Comments (4)
If you want to be super paranoid you can use a separate process, but realistically the only way to get out of this sandbox is a V8 exploit (which is entirely possible ofc, but not trivial). I'd try to set up the environment s.t. if a user can escape the sandbox, they can only read secrets for their own repo (i.e. via chroots or sth)
from probot.
Contexts can share heap objects. Anything you pass into the PR script can have its prototype messed with, which is often an exploit vector.
Furthermore, anyone can call `while(true){}` and those are uninterruptible, and a DOS attack vector.
I think you'll want a 1-process per script model, and possibly use only c++ to pass in APIs to the untrusted script.
Since you don't actually need node APIs available for your scripts, you could also directly boot V8 isolates in separate threads and communicate via C++/libuv. Here's an old example https://github.com/groundwater/node-isolate-madness that would need updating, but it runs some JS in another thread and uses libuv to call back into the original thread.
from probot.
The DOS attack vector definitely requires separate isolates or processes, but you could write the trusted part of the code in JavaScript by taking advantage of an object-capabilities security model that was enabled by changes in ES5.
There's a talk about it from a member of Google's Caja team and a script floating around called `initSES.js` that supposedly enables this security model.
The basic idea is that you have to lock down a bunch of JS prototypes and other things to make it impossible, for example, to replace `Array.push` with your own nefarious version by following references to the prototype from an instance you were given and assigning a new method. If you do that and run untrusted code in an isolated context, you can still do trusted things outside of that context and maintain security.
from probot.
Thanks for the thoughts here. After #89, I'm going to kick this can down the road.
from probot.