refactor(embark): restrict path for fs ops only in VM2 context

When testing production installs of embark 4.0.0-beta.1 (local registry), the
`restrictPath` mechanism of `core/fs` was too restrictive, interfering with
template generation (cause not completely determined). Also, it's known that
`restrictPath` causes problems when resolving plugins, etc. from "higher up"
`node_modules` paths, e.g. in the monorepo.

Introduce `codeRunner/fs` which uses `restrictPath` as before, and in `core/fs`
remove `restrictPath`. Revise the other `codeRunner` modules to use
`codeRunner/fs`.
This commit is contained in:
Michael Bradley, Jr 2019-03-17 18:14:54 -05:00 committed by Iuri Matias
parent 6758a652eb
commit e37598309f
5 changed files with 261 additions and 161 deletions

View File

@ -1,164 +1,90 @@
const parseJson = require('parse-json'); /* global module process require */
const {DAPP_PATH,
DIAGRAM_PATH,
EMBARK_PATH,
PKG_PATH,
anchoredValue} = require('./env');
const fs = require('fs-extra');
const os = require('os'); const os = require('os');
let path = require('path'); const parseJson = require('parse-json');
let fs = require('fs-extra'); const path = require('path');
let utils = require('../utils/utils.js'); const utils = require('../utils/utils');
let env = require('./env.js');
require('colors'); require('colors');
function restrictPath(receiver, binding, count, args) { function mkdirpSync(...args) { return fs.mkdirpSync(...args); }
const dapp = dappPath();
let embark = embarkPath();
const pkg = pkgPath();
// In the monorepo, enable doing FS functions on all of embark (needed to access embark/node_modules) function mkdirp(...args) { return fs.mkdirp(...args); }
embark = embark.replace(path.normalize('embark/packages/'), '');
const allowedRoots = [ function readdir(...args) { return fs.readdir(...args); }
dapp,
embark,
pkg,
os.tmpdir()
];
let allInsideRestricted = true; function stat(...args) { return fs.stat(...args); }
for(let i = 0; i < count; i++) { function remove(...args) { return fs.remove(...args); }
let resolved = path.resolve(dapp, args[i]);
allInsideRestricted = allowedRoots.some(p => { return resolved.indexOf(p) === 0; });
if(!allInsideRestricted) break;
}
if(allInsideRestricted) return receiver.apply(binding, args); function copy(...args) { return fs.copy(...args); }
throw new Error('EPERM: Operation not permitted');
}
function mkdirpSync() { function copySync(...args) { return fs.copySync(...args); }
return restrictPath(fs.mkdirpSync, fs.mkdirpSync, 1, arguments);
}
function mkdirp() { function move(...args) { return fs.move(...args); }
return restrictPath(fs.mkdirp, fs.mkdirp, 1, arguments);
}
function readdir() { function moveSync(...args) { return fs.moveSync(...args); }
return restrictPath(fs.readdir, fs.readdir, 1, arguments);
}
function stat() { function symlink(...args) { return fs.symlink(...args); }
return restrictPath(fs.stat, fs.stat, 1, arguments);
}
function remove() { function appendFileSync(...args) { return fs.appendFileSync(...args); }
return restrictPath(fs.remove, fs.remove, 1, arguments);
}
function copy() { function writeFile(...args) { return fs.writeFile(...args); }
return restrictPath(fs.copy, fs.copy, 2, arguments);
}
function copySync() { function writeFileSync(...args) { return fs.writeFileSync(...args); }
return restrictPath(fs.copySync, fs.copySync, 2, arguments);
}
function move(){ function readFile(...args) { return fs.readFile(...args); }
return restrictPath(fs.move, fs.move, 2, arguments);
}
function moveSync() { function readFileSync(...args) { return fs.readFileSync(...args); }
return restrictPath(fs.moveSync, fs.moveSync, 2, arguments);
}
function symlink() { function readdirSync(...args) { return fs.readdirSync(...args); }
return restrictPath(fs.symlink, fs.symlink, 2, arguments);
}
function appendFileSync() { function statSync(...args) { return fs.statSync(...args); }
return restrictPath(fs.appendFileSync, fs.writeFileSync, 1, arguments);
}
function writeFile() { function readJSONSync(...args) {
return restrictPath(fs.writeFile, fs.writeFileSync, 1, arguments); let json;
}
function writeFileSync() {
return restrictPath(fs.writeFileSync, fs.writeFileSync, 1, arguments);
}
function readFile() {
return restrictPath(fs.readFile, fs.readFile, 1, arguments);
}
function readFileSync() {
return restrictPath(fs.readFileSync, fs.readFileSync, 1, arguments);
}
function readdirSync() {
return restrictPath(fs.readdirSync, fs.readdirSync, 1, arguments);
}
function statSync() {
return restrictPath(fs.statSync, fs.statSync, 1, arguments);
}
