No 'forbidden switches' (#5736)

~0.5Y ago I tried to raise a local CE instance to experiment with an in-house clang plugin. This eventually succeeded but only after much grief and eventually an [advice from partouf](https://discord.com/channels/763778740345765900/764131312117743656/1108408691746680842). The conjecture raised at that Discord thread was that the `optionsForbiddenRe` property was devised circa 2015 to block plugin usage (and others) as these were considered an attack surface. If that is the case - this is no longer true since using nsjail.
compiler-explorer · Nov 12, 2023 · 3ca11cd · 3ca11cd
1 parent 3aa044a
commit 3ca11cd
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/etc/config/compiler-explorer.defaults.properties b/etc/config/compiler-explorer.defaults.properties
@@ -10,7 +10,10 @@ staticMaxAgeSecs=1
 maxUploadSize=16mb
 supportsExecute=true
 optionsAllowedRe=.*
-optionsForbiddenRe=^(-W[alp],)?((--?(wrapper|fplugin.*|specs|load|plugin|include|fmodule-mapper)|(@.*)|-I|-i)(=.*)?|--)$
+
+# For local instances, you can use optionsForbiddenRe for extra hardening - preventing clang plugins etc. Today the live site uses nsjail instead.
+# optionsForbiddenRe=^(-W[alp],)?((--?(wrapper|fplugin.*|specs|load|plugin|include|fmodule-mapper)|(@.*)|-I|-i)(=.*)?|--)$
+
 allowedShortUrlHostRe=^([-a-z.]+\.)?(xania|godbolt)\.org$
 googleShortLinkRewrite=^https?://goo.gl/(.*)$|https://godbolt.org/g/$1
 urlShortenService=default