jfraeysd/fetch_ml
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
fetch_ml/internal/worker
History
Jeremie Fraeys 9434f4c8e6
feat(security): Artifact ingestion caps enforcement 
Add MaxArtifactFiles and MaxArtifactTotalBytes to SandboxConfig:
- Default MaxArtifactFiles: 10,000 (configurable via SecurityDefaults)
- Default MaxArtifactTotalBytes: 100GB (configurable via SecurityDefaults)
- ApplySecurityDefaults() sets defaults if not specified

Enforce caps in scanArtifacts() during directory walk:
- Returns error immediately when MaxArtifactFiles exceeded
- Returns error immediately when MaxArtifactTotalBytes exceeded
- Prevents resource exhaustion attacks from malicious artifact trees

Update all call sites to pass SandboxConfig for cap enforcement:
- Native bridge libs updated to pass caps argument
- Benchmark tests updated with nil caps (unlimited for benchmarks)
- Unit tests updated with nil caps

Closes: artifact ingestion caps items from security plan
2026-02-23 19:43:28 -05:00
..
errors refactor(api): internal refactoring for TUI and worker modules 2026-02-20 15:51:23 -05:00
execution feat: Worker sandboxing and security configuration 2026-02-18 21:27:59 -05:00
executor feat(security): implement comprehensive security hardening phases 1-5,7 2026-02-23 18:00:33 -05:00
integrity feat: add manifest signing and native hashing support 2026-02-19 15:34:39 -05:00
interfaces refactor: Phase 1 - Extract worker interfaces 2026-02-17 14:10:03 -05:00
lifecycle refactor(api): internal refactoring for TUI and worker modules 2026-02-20 15:51:23 -05:00
artifacts.go feat(security): Artifact ingestion caps enforcement 2026-02-23 19:43:28 -05:00
config.go feat(security): HIPAA compliance mode and PHI denylist validation 2026-02-23 19:43:19 -05:00
factory.go refactor(worker): update worker tests and native bridge 2026-02-23 18:04:22 -05:00
gpu_detector.go feat: GPU detection transparency and artifact scanner improvements 2026-02-23 12:29:34 -05:00
gpu_macos.go feat: GPU detection transparency and artifact scanner improvements 2026-02-23 12:29:34 -05:00
gpu_macos_stub.go feat: native GPU detection and NVML bridge for macOS and Linux 2026-02-21 17:59:59 -05:00
gpu_nvml_native.go feat: native GPU detection and NVML bridge for macOS and Linux 2026-02-21 17:59:59 -05:00
gpu_nvml_stub.go feat: native GPU detection and NVML bridge for macOS and Linux 2026-02-21 17:59:59 -05:00
native_bridge.go refactor(worker): update worker tests and native bridge 2026-02-23 18:04:22 -05:00
native_bridge_libs.go feat(security): Artifact ingestion caps enforcement 2026-02-23 19:43:28 -05:00
native_bridge_nocgo.go refactor(worker): update worker tests and native bridge 2026-02-23 18:04:22 -05:00
snapshot_store.go refactor(worker): update worker tests and native bridge 2026-02-23 18:04:22 -05:00
worker.go refactor(worker): update worker tests and native bridge 2026-02-23 18:04:22 -05:00