function readJSONSync() {
let content = readFileSync.apply(readFileSync, arguments);
try { try {
return parseJson(content); json = parseJson(readFileSync(...args));
} catch (e) { } catch (e) {
console.error("error: ".red + arguments[0].green.underline + " " + e.message.green); console.error('error: '.red + args[0].green.underline + ' ' + e.message.green);
process.exit(0); process.exit(1);
} }
return json;
} }
function writeJSONSync() { function writeJSONSync(...args) { return fs.writeJSONSync(...args); }
return restrictPath(fs.writeJSONSync, fs.writeJSONSync, 1, arguments);
}
function outputJSONSync() { function outputJSONSync(...args) { return fs.outputJSONSync(...args); }
return restrictPath(fs.outputJSONSync, fs.outputJSONSync, 1, arguments);
}
function writeJson() { function writeJson(...args) { return fs.writeJson(...args); }
return restrictPath(fs.writeJson, fs.writeJson, 1, arguments);
}
function existsSync() { function existsSync(...args) { return fs.existsSync(...args); }
return restrictPath(fs.existsSync, fs.existsSync, 1, arguments);
}
function ensureFileSync() { function ensureFileSync(...args) { return fs.ensureFileSync(...args); }
return restrictPath(fs.ensureFileSync, fs.ensureFileSync, 1, arguments);
}
function ensureDirSync() { function ensureDirSync(...args) { return fs.ensureDirSync(...args); }
return restrictPath(fs.ensureDirSync, fs.ensureDirSync, 1, arguments);
}
function access() { function access(...args) { return fs.access(...args); }
return restrictPath(fs.access, fs.access, 1, arguments);
}
function removeSync() { function removeSync(...args) { return fs.removeSync(...args); }
return restrictPath(fs.removeSync, fs.removeSync, 1, arguments);
}
function anchoredPath(anchor, ...args) { function anchoredPath(anchor, ...args) {
args = args.map(path => path.replace(dappPath(), "")); return utils.joinPath(
return utils.joinPath(env.anchoredValue(anchor), ...args); anchoredValue(anchor),
...args.map(path => path.replace(dappPath(), ''))
);
} }
function embarkPath() { function embarkPath(...args) { return anchoredPath(EMBARK_PATH, ...args); }
return anchoredPath(env.EMBARK_PATH, ...arguments);
}
function dappPath() { function dappPath(...args) { return anchoredPath(DAPP_PATH, ...args); }
return anchoredPath(env.DAPP_PATH, ...arguments);
}
function diagramPath() { function diagramPath(...args) { return anchoredPath(DIAGRAM_PATH, ...args); }
return anchoredPath(env.DIAGRAM_PATH, ...arguments);
}
function ipcPath(basename, usePipePathOnWindows = false) { function ipcPath(basename, usePipePathOnWindows = false) {
if (!(basename && typeof basename === 'string')) { if (!(basename && typeof basename === 'string')) {
@ -173,26 +99,18 @@ function ipcPath(basename, usePipePathOnWindows = false) {
); );
} }
function pkgPath() { function pkgPath(...args) { return anchoredPath(PKG_PATH, ...args); }
return anchoredPath(env.PKG_PATH, ...arguments);
}
function createWriteStream() { function createWriteStream(...args) { return fs.createWriteStream(...args); }
return restrictPath(fs.createWriteStream, fs.createWriteStream, 1, arguments);
}
function tmpDir() { function tmpDir(...args) { return utils.joinPath(os.tmpdir(), ...args); }
let os = require('os');
return utils.joinPath(os.tmpdir(), ...arguments);
}
function copyPreserve(sourceFilePath, targetFilePath) { function copyPreserve(sourceFilePath, targetFilePath) {
const implementation = (sourceFilePath, targetFilePath) => { const implementation = (sourceFilePath, targetFilePath) => {
const path = require('path');
let ext = 1; let ext = 1;
let preserved = targetFilePath; let preserved = targetFilePath;
while (fs.existsSync(preserved)) { while (fs.existsSync(preserved)) {
let extname = path.extname(targetFilePath); const extname = path.extname(targetFilePath);
preserved = utils.joinPath( preserved = utils.joinPath(
path.dirname(targetFilePath), path.dirname(targetFilePath),
`${path.basename(targetFilePath, extname)}.${ext}${extname}` `${path.basename(targetFilePath, extname)}.${ext}${extname}`
@ -205,12 +123,10 @@ function copyPreserve(sourceFilePath, targetFilePath) {
fs.copySync(sourceFilePath, targetFilePath); fs.copySync(sourceFilePath, targetFilePath);
}; };
return restrictPath(implementation, implementation, 2, [sourceFilePath, targetFilePath]); return implementation(sourceFilePath, targetFilePath);
} }
function outputFileSync(){ function outputFileSync(...args) { return fs.outputFileSync(...args); }
return restrictPath(fs.outputFileSync, fs.outputFile, 1, arguments);
}
module.exports = { module.exports = {
access, access,

