api: harden runaway code

Thomas Hobson 2021-02-21 21:36:49 +13:00
parent 8727a545c6
commit 514006058b
No known key found for this signature in database
GPG Key ID: 9F1FD9D87950DB6F
1 changed files with 25 additions and 10 deletions


@ -73,9 +73,10 @@ class Job {
logger.info(`Executing job uuid=${this.uuid} uid=${this.uid} gid=${this.gid} runtime=${this.runtime.toString()}`); logger.info(`Executing job uuid=${this.uuid} uid=${this.uid} gid=${this.gid} runtime=${this.runtime.toString()}`);
logger.debug('Compiling'); logger.debug('Compiling');
const compile = this.runtime.compiled && await new Promise((resolve, reject) => { const compile = this.runtime.compiled && await new Promise((resolve, reject) => {
const proc_call = ['unshare', '-n', '-r', 'bash', path.join(this.runtime.pkgdir, 'compile'),this.main, ...this.files].slice(!config.enable_unshare * 3)
var stdout = ''; var stdout = '';
var stderr = ''; var stderr = '';
const proc = cp.spawn('unshare', ['-n', 'bash', path.join(this.runtime.pkgdir, 'compile'),this.main, ...this.files] ,{ const proc = cp.spawn(proc_call[0], proc_call.splice(1) ,{
env: this.runtime.env_vars, env: this.runtime.env_vars,
stdio: ['pipe', 'pipe', 'pipe'], stdio: ['pipe', 'pipe', 'pipe'],
cwd: this.dir, cwd: this.dir,
@ -83,18 +84,24 @@ class Job {
gid: this.gid gid: this.gid
}); });
const kill_timeout = setTimeout(proc.kill, this.timeouts.compile, 'SIGKILL'); const kill_timeout = setTimeout(_ => proc.kill('SIGKILL'), this.timeouts.compile);
proc.stderr.on('data', d=>stderr += d); proc.stderr.on('data', d=>{if(stderr.length>config.output_max_size) proc.kill('SIGKILL'); else stderr += d;});
proc.stdout.on('data', d=>stdout += d); proc.stdout.on('data', d=>{if(stdout.length>config.output_max_size) proc.kill('SIGKILL'); else stdout += d;});
proc.on('exit', (code, signal)=>{ proc.on('exit', (code, signal)=>{
clearTimeout(kill_timeout); clearTimeout(kill_timeout);
proc.stderr.destroy()
proc.stdout.destroy()
resolve({stdout, stderr, code, signal}); resolve({stdout, stderr, code, signal});
}); });
proc.on('error', (err) => { proc.on('error', (err) => {
clearTimeout(kill_timeout); clearTimeout(kill_timeout);
proc.stderr.destroy()
proc.stdout.destroy()
reject({error: err, stdout, stderr}); reject({error: err, stdout, stderr});
}); });
}); });
@ -102,9 +109,10 @@ class Job {
logger.debug('Running'); logger.debug('Running');
const run = await new Promise((resolve, reject) => { const run = await new Promise((resolve, reject) => {
const proc_call = ['unshare', '-n', '-r', 'bash', path.join(this.runtime.pkgdir, 'run'), this.main, ...this.args].slice(!config.enable_unshare * 3);
var stdout = ''; var stdout = '';
var stderr = ''; var stderr = '';
const proc = cp.spawn('unshare', ['-n', 'bash', path.join(this.runtime.pkgdir, 'run'),this.main, ...this.args] ,{ const proc = cp.spawn(proc_call[0], proc_call.slice(1) ,{
env: this.runtime.env_vars, env: this.runtime.env_vars,
stdio: ['pipe', 'pipe', 'pipe'], stdio: ['pipe', 'pipe', 'pipe'],
cwd: this.dir, cwd: this.dir,
@ -112,18 +120,25 @@ class Job {
gid: this.gid gid: this.gid
}); });
const kill_timeout = setTimeout(proc.kill, this.timeouts.run, 'SIGKILL'); const kill_timeout = setTimeout(_ => proc.kill('SIGKILL'), this.timeouts.run);
proc.stderr.on('data', d=>stderr += d); proc.stderr.on('data', d=>{if(stderr.length>config.output_max_size) proc.kill('SIGKILL'); else stderr += d;});
proc.stdout.on('data', d=>stdout += d); proc.stdout.on('data', d=>{if(stdout.length>config.output_max_size) proc.kill('SIGKILL'); else stdout += d;});
proc.stdin.write(this.stdin)
proc.stdin.end()
proc.on('exit', (code, signal)=>{ proc.on('exit', (code, signal)=>{
clearTimeout(kill_timeout); clearTimeout(kill_timeout);
proc.stderr.destroy()
proc.stdout.destroy()
resolve({stdout, stderr, code, signal}); resolve({stdout, stderr, code, signal});
}); });
proc.on('error', (err) => { proc.on('error', (err) => {
clearTimeout(kill_timeout); clearTimeout(kill_timeout);
proc.stderr.destroy()
proc.stdout.destroy()
reject({error: err, stdout, stderr}); reject({error: err, stdout, stderr});
}); });
}); });
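Review bot: The new `proc.kill('SIGKILL')` calls in the timeout and output-cap handlers signal only the spawned `unshare`/`bash` pid, so whatever the `compile` or `run` script starts as a child process is presumably left running after the job's promise settles; the scripts are not shown here, so this depends on whether they `exec` the program. This applies to both the compile and the run hunks. Spawning with `detached: true` and killing the group with `process.kill(-proc.pid, 'SIGKILL')` would take the descendants down too, and a sweep of leftover processes owned by the job's `uid` after exit would be a stronger backstop. The enclosing Job method begins and ends outside the visible hunks.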