From 65cbefa94e0bcc53103dffdc04ed765e0be502ae Mon Sep 17 00:00:00 2001
From: Victor Frazao <31864869+vfrazao-ns1@users.noreply.github.com>
Date: Tue, 27 Apr 2021 19:02:17 -0400
Subject: [PATCH 01/11] pkg(gcc-10.2.0): Adds Fortran support for GCC (#236)
---
 packages/gcc/10.2.0/build.sh | 2 +-
 packages/gcc/10.2.0/compile | 4 ++++
 packages/gcc/10.2.0/environment | 1 +
 packages/gcc/10.2.0/metadata.json | 4 ++++
 packages/gcc/10.2.0/test.f90 | 3 +++
 5 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 packages/gcc/10.2.0/test.f90
diff --git a/packages/gcc/10.2.0/build.sh b/packages/gcc/10.2.0/build.sh
index 0f4be80..0ed183a 100755
--- a/packages/gcc/10.2.0/build.sh
+++ b/packages/gcc/10.2.0/build.sh
@@ -17,7 +17,7 @@ tar xzf gcc.tar.gz --strip-components=1
 cd ../obj
 # === autoconf based ===
-../build/configure --prefix "$PREFIX" --enable-languages=c,c++,d --disable-multilib --disable-bootstrap
+../build/configure --prefix "$PREFIX" --enable-languages=c,c++,d,fortran --disable-multilib --disable-bootstrap
 make -j$(nproc)
 make install -j$(nproc)
diff --git a/packages/gcc/10.2.0/compile b/packages/gcc/10.2.0/compile
index b381537..a77ba35 100644
--- a/packages/gcc/10.2.0/compile
+++ b/packages/gcc/10.2.0/compile
@@ -16,6 +16,10 @@ case "${PISTON_LANGUAGE}" in
 rename 's/.code$/\.d/' "$@" # Add .d extension
 gdc *.d
 ;;
+ fortran)
+ rename 's/.code$/\.f90/' "$@" # Add .f90 extension
+ gfortran *.f90
+ ;;
 *)
 echo "How did you get here? (${PISTON_LANGUAGE})"
 exit 1
diff --git a/packages/gcc/10.2.0/environment b/packages/gcc/10.2.0/environment
index 780b668..a0b5a11 100644
--- a/packages/gcc/10.2.0/environment
+++ b/packages/gcc/10.2.0/environment
@@ -2,3 +2,4 @@
 # Put 'export' statements here for environment variables
 export PATH=$PWD/bin:$PATH
+export LD_LIBRARY_PATH="$PWD/lib:$PWD/lib64" # Need this to properly link Fortran
diff --git a/packages/gcc/10.2.0/metadata.json b/packages/gcc/10.2.0/metadata.json
index 800e652..f969bf5 100644
--- a/packages/gcc/10.2.0/metadata.json
+++ b/packages/gcc/10.2.0/metadata.json
@@ -13,6 +13,10 @@
 {
 "language": "d",
 "aliases": ["gdc"]
+ },
+ {
+ "language": "fortran",
+ "aliases": ["fortran", "f90"]
 }
 ]
 }
diff --git a/packages/gcc/10.2.0/test.f90 b/packages/gcc/10.2.0/test.f90
new file mode 100644
index 0000000..99fc062
--- /dev/null
+++ b/packages/gcc/10.2.0/test.f90
@@ -0,0 +1,3 @@
+program test
+ print "(a)", 'OK'
+end program test
From 3355ffafb2af4c7c387d707eae9837586a977c62 Mon Sep 17 00:00:00 2001
From: Victor Frazao <31864869+vfrazao-ns1@users.noreply.github.com>
Date: Tue, 27 Apr 2021 19:02:59 -0400
Subject: [PATCH 02/11] pkg(cobol-3.1.2): Adds cobol 3.1.2 (gnucobol) (#235)
---
 packages/cobol/3.1.2/build.sh | 20 ++++++++++++++++++++
 packages/cobol/3.1.2/compile | 4 ++++
 packages/cobol/3.1.2/environment | 5 +++++
 packages/cobol/3.1.2/metadata.json | 5 +++++
 packages/cobol/3.1.2/run | 5 +++++
 packages/cobol/3.1.2/test.cob | 8 ++++++++
 6 files changed, 47 insertions(+)
 create mode 100755 packages/cobol/3.1.2/build.sh
 create mode 100755 packages/cobol/3.1.2/compile
 create mode 100644 packages/cobol/3.1.2/environment
 create mode 100644 packages/cobol/3.1.2/metadata.json
 create mode 100755 packages/cobol/3.1.2/run
 create mode 100644 packages/cobol/3.1.2/test.cob
diff --git a/packages/cobol/3.1.2/build.sh b/packages/cobol/3.1.2/build.sh
new file mode 100755
index 0000000..1156fa8
--- /dev/null
+++ b/packages/cobol/3.1.2/build.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Put instructions to build your package in here
+PREFIX=$(realpath $(dirname $0))
+
+mkdir -p build
+
+cd build
+
+curl -OL "https://downloads.sourceforge.net/project/gnucobol/gnucobol/3.1/gnucobol-3.1.2.tar.xz"
+
+tar xf gnucobol-3.1.2.tar.xz --strip-components=1
+
+# === autoconf based ===
+./configure --prefix "$PREFIX" --without-db
+
+make -j$(nproc)
+make install -j$(nproc)
+cd ../
+rm -rf build
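Review bot: The new packages/cobol/3.1.2/build.sh unpacks and builds `gnucobol-3.1.2.tar.xz` straight after the download with no integrity check, so whatever the redirected SourceForge download returns is compiled into the package that later runs user jobs. Record the expected digest next to the URL and verify it before `tar`, e.g. `echo "<sha256-of-release-tarball>  gnucobol-3.1.2.tar.xz" | sha256sum -c - || exit 1` (placeholder digest, to be taken from the upstream release). The script also has no `set -e` and calls `curl` without `-f`, so a failed or error-page download falls through to `./configure` and `make`; `set -euo pipefail` at the top and `curl -fOL` would stop the build there. The same points apply to the `curl -L … -o lolcode.tar.gz` download that PATCH 04 adds to packages/lolcode/0.11.2/build.sh.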
diff --git a/packages/cobol/3.1.2/compile b/packages/cobol/3.1.2/compile
new file mode 100755
index 0000000..051eb75
--- /dev/null
+++ b/packages/cobol/3.1.2/compile
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+cobc -o binary --free -x -L lib "$@"
+chmod +x binary
+
diff --git a/packages/cobol/3.1.2/environment b/packages/cobol/3.1.2/environment
new file mode 100644
index 0000000..ca711d7
--- /dev/null
+++ b/packages/cobol/3.1.2/environment
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+export PATH=$PWD/bin:$PATH
+export LD_LIBRARY_PATH=$PWD/lib
+
diff --git a/packages/cobol/3.1.2/metadata.json b/packages/cobol/3.1.2/metadata.json
new file mode 100644
index 0000000..cf3e7e1
--- /dev/null
+++ b/packages/cobol/3.1.2/metadata.json
@@ -0,0 +1,5 @@
+{
+ "language": "cobol",
+ "version": "3.1.2",
+ "aliases": ["cob"]
+}
diff --git a/packages/cobol/3.1.2/run b/packages/cobol/3.1.2/run
new file mode 100755
index 0000000..9dcedfa
--- /dev/null
+++ b/packages/cobol/3.1.2/run
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+shift
+./binary "$@"
+
diff --git a/packages/cobol/3.1.2/test.cob b/packages/cobol/3.1.2/test.cob
new file mode 100644
index 0000000..1a03e66
--- /dev/null
+++ b/packages/cobol/3.1.2/test.cob
@@ -0,0 +1,8 @@
+*> Test Program
+identification division.
+program-id. ok-test.
+
+procedure division.
+display "OK"
+goback.
+end program ok-test.
From 08ea3b37402c3311ea52c649871a9fc28ec50dd1 Mon Sep 17 00:00:00 2001
From: Dan Vargas <10914883+dvargas46@users.noreply.github.com>
Date: Tue, 27 Apr 2021 18:03:33 -0500
Subject: [PATCH 03/11] pkg(lolcode-0.11.2): add dep for correct version (#234)
Co-authored-by: Vargas, Dan
---
 repo/Dockerfile | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/repo/Dockerfile b/repo/Dockerfile
index 90d6547..fb4a315 100644
--- a/repo/Dockerfile
+++ b/repo/Dockerfile
@@ -1,6 +1,13 @@
 FROM debian:buster-slim
 ENV DEBIAN_FRONTEND noninteractive
-RUN apt-get update && apt-get install -y unzip autoconf build-essential libssl-dev pkg-config zlib1g-dev libargon2-dev libsodium-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libonig-dev libxml2 libxml2-dev bc curl git linux-headers-amd64 perl xz-utils python3 python3-pip gnupg jq zlib1g-dev cmake cmake-doc extra-cmake-modules build-essential gcc binutils bash coreutils util-linux pciutils usbutils coreutils binutils findutils grep libncurses5-dev libncursesw5-dev python3-pip libgmp-dev libmpfr-dev python2 libffi-dev && \
+RUN apt-get update && apt-get install -y unzip autoconf build-essential libssl-dev \
+ pkg-config zlib1g-dev libargon2-dev libsodium-dev libcurl4-openssl-dev \
+ sqlite3 libsqlite3-dev libonig-dev libxml2 libxml2-dev bc curl git \
+ linux-headers-amd64 perl xz-utils python3 python3-pip gnupg jq zlib1g-dev \
+ cmake cmake-doc extra-cmake-modules build-essential gcc binutils bash coreutils \
+ util-linux pciutils usbutils coreutils binutils findutils grep libncurses5-dev \
+ libncursesw5-dev python3-pip libgmp-dev libmpfr-dev python2 libffi-dev \
+ libreadline-dev && \
 ln -sf /bin/bash /bin/sh && \
 rm -rf /var/lib/apt/lists/* && \
 update-alternatives --install /usr/bin/python python /usr/bin/python3.7 2
From 3dfade7c910a462248cb284d937b70f749147b42 Mon Sep 17 00:00:00 2001
From: Dan Vargas <10914883+dvargas46@users.noreply.github.com>
Date: Tue, 27 Apr 2021 21:15:34 -0500
Subject: [PATCH 04/11] pkg(lolcode-0.11.2): update build script to use correct lolcode version (#237)
Co-authored-by: Vargas, Dan
---
 packages/lolcode/0.11.2/build.sh | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/packages/lolcode/0.11.2/build.sh b/packages/lolcode/0.11.2/build.sh
index 72a9ea3..007fe82 100755
--- a/packages/lolcode/0.11.2/build.sh
+++ b/packages/lolcode/0.11.2/build.sh
@@ -2,9 +2,12 @@
 PREFIX=$(realpath $(dirname $0))
-# Cloning lolcode source
-git clone https://github.com/justinmeza/lci.git lolcode
-cd lolcode
+mkdir -p build
+cd build
+
+# lolcode release
+curl -L "https://github.com/justinmeza/lci/archive/refs/tags/v0.11.2.tar.gz" -o lolcode.tar.gz
+tar xzf lolcode.tar.gz --strip-components=1
 # Building and installing lolcode
 cmake -DCMAKE_INSTALL_PREFIX:STRING="$PREFIX" .
@@ -12,4 +15,4 @@ make -j$(nproc)
 make install -j$(nproc)
 # Cleaning up
-cd ../ && rm -rf lolcode
+cd ../ && rm -rf build
From 724cbbaa9bcc8e48b4057bc7a1b4316b1e891fbd Mon Sep 17 00:00:00 2001
From: Thomas Hobson
Date: Wed, 28 Apr 2021 14:34:51 +1200
Subject: [PATCH 05/11] mount /tmp as tmpfs in container
---
 docker-compose.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 764a55b..4080638 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -11,3 +11,4 @@ services:
 - ./data/piston:/piston
 tmpfs:
 - /piston/jobs:exec
+ - /tmp
From 73391cf718bbb821ed2187d18127764ce865b807 Mon Sep 17 00:00:00 2001
From: Thomas Hobson
Date: Wed, 28 Apr 2021 15:35:40 +1200
Subject: [PATCH 06/11] add exploit payloads
---
 tests/fallocate.py | 12 ++++++++++++
 tests/fork.py | 6 ++++++
 tests/network.py | 8 ++++++++
 tests/readme.md | 9 +++++++++
 tests/runaway_output.py | 2 ++
 5 files changed, 37 insertions(+)
 create mode 100644 tests/fallocate.py
 create mode 100644 tests/fork.py
 create mode 100644 tests/network.py
 create mode 100644 tests/readme.md
 create mode 100644 tests/runaway_output.py
diff --git a/tests/fallocate.py b/tests/fallocate.py
new file mode 100644
index 0000000..90860fe
--- /dev/null
+++ b/tests/fallocate.py
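Review bot: The `- /tmp` entry added to `tmpfs:` in docker-compose.yaml (PATCH 05) has no `size=` option, so the mount is bounded only by the tmpfs default, which as far as I know is a share of host RAM rather than a fixed budget; files that jobs write to /tmp then consume memory on the host. Give the mount an explicit cap, e.g. `- /tmp:size=<limit>` with a value chosen for the deployment. The neighbouring `- /piston/jobs:exec` entry is unbounded in the same way, and the per-file `--fsize` limit added in PATCH 07 does not cap the total.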
@@ -0,0 +1,12 @@
+"""
+Description
+ Writing a large file to disk in the jobs directory, exhausting the
+ space will temporarly disable other jobs to be started.
+
+Discovered by
+ Discord Derpius#9144
+"""
+
+with open("beans","w") as f:
+ n = 2**24
+ f.write("I love beans\n"*n)
\ No newline at end of file
diff --git a/tests/fork.py b/tests/fork.py
new file mode 100644
index 0000000..3ccbb26
--- /dev/null
+++ b/tests/fork.py
@@ -0,0 +1,6 @@
+import os
+while True:
+ try:
+ os.fork()
+ except:
+ pass
\ No newline at end of file
diff --git a/tests/network.py b/tests/network.py
new file mode 100644
index 0000000..c7fa217
--- /dev/null
+++ b/tests/network.py
@@ -0,0 +1,8 @@
+"""
+Description
+ Accessing external resources could be potentially dangerous
+
+"""
+
+import urllib.request
+contents = urllib.request.urlopen("https://emkc.org").read()
\ No newline at end of file
diff --git a/tests/readme.md b/tests/readme.md
new file mode 100644
index 0000000..01ae419
--- /dev/null
+++ b/tests/readme.md
@@ -0,0 +1,9 @@
+# Exploit Tests
+
+This directory contains a collection of exploits which have already been patched
+
+Write exploits in any language supported by piston.
+
+Hopefully when running any files in this directory, piston will resist the attack.
+
+Leave a comment in the code describing how the exploit works.
\ No newline at end of file
diff --git a/tests/runaway_output.py b/tests/runaway_output.py
new file mode 100644
index 0000000..f2b1b9f
--- /dev/null
+++ b/tests/runaway_output.py
@@ -0,0 +1,2 @@
+while True:
+ print("Piston is secure")
\ No newline at end of file
From a6bc24e22e35bc4be41f9d7d93f146cadfb187ca Mon Sep 17 00:00:00 2001
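Review bot: tests/fork.py and tests/runaway_output.py carry no description, although tests/readme.md in this same commit asks for a comment in each file saying how the case works; without it a maintainer cannot tell which limit each file is meant to exercise or what a passing run looks like. Add a module docstring in the style of fallocate.py, for example `"""Description: creates processes in an unbounded loop; the per-job process limit should stop it."""` in fork.py and `"""Description: prints without end; the output size limit should cut it off."""` in runaway_output.py (the expected outcomes are my inference and should be confirmed). The docstring in network.py likewise does not say what result counts as a pass.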
From: Thomas Hobson
Date: Wed, 28 Apr 2021 15:39:23 +1200
Subject: [PATCH 07/11] Fix issue where large files can be written to exhaust space **BREAKING CHANGE** Requires manually editing the config file, or deleting the config file entirely!
---
 api/src/config.js | 6 ++++++
 api/src/job.js | 5 +++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/api/src/config.js b/api/src/config.js
index d98a4b4..c97b64c 100644
--- a/api/src/config.js
+++ b/api/src/config.js
@@ -102,6 +102,12 @@ const options = [
 default: 2048,
 validators: []
 },
+ {
+ key: 'max_file_size',
+ desc: 'Max file size in bytes for a file',
+ default: 1000000, //1MB
+ validators: []
+ },
 {
 key: 'repo_url',
 desc: 'URL of repo index',
diff --git a/api/src/job.js b/api/src/job.js
index 2692bc1..6858c3a 100644
--- a/api/src/job.js
+++ b/api/src/job.js
@@ -74,7 +74,8 @@ class Job {
 const prlimit = [
 'prlimit',
 '--nproc=' + config.max_process_count,
- '--nofile=' + config.max_open_files
+ '--nofile=' + config.max_open_files,
+ '--fsize=' + config.max_file_size
 ];
 const proc_call = [
@@ -185,7 +186,7 @@ class Job {
 async cleanup() {
 logger.info(`Cleaning up job uuid=${this.uuid}`);
 await fs.rm(this.dir, { recursive: true, force: true });
- let processes = [1]
+ let processes = [1];
 while(processes.length > 0){
 processes = await ps_list();
From 3bd73d07a90d1fc48f72df8505451ed0a3b3572e Mon Sep 17 00:00:00 2001
From: Thomas Hobson
Date: Wed, 28 Apr 2021 16:03:35 +1200
Subject: [PATCH 08/11] file persistance fix
---
 api/src/globals.js | 8 +++++++-
 api/src/job.js | 32 +++++++++++++++++++++++++++-----
 tests/file_persistance.py | 25 +++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 6 deletions(-)
 create mode 100644 tests/file_persistance.py
diff --git a/api/src/globals.js b/api/src/globals.js
index 300558e..e632a88 100644
--- a/api/src/globals.js
+++ b/api/src/globals.js
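Review bot: The `'--fsize=' + config.max_file_size` entry added to the `prlimit` array in api/src/job.js (PATCH 07) caps each individual file, not the total a job may write, so many files under the 1 MB default can still fill the jobs directory this commit sets out to protect; a size limit on the jobs mount or a quota is still needed for that. In api/src/config.js the new `max_file_size` option is declared with `validators: []`, so a non-numeric or negative value from the config file would be concatenated straight into the `prlimit` argument; a validator accepting only non-negative integers would reject it at startup (the validator signature is not visible in this hunk). The `Job` method that builds the `prlimit` array starts and ends outside the hunk.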
@@ -16,5 +16,11 @@ module.exports = {
 },
 version: require('../package.json').version,
 platform,
- pkg_installed_file: '.ppman-installed' //Used as indication for if a package was installed
+ pkg_installed_file: '.ppman-installed', //Used as indication for if a package was installed
+ clean_directories: [
+ "/dev/shm",
+ "/run/lock",
+ "/tmp",
+ "/var/tmp"
+ ]
 };
diff --git a/api/src/job.js b/api/src/job.js
index 6858c3a..d35893a 100644
--- a/api/src/job.js
+++ b/api/src/job.js
@@ -183,12 +183,10 @@ class Job {
 };
 }
- async cleanup() {
- logger.info(`Cleaning up job uuid=${this.uuid}`);
- await fs.rm(this.dir, { recursive: true, force: true });
+
+ async cleanup_processes(){
 let processes = [1];
 while(processes.length > 0){
-
 processes = await ps_list();
 processes = processes.filter(proc => proc.uid == this.uid);
@@ -212,8 +210,32 @@ class Job {
 wait_pid(proc.pid);
 }
 }
-
+ }
+ async cleanup_filesystem(){
+ /*
+ for (const clean_path of globals.clean_directories) {
+ const contents = await fs.readdir(clean_path);
+
+ for (const file of contents) {
+ const file_path = path.join(clean_path, file);
+ const stat = await fs.stat(file_path);
+ if(stat.uid == this.uid)
+ await fs.rm(file_path, { recursive: true, force: true });
+ }
+
+ }*/
+
+ await fs.rm(this.dir, { recursive: true, force: true });
+ }
+
+ async cleanup() {
+ logger.info(`Cleaning up job uuid=${this.uuid}`);
+
+ await Promise.all([
+ this.cleanup_processes(),
+ this.cleanup_filesystem()
+ ]);
 }
 }
diff --git a/tests/file_persistance.py b/tests/file_persistance.py
new file mode 100644
index 0000000..ec23cfe
--- /dev/null
+++ b/tests/file_persistance.py
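Review bot: In the new `cleanup()` in api/src/job.js (PATCH 08), `Promise.all` starts `cleanup_filesystem()` while `cleanup_processes()` is still finding and stopping the job's processes, so a process that is still running can write again after its files were removed and leave them behind. Run the two steps in order instead: `await this.cleanup_processes();` followed by `await this.cleanup_filesystem();`. Both methods also compare uids with `==` (`proc.uid == this.uid`, `stat.uid == this.uid`); `===` is the safer comparison if both sides are numbers, which these hunks do not show.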
@@ -0,0 +1,25 @@
+"""
+Description
+ Files can be written into world writable directories without being removed,
+ potentially leading to disk space exhaustion
+
+ Run this test twice and there should be no output
+
+"""
+
+import os
+
+directories = [
+ "/dev/shm",
+ "/run/lock",
+ "/tmp",
+ "/var/tmp"
+]
+
+for dir in directories:
+ fpath = f"{dir}/bean"
+ if os.path.exists(fpath):
+ print(f"{fpath} exists")
+ else:
+ with open(fpath, "w") as f:
+ f.write("beannn")
\ No newline at end of file
From 0299810d6cb8576fc03af85ffdb053134b64ee0e Mon Sep 17 00:00:00 2001
From: Thomas Hobson
Date: Wed, 28 Apr 2021 16:04:27 +1200
Subject: [PATCH 09/11] update CI config
---
 .github/workflows/package-pr.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/package-pr.yaml b/.github/workflows/package-pr.yaml
index ac940d9..d5e2595 100644
--- a/.github/workflows/package-pr.yaml
+++ b/.github/workflows/package-pr.yaml
@@ -74,6 +74,7 @@ jobs:
 output_max_size: 1024
 max_process_count: 64
 max_open_files: 2048
+ max_file_size: 1000000
 repo_url: http://localhost:8000/index
 write-mode: overwrite
From 5509492a99fc78b3b67519c1c6a29b88a4261f3f Mon Sep 17 00:00:00 2001
From: Thomas Hobson
Date: Wed, 28 Apr 2021 16:11:49 +1200
Subject: [PATCH 10/11] uncomment the fix
---
 api/src/job.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/api/src/job.js b/api/src/job.js
index d35893a..b711ac1 100644
--- a/api/src/job.js
+++ b/api/src/job.js
@@ -213,7 +213,7 @@ class Job {
 }
 async cleanup_filesystem(){
- /*
+
 for (const clean_path of globals.clean_directories) {
 const contents = await fs.readdir(clean_path);
@@ -224,7 +224,7 @@ class Job {
 await fs.rm(file_path, { recursive: true, force: true });
 }
- }*/
+ }
 await fs.rm(this.dir, { recursive: true, force: true });
 }
From 9f98f393a7c4a4743a6ba9ba78be0c12baf6b8dc Mon Sep 17 00:00:00 2001
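Review bot: The loop that PATCH 10 enables in `cleanup_filesystem()` (its body is visible in PATCH 08) decides ownership with `fs.stat(file_path)`, which follows symbolic links, so a link left in one of the `clean_directories` is judged by its target's owner rather than its own and can survive cleanup; `const stat = await fs.lstat(file_path);` checks the entry itself. Any error from `fs.readdir` or `fs.stat`, such as a listed directory that does not exist in the container or an entry that disappears between the two calls, rejects the method before the final `fs.rm(this.dir, …)` runs, so per-entry errors should be caught and logged and the job directory removed regardless. The hunks do not show whether `globals` and `path` are already required in job.js; if they are not, the uncommented code throws a ReferenceError.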
From: JeffreyHuang06 <59666651+JeffreyHuang06@users.noreply.github.com>
Date: Wed, 28 Apr 2021 00:16:29 -0400
Subject: [PATCH 11/11] Update readme.md (#226) changed api path from v1 to v2
---
 readme.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/readme.md b/readme.md
index 54a880e..38bad62 100644
--- a/readme.md
+++ b/readme.md
@@ -170,9 +170,9 @@ The container exposes an API on port 2000 by default. This is used by the CLI to carry out running jobs and package management.
 #### Runtimes Endpoint
-`GET /api/v1/runtimes`
+`GET /api/v2/runtimes`
 This endpoint will return the supported languages along with the current version and aliases. To execute
-code for a particular language using the `/api/v1/execute` endpoint, either the name or one of the aliases must
+code for a particular language using the `/api/v2/execute` endpoint, either the name or one of the aliases must
 be provided, along with the version. Multiple versions of the same language may be present at the same time, and may be selected when running a job.
 ```json
@@ -199,7 +199,7 @@ Content-Type: application/json
 ```
 #### Execute Endpoint
-`POST /api/v1/execute`
+`POST /api/v2/execute`
 This endpoint requests execution of some arbitrary code.
 - `language` (**required**) The language to use for execution, must be a string and must be installed.
 - `version` (**required**) The version of the language to use for execution, must be a string containing a SemVer selector for the version or the specific version number to use.