Multiple binary support api #196
Conversation
ChrisLovering
force-pushed
the
multi-version-api
branch
3 times, most recently
from
1b512b8
to
5f67817
Compare
ChrisLovering
force-pushed
the
multi-version-api
branch
from
b990ac2
to
c97b74d
Compare
snekbox/api/resources/eval.py
Outdated
| if binary_path: | ||
| binary_path = Path(binary_path) | ||
| if ( | ||
| not binary_path.resolve().as_posix().startswith("/lang/") |
There was a problem hiding this comment.
Why restrict it to just files in that directory? It seems like an arbitrary restriction I don't think we should have.
There was a problem hiding this comment.
Oh I missed this in your description
if supplied, snekbox ensures that the path is within /lang (to avoid executing arbitrary binaries on the fs) and that the file exists.
It is fairly trivial to bypass this restriction by using the execve syscall. We cannot block this syscall either (at least not through nsjail's seccomp filters). That is due to a quirk in which the filter is applied before nsjail's own execve call, causing nsjail to commit suicide.
Granted, there may be use cases which don't have binaries in /lang that make it possible to call syscalls. But I think if a request comes up to have such restriction, we can add it as a later feature.
snekbox/api/resources/eval.py
Outdated
| not binary_path.resolve().as_posix().startswith("/lang/") | ||
| or not binary_path.is_file() | ||
| ): | ||
| raise falcon.HTTPBadRequest(title="binary_path file is invalid") |
There was a problem hiding this comment.
Let's be more specific. We should also check that the file exists if we aren't already (and that should be a distinct error message)
snekbox/nsjail.py
Outdated
| """ | ||
| if not binary_path: | ||
| binary_path = "/lang/python/default/bin/python" |
There was a problem hiding this comment.
Let's set the default in the function parameters instead.
There was a problem hiding this comment.
Had to do something slightly idfferent so that hte default cna be used both by calling python3 directly, and when calling the API 66c6d27
snekbox/nsjail.py
Outdated
| @@ -188,7 +189,12 @@ def python3( | |||
| py_args: Arguments to pass to Python. | |||
| files: FileAttachments to write to the sandbox prior to running Python. | |||
| nsjail_args: Overrides for the NsJail configuration. | |||
| binary_path: The path to the binary to execute under. | |||
| If None, defaults to "/lang/python/default/bin/python" | |||
There was a problem hiding this comment.
I think we should rename /lang since it's going to be more prominent now. Maybe /snekbin? — doubles as a kinda clever play on "snekbox". If so, we also have to rename our references to the path in our CONTRIBUTING.md docs.
There was a problem hiding this comment.
Yeah I agree this is a good change f726695
tests/test_integration.py
Outdated
| """Test that passing invalid binary paths result in no code execution.""" | ||
| with run_gunicorn(): | ||
| cases = [ | ||
| ("/bin/bash", "test files outside of /lang cannot be ran"), |
There was a problem hiding this comment.
typo
| ("/bin/bash", "test files outside of /lang cannot be ran"), | |
| ("/bin/bash", "test files outside of /lang cannot be run"), |
tests/test_integration.py
Outdated
| "/lang/../bin/bash", | ||
| "test path traversal still stops files outside /lang from running", | ||
| ), | ||
| ("/foo/bar", "test non-existant files are not ran"), |
There was a problem hiding this comment.
typo
| ("/foo/bar", "test non-existant files are not ran"), | |
| ("/foo/bar", "test non-existant files are not run"), |
ChrisLovering
force-pushed
the
multi-version-api
branch
2 times, most recently
from
a784d78
to
6dcf094
Compare
|
I plan to pick this PR up soon just had time to rebase this evening |
snekbox/api/resources/eval.py
Outdated
| binary_path = Path(binary_path) | ||
| if ( | ||
| not binary_path.resolve().as_posix().startswith("/lang/") | ||
| or not binary_path.is_file() |
There was a problem hiding this comment.
Should we also check that it's executable?
| or not binary_path.is_file() | |
| or not binary_path.is_file() | |
| or not binary_path.stat().st_mode & 0o100 == 0o100 |
snekbox/api/resources/eval.py
Outdated
| if binary_path: | ||
| binary_path = Path(binary_path) | ||
| if ( | ||
| not binary_path.resolve().as_posix().startswith("/lang/") |
There was a problem hiding this comment.
Should we move the resolve().as_posix() calls above so the pathlib calls below can make use of it? Or do they mutate the internal object (source of eldritch horrors)
There was a problem hiding this comment.
changed this func quite a bit since then, so this is no longer relevant
|
Hey how's this PR going? It would be very useful for a project I'm working on. |
This is needed as dev builds such as 3.13-dev use the suffix -dev, rather than a patch version.
ChrisLovering
force-pushed
the
multi-version-api
branch
from
6dcf094
to
39c3e79
Compare
This was needed due to wanting a default value when calling python3 diurectly, but also when not specified via the API call
ChrisLovering
force-pushed
the
multi-version-api
branch
from
39c3e79
to
f726695
Compare
|
Now ready for (re)review |
snekbox/api/resources/eval.py
Outdated
| @@ -43,6 +44,7 @@ class EvalResource: | |||
| "required": ["path"], | |||
| }, | |||
| }, | |||
| "binary_path": {"type": "string"}, | |||
There was a problem hiding this comment.
Maybe "executable_path" is a better name than "binary_path"? I'm also okay with the latter though.
There was a problem hiding this comment.
Yeah I agree, makes it clearer what is supported here, as it's not limitted to just binaries. edcaed6
This allows setting a
binary_pathkey in the request body to/evalto specify which binary to run under.If not supplied, it defaults to
"/snekbin/python/default/bin/python".0c9b234 is needed as previously we were dropping the text after the last period when creating the path to install Python to. However, for versions such as3.13-dev this would result in it being installed into
/snekbin/3. Instead, we now split on the last.or the last-