mirror of
https://github.com/AutoMaker-Org/automaker.git
synced 2026-01-30 22:32:04 +00:00
This commit consolidates directory security from two environment variables (WORKSPACE_DIR, ALLOWED_PROJECT_DIRS) into a single ALLOWED_ROOT_DIRECTORY variable while maintaining backward compatibility.

Changes:
- Re-enabled path validation in security.ts (was previously disabled)
- Implemented isPathAllowed() to check ALLOWED_ROOT_DIRECTORY with DATA_DIR exception
- Added backward compatibility for legacy ALLOWED_PROJECT_DIRS and WORKSPACE_DIR
- Implemented path traversal protection via isPathWithinDirectory() helper
- Added PathNotAllowedError custom exception for security violations
- Updated all FS route endpoints to validate paths and return 403 on violation
- Updated template clone endpoint to validate project paths
- Updated workspace config endpoints to use ALLOWED_ROOT_DIRECTORY
- Fixed stat() response property access bug in project-init.ts
- Updated security tests to expect actual validation behavior

Security improvements:
- Path validation now enforced at all layers (routes, project init, agent services)
- appData directory (DATA_DIR) always allowed for settings/credentials
- Backward compatible with existing ALLOWED_PROJECT_DIRS/WORKSPACE_DIR configurations
- Protection against path traversal attacks

Backend test results: 654/654 passing ✅

🤖 Generated with Claude Code

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
# Automaker Docker Compose
# Runs Automaker in complete isolation from your host filesystem.
# The container cannot access any files on your laptop - only Docker-managed volumes.
#
# Scope of that isolation: it covers the host FILESYSTEM only. Both services
# below publish a TCP port on the host, so they remain reachable over the
# network (see the notes on each `ports:` entry).
#
# Usage:
#   docker-compose up -d
#   Then open http://localhost:3007
#
# See docs/docker-isolation.md for full documentation.

services:
  # Frontend UI
  ui:
    build:
      context: .
      dockerfile: apps/ui/Dockerfile
    container_name: automaker-ui
    restart: unless-stopped
    ports:
      # Host port 3007 -> container port 80. No host IP is given, so by
      # default Docker publishes this on every host interface, not only
      # on localhost.
      # NOTE(review): if the UI is only used from this machine, the
      # loopback form "127.0.0.1:3007:80" keeps it off the LAN - confirm
      # nobody relies on remote access before changing it.
      - "3007:80"
    depends_on:
      - server

  # Backend API Server
  server:
    build:
      context: .
      dockerfile: apps/server/Dockerfile
    container_name: automaker-server
    restart: unless-stopped
    ports:
      # Host port 3008 -> container port 3008, published on every host
      # interface by default (no host IP given).
      # NOTE(review): with the defaults in this file the API has
      # authentication disabled (AUTOMAKER_API_KEY is empty) and accepts
      # any CORS origin (CORS_ORIGIN is "*"). Either set AUTOMAKER_API_KEY
      # or restrict the binding ("127.0.0.1:3008:3008") before running
      # this on a shared or untrusted network.
      - "3008:3008"
    environment:
      # Required
      # Taken from the host environment or a .env file. If it is unset,
      # Compose substitutes an empty string and only prints a warning.
      # NOTE(review): "${ANTHROPIC_API_KEY:?message}" would make `up`
      # fail instead - confirm the key is required in every setup.
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}

      # Optional - authentication (leave empty to disable)
      # The default here is empty, so authentication is OFF unless the
      # variable is set on the host.
      - AUTOMAKER_API_KEY=${AUTOMAKER_API_KEY:-}

      # Optional - restrict to specific directory within container only
      # Projects and files can only be created/accessed within this directory
      # Paths are INSIDE the container, not on your host
      # Default: /projects
      # NOTE(review): per the accompanying commit description, DATA_DIR
      # stays allowed in addition to this root. No volume is mounted at
      # /projects in this file, so whether projects survive container
      # re-creation depends on the Dockerfile - verify.
      - ALLOWED_ROOT_DIRECTORY=${ALLOWED_ROOT_DIRECTORY:-/projects}

      # Optional - data directory for sessions, settings, etc. (container-only)
      # Backed by the automaker-data named volume mounted below.
      - DATA_DIR=/data

      # Optional - CORS origin (default allows all)
      # NOTE(review): presumably used as the allowed origin for browser
      # requests to the API. Prefer the UI origin (for the defaults above:
      # http://localhost:3007) over the "*" default whenever port 3008 is
      # reachable from other machines - confirm against the server code.
      - CORS_ORIGIN=${CORS_ORIGIN:-*}

      # Optional - additional API keys
      # Empty when unset on the host.
      - OPENAI_API_KEY=${OPENAI_API_KEY:-}
      - GOOGLE_API_KEY=${GOOGLE_API_KEY:-}
    volumes:
      # ONLY named volumes - these are isolated from your host filesystem
      # This volume persists data between restarts but is container-managed
      - automaker-data:/data

      # NO host directory mounts - container cannot access your laptop files
      # If you need to work on a project, create it INSIDE the container
      # or use a separate docker-compose override file

    # Security: Server runs as non-root user (already set in Dockerfile)
    # Security: No privileged mode
    # Security: No host network mode (network_mode: host is not set);
    #           the ports published above are still reachable
    # Security: No host filesystem mounts

volumes:
  automaker-data:
    name: automaker-data
    # Named volume - completely isolated from host filesystem