Skip to content

pluginlab@0.2.0

Choose a tag to compare

View all tags
@topheman topheman released this 11 Jul 15:12
· 131 commits to master since this release
pluginlab@0.2.0
9875613

🔧 pluginlab crate

🔒 Enhanced Security Model with Permission System

  • Added comprehensive permission system for WebAssembly plugin sandboxing
  • New CLI flags for fine-grained control over plugin permissions:
    • --allow-net [<DOMAINS>]: Control network access
    • --allow-read: Allow filesystem read access
    • --allow-write: Allow filesystem write access
    • --allow-all / -A: Allow all permissions (shorthand)
  • Plugins are now sandboxed by default - no filesystem or network access unless explicitly permitted
  • Network permissions are checked before any network calls are made
  • File system permissions are enforced through preopens with appropriate read/write flags

🧪 Testing & Quality

  • Added comprehensive tests for permission system edge cases
  • Fixed failing tests for ls and cat plugins to include required --allow-read flag
  • Added test coverage for permission validation scenarios including network access control and filesystem permission enforcement

⚠️ Breaking Changes

  • Existing plugins that access filesystem now require --allow-read flag
  • Network-enabled plugins now require --allow-net flag
  • Use --allow-all to maintain previous behavior for all plugins

🌐 web-host

🛠️ Build Tools

  • Added prepareFilesystem.ts CLI script to prepare a virtual filesytem based on /fixtures/filesystem folder
  • Expose the virtual filesystme to plugins through the @bytecodealliance/preview2-shim/filesystem shim

🎯 Migration Guide

To upgrade from v0.1.0 to v0.2.0 for the CLI host pluginlab:

  1. For existing scripts: Add --allow-all flag to maintain current behavior
  2. For security-conscious usage: Use specific permission flags:
    • --allow-read allows read access to the filesystem
    • --allow-net allows network access to the plugins, you can specify a list of domains comma separated (by default, no network access is allowed)
    • --allow-write allows write access to the filesystem

Example Usage

# Allow all permissions (v0.1.0 behavior)
pluginlab --repl-logic <url> --plugins <urls> --allow-all

# Granular permissions
pluginlab --repl-logic <url> --plugins <urls> --allow-read --allow-net google.com,api.weatherapi.com

This release significantly enhances the security model while maintaining backward compatibility through the --allow-all flag. The permission system provides fine-grained control over plugin capabilities, making pluginlab suitable for running untrusted WebAssembly plugins safely.

📋 View changes between v0.1.0 and v0.2.0

Assets 2
Loading