Thank you for the reply etamponi!
Some more things from looking around a glitch:
The git username and email use the name System and no email is provided, so that seems to not reveal anything private.
The .bash_history file does exist if you use the web console interface, so that’s something to be aware of.
Other than that it looks pretty good as far as I can tell.
It would be nice to be able to turn on or off exposing the PROJECT_INVITE_TOKEN in a setting outside the container. Should I make a separate post as a feature request for that?
Sounds like the best approach for having users play with the example that can end up running arbitrary code is:
- Don’t host a Glitch instance for users to target directly on my account.
- In the GitHub project, encourage users to Remix on Glitch from GitHub
- Suggest that users delete the Glitch when they are done experimenting
This seems like another good use case for having an anonymous glitch remix like mentioned here: Show logs without remixing