View File

@ -0,0 +1,195 @@
/* global module process require */
const {DAPP_PATH,
DIAGRAM_PATH,
EMBARK_PATH,
PKG_PATH,
anchoredValue} = require('../../core/env');
const fs = require('fs-extra');
const os = require('os');
const parseJson = require('parse-json');
const path = require('path');
const utils = require('../../utils/utils');
require('colors');
function restrictPath(receiver, binding, count, args) {
const dapp = dappPath();
let embark = embarkPath();
const pkg = pkgPath();
// In the monorepo, enable doing FS functions on all of embark (needed to access embark/node_modules)
embark = embark.replace(path.normalize('embark/packages/'), '');
const allowedRoots = [
dapp,
embark,
pkg,
os.tmpdir()
];
let allInsideRestricted = true;
for (let i = 0; i < count; i++) {
const resolved = path.resolve(dapp, args[i]);
allInsideRestricted = allowedRoots.some(p => { return resolved.indexOf(p) === 0; });
if (!allInsideRestricted) break;
}
if (allInsideRestricted) return receiver.apply(binding, args);
throw new Error('EPERM: Operation not permitted');
}
function mkdirpSync(...args) { return restrictPath(fs.mkdirpSync, fs, 1, args); }
function mkdirp(...args) { return restrictPath(fs.mkdirp, fs, 1, args); }
function readdir(...args) { return restrictPath(fs.readdir, fs, 1, args); }
function stat(...args) { return restrictPath(fs.stat, fs, 1, args); }
function remove(...args) { return restrictPath(fs.remove, fs, 1, args); }
function copy(...args) { return restrictPath(fs.copy, fs, 2, args); }
function copySync(...args) { return restrictPath(fs.copySync, fs, 2, args); }
function move(...args) { return restrictPath(fs.move, fs, 2, args); }
function moveSync(...args) { return restrictPath(fs.moveSync, fs, 2, args); }
function symlink(...args) { return restrictPath(fs.symlink, fs, 2, args); }
function appendFileSync(...args) { return restrictPath(fs.appendFileSync, fs, 1, args); }
function writeFile(...args) { return restrictPath(fs.writeFile, fs, 1, args); }
function writeFileSync(...args) { return restrictPath(fs.writeFileSync, fs, 1, args); }
function readFile(...args) { return restrictPath(fs.readFile, fs, 1, args); }
function readFileSync(...args) { return restrictPath(fs.readFileSync, fs, 1, args); }
function readdirSync(...args) { return restrictPath(fs.readdirSync, fs, 1, args); }
function statSync(...args) { return restrictPath(fs.statSync, fs, 1, args); }
function readJSONSync(...args) {
const content = readFileSync(...args);
let json;
try {
json = parseJson(content);
} catch(e) {
console.error('error: '.red + args[0].green.underline + ' ' + e.message.green);
process.exit(0);
}
return json;
}
function writeJSONSync(...args) { return restrictPath(fs.writeJSONSync, fs, 1, args); }
