Refactor installation and runner scripts for enhanced usability and security

- Updated the installation script to clarify that production wrappers do not include fixed test secrets, improving user guidance for local testing.
- Modified the jiggablend-manager and jiggablend-runner scripts to remove fixed test configurations, emphasizing the use of local test credentials via `make init-test`.
- Enhanced error handling in the runner script to ensure that an API key is provided, improving security and user feedback.
- Added new flags and options for the runner, including sandboxing capabilities and GPU ray tracing control, enhancing flexibility for users.
- Improved README documentation to reflect changes in usage and configuration, ensuring users have clear instructions for setup and execution.
This commit is contained in:
2026-07-12 10:01:15 -05:00
parent a3defe5cf6
commit 1a69fcfd04
47 changed files with 2718 additions and 402 deletions
+14
View File
@@ -128,6 +128,20 @@ func ExtractTarStripPrefix(reader io.Reader, destDir string) error {
if err := os.MkdirAll(filepath.Dir(targetPath), 0755); err != nil {
return err
}
// Reject absolute or escaping symlink targets so extraction cannot
// plant links that point outside destDir.
linkTarget := header.Linkname
if linkTarget == "" {
return fmt.Errorf("invalid empty symlink target in tar: %s", header.Name)
}
if filepath.IsAbs(linkTarget) {
return fmt.Errorf("absolute symlink target not allowed in tar: %s -> %s", header.Name, linkTarget)
}
resolvedLink := filepath.Clean(filepath.Join(filepath.Dir(targetPath), linkTarget))
cleanDest := filepath.Clean(destDir)
if resolvedLink != cleanDest && !strings.HasPrefix(resolvedLink, cleanDest+string(os.PathSeparator)) {
return fmt.Errorf("symlink target escapes extract root: %s -> %s", header.Name, linkTarget)
}
os.Remove(targetPath) // Remove existing symlink if present
if err := os.Symlink(header.Linkname, targetPath); err != nil {
return err