jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
8cf00cd1a6a93fe85ce26a0ece9d2697d45a89f0
danbooru/config/environments/development.rb
evazion 8cf00cd1a6 Add sandbox for running untrusted code. 
Add a Sandbox class for running untrusted external programs like ffmpeg
or exiftool inside a sandbox. This uses Linux namespaces to run the
process in an isolated container, much like a Docker container. Unlike a
Docker container, we can use it to sandbox programs when Danbooru itself
is already running inside a Docker container.

This is also more restrictive than Docker in several ways:

* It has a system call filter that is more restrictive and more
  customizable than Docker's filter by default. Even if the process
  breaks out of the container, the syscall filter will limit what it can
  do, even if it escalates to root.
* It blocks the use of setuid binaries, so the process can't use things
  like sudo to escalate to root inside the sandbox.
* It blocks all network access inside the sandbox by default.
* All files in the container are read-only by default. The sandboxed
  process can only communicate by writing to stdout.

See app/logical/sandbox.rb for more details.

This isn't actually enabled yet. It will be rolled out progressively to
ensure it doesn't break things.
2021-11-13 05:25:10 -06:00

78 lines
2.8 KiB
Ruby
Raw Blame History

require "active_support/core_ext/integer/time"
Rails.application.configure do
# Settings specified here will take precedence over those in config/application.rb.
# In the development environment your application's code is reloaded any time
# it changes. This slows down response time but is perfect for development
# since you don't have to restart the web server when you make code changes.
config.cache_classes = false
# Do not eager load code on boot.
config.eager_load = false
# Show full error reports.
config.consider_all_requests_local = true
# Enable/disable caching. By default caching is disabled.
# Run rails dev:cache to toggle caching.
if Rails.root.join('tmp', 'caching-dev.txt').exist?
config.action_controller.perform_caching = true
config.action_controller.enable_fragment_cache_logging = true
config.cache_store = :memory_store
config.public_file_server.headers = {
'Cache-Control' => "public, max-age=#{2.days.to_i}"
}
else
config.action_controller.perform_caching = false
config.cache_store = :null_store
end
# Don't care if the mailer can't send.
config.action_mailer.raise_delivery_errors = false
config.action_mailer.perform_caching = false
# Print deprecation notices to the Rails logger.
config.active_support.deprecation = :log
# Raise exceptions for disallowed deprecations.
config.active_support.disallowed_deprecation = :raise
# Tell Active Support which deprecation messages to disallow.
config.active_support.disallowed_deprecation_warnings = []
# Raise an error on page load if there are pending migrations.
config.active_record.migration_error = :page_load
# Highlight code that triggered database queries in logs.
config.active_record.verbose_query_logs = true
# Raises error for missing translations.
# config.i18n.raise_on_missing_translations = true
# Annotate rendered view with file names.
# config.action_view.annotate_rendered_view_with_filenames = true
# Use an evented file watcher to asynchronously detect changes in source code,
# routes, locales, etc. This feature depends on the listen gem.
config.file_watcher = ActiveSupport::EventedFileUpdateChecker unless Danbooru.config.debug_mode
# Uncomment if you wish to allow Action Cable access from any origin.
# config.action_cable.disable_request_forgery_protection = true
logger = ActiveSupport::Logger.new(STDERR)
logger.formatter = config.log_formatter
config.logger = ActiveSupport::TaggedLogging.new(logger)
BetterErrors::Middleware.allow_ip!(IPAddr.new("0.0.0.0/0"))
BetterErrors::Middleware.allow_ip!(IPAddr.new("::/0"))
# https://bigbinary.com/blog/rails-6-adds-guard-against-dns-rebinding-attacks
# hxxps://github.com/rails/rails/pull/33145
config.hosts += [".ngrok.io", ".lvh.me", ".xip.io", ".nip.io", Danbooru.config.hostname]
end
Reference in New Issue View Git Blame Copy Permalink