function outputJSONSync(...args) { return restrictPath(fs.outputJSONSync, fs, 1, args); }
function writeJson(...args) { return restrictPath(fs.writeJson, fs, 1, args); }
function existsSync(...args) { return restrictPath(fs.existsSync, fs, 1, args); }
function ensureFileSync(...args) { return restrictPath(fs.ensureFileSync, fs, 1, args); }
function ensureDirSync(...args) { return restrictPath(fs.ensureDirSync, fs, 1, args); }
function access(...args) { return restrictPath(fs.access, fs, 1, args); }
function removeSync(...args) { return restrictPath(fs.removeSync, fs, 1, args); }
function anchoredPath(anchor, ...args) {
return utils.joinPath(
anchoredValue(anchor),
...args.map(path => path.replace(dappPath(), ''))
);
}
function embarkPath(...args) { return anchoredPath(EMBARK_PATH, ...args); }
function dappPath(...args) { return anchoredPath(DAPP_PATH, ...args); }
function diagramPath(...args) { return anchoredPath(DIAGRAM_PATH, ...args); }
function ipcPath(basename, usePipePathOnWindows = false) {
if (!(basename && typeof basename === 'string')) {
throw new TypeError('first argument must be a non-empty string');
}
if (process.platform === 'win32' && usePipePathOnWindows) {
return `\\\\.\\pipe\\${basename}`;
}
return utils.joinPath(
tmpDir(`embark-${utils.sha512(dappPath()).slice(0, 8)}`),
basename
);
}
function pkgPath(...args) { return anchoredPath(PKG_PATH, ...args); }
function createWriteStream(...args) { return restrictPath(fs.createWriteStream, fs, 1, args); }
function tmpDir(...args) { return utils.joinPath(os.tmpdir(), ...args); }
function copyPreserve(sourceFilePath, targetFilePath) {
const implementation = (sourceFilePath, targetFilePath) => {
let ext = 1;
let preserved = targetFilePath;
while (fs.existsSync(preserved)) {
const extname = path.extname(targetFilePath);
preserved = utils.joinPath(
path.dirname(targetFilePath),
`${path.basename(targetFilePath, extname)}.${ext}${extname}`
);
ext++;
}
if (preserved !== targetFilePath) {
fs.copySync(targetFilePath, preserved);
}
fs.copySync(sourceFilePath, targetFilePath);
};
return restrictPath(implementation, {}, 2, [sourceFilePath, targetFilePath]);
}
function outputFileSync(...args) { return restrictPath(fs.outputFileSync, fs, 1, args); }
module.exports = {
access,
appendFileSync,
copy,
copyPreserve,
copySync,
createWriteStream,
dappPath,
diagramPath,
embarkPath,
existsSync,
ensureFileSync,
ensureDirSync,
ipcPath,
mkdirp,
mkdirpSync,
move,
moveSync,
outputFileSync,
outputJSONSync,
pkgPath,
readFile,
readFileSync,
readJSONSync,
readdir,
readdirSync,
remove,
removeSync,
stat,
statSync,
symlink,
tmpDir,
writeFile,
writeFileSync,
writeJSONSync,
writeJson
};

