https://github.com/thevilledev/safesonnet
Secure Jsonnet importer for google/go-jsonnet
- Host: GitHub
- URL: https://github.com/thevilledev/safesonnet
- Owner: thevilledev
- License: mit
- Created: 2025-02-11T19:35:32.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2025-04-13T17:30:54.000Z (6 months ago)
- Last Synced: 2025-05-08T20:12:26.722Z (5 months ago)
- Topics: go, go124, jsonnet
- Language: Go
- Homepage:
- Size: 29.3 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# SafeSonnet

SafeSonnet is a secure file importer for [google/go-jsonnet](https://github.com/google/go-jsonnet) that restricts file imports to a specific directory using [Go 1.24's new `os.Root` functionality](https://tip.golang.org/doc/go1.24#directory-limited-filesystem-access). This helps prevent path traversal attacks and ensures that Jsonnet imports can only access files within a designated directory.
## Installation
```bash
go get github.com/thevilledev/safesonnet
```

Requires Go 1.24.
## Usage
See [example](example/) directory for a complete working example.
Basic usage:
```go
importer, err := safesonnet.NewSafeImporter("jsonnet", []string{
	filepath.Join("jsonnet", "lib"), // Library path relative to workspace
})
if err != nil {
	log.Fatal(err)
}
// Close is required to release the os.Root file descriptor
defer importer.Close()

vm := jsonnet.MakeVM()
vm.Importer(importer)
```

Note: Unlike `jsonnet.FileImporter`, `SafeImporter` requires calling `Close()` to release the underlying `os.Root` file descriptor. Always use `defer importer.Close()` after creating the importer.
## Security
SafeSonnet uses Go 1.24's `os.Root` functionality to ensure that file access is restricted to the specified directory tree. This means:
- No access to files outside the specified root directory
- No following of symbolic links that point outside the root
- No absolute path traversal
- No relative path traversal (e.g., using `../`)
- Library paths (JPaths) must be within the root directory

## License
MIT License - see [LICENSE](LICENSE) file for full details.
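
The containment rules listed in the Security section can be observed directly with the standard library's `os.Root`. The following is an added example, not code from the SafeSonnet repository: it builds a constructed temp directory and reports which import-style paths `os.Root` opens and which it refuses. The file names and the `probeRoot` helper are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// probeRoot (hypothetical helper) reports which paths an os.Root on <tmp>/jsonnet will open.
func probeRoot() (map[string]bool, error) {
	base, err := os.MkdirTemp("", "rootdemo") // constructed sample layout
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(base)
	rootDir := filepath.Join(base, "jsonnet")
	secret := filepath.Join(base, "secret.txt") // lives outside the root
	err = errors.Join(
		os.MkdirAll(filepath.Join(rootDir, "lib"), 0o755),
		os.WriteFile(secret, []byte("outside"), 0o600),
		os.WriteFile(filepath.Join(rootDir, "lib", "util.libsonnet"), []byte("{}"), 0o644),
		os.Symlink(secret, filepath.Join(rootDir, "leak.libsonnet")), // link escaping the root
	)
	if err != nil {
		return nil, err
	}
	root, err := os.OpenRoot(rootDir)
	if err != nil {
		return nil, err
	}
	defer root.Close() // releases the directory file descriptor
	cases := map[string]string{
		"inside":   "lib/util.libsonnet",
		"dotdot":   "../secret.txt",
		"absolute": secret,
		"symlink":  "leak.libsonnet",
	}
	allowed := map[string]bool{}
	for name, p := range cases {
		f, err := root.Open(p)
		if err == nil {
			f.Close()
		}
		allowed[name] = err == nil
	}
	return allowed, nil
}

func main() { fmt.Println(probeRoot()) }
```

Only the `inside` case opens; the other three return an error from `root.Open` instead of reading `secret.txt`.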