playground/docker-claude
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(security): block mounting home and system directories as workspace

Browse source
This commit is contained in:
docker-claude 2026-04-15 08:40:50 +02:00
parent 3401fa38a5
commit 65ac4c7011
1 changed files with 37 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

38
claude.sh
View file

@ -44,8 +44,44 @@ load_env() {
# ─── Workspace volume resolution ────────────────────────────────────────────── # ─── Workspace volume resolution ──────────────────────────────────────────────
# Mounts the current working directory as /workspace inside the container. # Mounts the current working directory as /workspace inside the container.
# Refuses to mount the home directory or system directories.
workspace_flag() { workspace_flag() {
echo "--volume $(pwd):/workspace:z" local cwd
cwd="$(pwd)"
# Exact-match blocklist — mounting these exposes too much of the host
local -a exact_blocked=(
/
"$HOME"
/root
/home
)
# Prefix blocklist — these and any subdirectory are system internals
local -a prefix_blocked=(
/bin /sbin /lib /lib64
/etc /usr /var
/proc /sys /dev
/boot /run
)
for dir in "${exact_blocked[@]}"; do
if [[ "$cwd" == "$dir" ]]; then
error "Refusing to mount $cwd as workspace — too broad."
error "cd into a project subdirectory first."
exit 1
fi
done
for dir in "${prefix_blocked[@]}"; do
if [[ "$cwd" == "$dir" || "$cwd" == "$dir/"* ]]; then
error "Refusing to mount $cwd as workspace — system directory."
error "cd into a project subdirectory first."
exit 1
fi
done
echo "--volume ${cwd}:/workspace:z"
} }
# ─── Compose wrapper ────────────────────────────────────────────────────────── # ─── Compose wrapper ──────────────────────────────────────────────────────────