View File

@ -1,5 +1,5 @@
import VM from "./vm"; import VM from "./vm";
const fs = require("../../core/fs"); const fs = require("./fs");
import { Callback, Embark, Events, Logger } from "embark"; import { Callback, Embark, Events, Logger } from "embark";
import Web3 from "web3"; import Web3 from "web3";
const EmbarkJS = require("embarkjs"); const EmbarkJS = require("embarkjs");
@ -22,23 +22,7 @@ class CodeRunner {
this.vm = new VM({ this.vm = new VM({
require: { require: {
mock: { mock: {
fs: { fs,
access: fs.access,
dappPath: fs.dappPath,
diagramPath: fs.diagramPath,
embarkPath: fs.embarkPath,
existsSync: fs.existsSync,
ipcPath: fs.ipcPath,
pkgPath: fs.pkgPath,
readFile: fs.readFile,
readFileSync: fs.readFileSync,
readJSONSync: fs.readJSONSync,
readdir: fs.readdir,
readdirSync: fs.readdirSync,
stat: fs.stat,
statSync: fs.statSync,
tmpDir: fs.tmpDir,
},
}, },
}, },
sandbox: { sandbox: {

View File

@ -2,7 +2,7 @@ import { each } from "async";
import { Callback, Logger } from "embark"; import { Callback, Logger } from "embark";
import { NodeVM, NodeVMOptions } from "vm2"; import { NodeVM, NodeVMOptions } from "vm2";
const fs = require("../../core/fs"); const fs = require("./fs");
const path = require("path"); const path = require("path");
const { recursiveMerge, isEs6Module, compact } = require("../../utils/utils"); const { recursiveMerge, isEs6Module, compact } = require("../../utils/utils");
@ -33,7 +33,7 @@ class VM {
*/ */
private _options: NodeVMOptions = { private _options: NodeVMOptions = {
require: { require: {
builtin: ["path", "rxjs", "util"], builtin: ["path", "util"],
external: [ external: [
"@babel/runtime-corejs2/helpers/interopRequireDefault", "@babel/runtime-corejs2/helpers/interopRequireDefault",
"@babel/runtime-corejs2/core-js/json/stringify", "@babel/runtime-corejs2/core-js/json/stringify",

View File

@ -3,14 +3,16 @@ const {assert} = require('chai');
const os = require('os'); const os = require('os');
const path = require('path'); const path = require('path');
const underlyingFs = require('fs-extra'); const underlyingFs = require('fs-extra');
const fs = require('../lib/core/fs'); const fs = require('../lib/modules/codeRunner/fs');
describe('fs', () => { describe('fs', () => {
let fsMethods = {}; let fsMethods = {};
let oldConsoleError;
let oldDappPath; let oldDappPath;
let oldProcessExit; let oldProcessExit;
before(() => { before(() => {
oldConsoleError = console.error;
oldDappPath = process.env.DAPP_PATH; oldDappPath = process.env.DAPP_PATH;
process.env.DAPP_PATH = fs.embarkPath(); process.env.DAPP_PATH = fs.embarkPath();
oldProcessExit = process.exit; oldProcessExit = process.exit;
@ -63,9 +65,12 @@ describe('fs', () => {
it('should not throw exceptions on paths inside the temporary dir root', (done) => { it('should not throw exceptions on paths inside the temporary dir root', (done) => {
assert.doesNotThrow(async () => { assert.doesNotThrow(async () => {
try { try {
if (func === 'readJSONSync') console.error = function() {};
await fs[func](path.join(os.tmpdir(), 'foo')); await fs[func](path.join(os.tmpdir(), 'foo'));
} catch(e) { } catch(e) {
if(e.message.indexOf('EPERM') === 0) throw e; if(e.message.indexOf('EPERM') === 0) throw e;
} finally {
if (func === 'readJSONSync') console.error = oldConsoleError;
} }
}, /EPERM: Operation not permitted/); }, /EPERM: Operation not permitted/);