into a single ALLOWED_ROOT_DIRECTORY variable while maintaining backward compatibility. Changes: - Re-enabled path validation in security.ts (was previously disabled) - Implemented isPathAllowed() to check ALLOWED_ROOT_DIRECTORY with DATA_DIR exception - Added backward compatibility for legacy ALLOWED_PROJECT_DIRS and WORKSPACE_DIR - Implemented path traversal protection via isPathWithinDirectory() helper - Added PathNotAllowedError custom exception for security violations - Updated all FS route endpoints to validate paths and return 403 on violation - Updated template clone endpoint to validate project paths - Updated workspace config endpoints to use ALLOWED_ROOT_DIRECTORY - Fixed stat() response property access bug in project-init.ts - Updated security tests to expect actual validation behavior Security improvements: - Path validation now enforced at all layers (routes, project init, agent services) - appData directory (DATA_DIR) always allowed for settings/credentials - Backward compatible with existing ALLOWED_PROJECT_DIRS/WORKSPACE_DIR configurations - Protection against path traversal attacks Backend test results: 654/654 passing ✅ 🤖 Generated with Claude Code Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
63 lines
1.9 KiB
Plaintext
63 lines
1.9 KiB
Plaintext
# Automaker Server Configuration
|
|
# Copy this file to .env and configure your settings
|
|
|
|
# ============================================
|
|
# REQUIRED
|
|
# ============================================
|
|
|
|
# Your Anthropic API key for Claude models
|
|
ANTHROPIC_API_KEY=sk-ant-...
|
|
|
|
# ============================================
|
|
# OPTIONAL - Security
|
|
# ============================================
|
|
|
|
# API key for authenticating requests (leave empty to disable auth)
|
|
# If set, all API requests must include X-API-Key header
|
|
AUTOMAKER_API_KEY=
|
|
|
|
# Root directory for projects and file operations
|
|
# If set, users can only create/open projects and files within this directory
|
|
# Recommended for sandboxed deployments (Docker, restricted environments)
|
|
# Example: ALLOWED_ROOT_DIRECTORY=/projects
|
|
ALLOWED_ROOT_DIRECTORY=
|
|
|
|
# (Legacy) Restrict file operations to these directories (comma-separated)
|
|
# DEPRECATED: Use ALLOWED_ROOT_DIRECTORY instead for simpler configuration
|
|
# This is kept for backward compatibility
|
|
# ALLOWED_PROJECT_DIRS=/home/user/projects,/var/www
|
|
|
|
# CORS origin - which domains can access the API
|
|
# Use "*" for development, set specific origin for production
|
|
CORS_ORIGIN=*
|
|
|
|
# ============================================
|
|
# OPTIONAL - Server
|
|
# ============================================
|
|
|
|
# Port to run the server on
|
|
PORT=3008
|
|
|
|
# Data directory for sessions and metadata
|
|
DATA_DIR=./data
|
|
|
|
# ============================================
|
|
# OPTIONAL - Additional AI Providers
|
|
# ============================================
|
|
|
|
# Google API key (for future Gemini support)
|
|
GOOGLE_API_KEY=
|
|
|
|
# ============================================
|
|
# OPTIONAL - Terminal Access
|
|
# ============================================
|
|
|
|
# Enable/disable terminal access (default: true)
|
|
TERMINAL_ENABLED=true
|
|
|
|
# Password to protect terminal access (leave empty for no password)
|
|
# If set, users must enter this password before accessing terminal
|
|
TERMINAL_PASSWORD=
|
|
|
|
ENABLE_REQUEST_LOGGING=false
|