Raise error on writes outside Docker shared folder
* Don't replace path before execute * Use config option for LOCAL_WORKSPACE_ROOT
This commit is contained in:
@ -4,10 +4,14 @@ require 'concurrent'
|
|||||||
require 'pathname'
|
require 'pathname'
|
||||||
|
|
||||||
class DockerClient
|
class DockerClient
|
||||||
|
def self.config
|
||||||
|
@config ||= CodeOcean::Config.new(:docker).read(erb: true)
|
||||||
|
end
|
||||||
|
|
||||||
CONTAINER_WORKSPACE_PATH = '/workspace' # '/home/python/workspace' #'/tmp/workspace'
|
CONTAINER_WORKSPACE_PATH = '/workspace' # '/home/python/workspace' #'/tmp/workspace'
|
||||||
DEFAULT_MEMORY_LIMIT = 256
|
DEFAULT_MEMORY_LIMIT = 256
|
||||||
# Ralf: I suggest to replace this with the environment variable. Ask Hauke why this is not the case!
|
# Ralf: I suggest to replace this with the environment variable. Ask Hauke why this is not the case!
|
||||||
LOCAL_WORKSPACE_ROOT = Rails.root.join('tmp', 'files', Rails.env)
|
LOCAL_WORKSPACE_ROOT = File.expand_path(self.config[:workspace_root])
|
||||||
MINIMUM_MEMORY_LIMIT = 4
|
MINIMUM_MEMORY_LIMIT = 4
|
||||||
RECYCLE_CONTAINERS = false
|
RECYCLE_CONTAINERS = false
|
||||||
RETRY_COUNT = 2
|
RETRY_COUNT = 2
|
||||||
@ -51,10 +55,6 @@ class DockerClient
|
|||||||
|
|
||||||
private :command_substitutions
|
private :command_substitutions
|
||||||
|
|
||||||
def self.config
|
|
||||||
@config ||= CodeOcean::Config.new(:docker).read(erb: true)
|
|
||||||
end
|
|
||||||
|
|
||||||
def self.container_creation_options(execution_environment, local_workspace_path)
|
def self.container_creation_options(execution_environment, local_workspace_path)
|
||||||
{
|
{
|
||||||
'Image' => find_image_by_tag(execution_environment.docker_image).info['RepoTags'].first,
|
'Image' => find_image_by_tag(execution_environment.docker_image).info['RepoTags'].first,
|
||||||
@ -294,6 +294,9 @@ class DockerClient
|
|||||||
# before_execution_block.try(:call)
|
# before_execution_block.try(:call)
|
||||||
begin
|
begin
|
||||||
before_execution_block.call
|
before_execution_block.call
|
||||||
|
rescue FilepathError
|
||||||
|
# Prevent catching this error here
|
||||||
|
raise
|
||||||
rescue StandardError => e
|
rescue StandardError => e
|
||||||
Rails.logger.error('execute_websocket_command: Rescued from StandardError caused by before_execution_block.call: ' + e.to_s)
|
Rails.logger.error('execute_websocket_command: Rescued from StandardError caused by before_execution_block.call: ' + e.to_s)
|
||||||
end
|
end
|
||||||
@ -424,19 +427,23 @@ class DockerClient
|
|||||||
end
|
end
|
||||||
|
|
||||||
def local_file_path(options = {})
|
def local_file_path(options = {})
|
||||||
File.join(self.class.local_workspace_path(options[:container]), options[:file].path || '', options[:file].name_with_extension)
|
resulting_file_path = File.join(self.class.local_workspace_path(options[:container]), options[:file].path || '', options[:file].name_with_extension)
|
||||||
|
absolute_path = File.expand_path(resulting_file_path)
|
||||||
|
unless absolute_path.start_with? self.class.local_workspace_path(options[:container]).to_s
|
||||||
|
raise(FilepathError, 'Filepath not allowed')
|
||||||
|
end
|
||||||
|
absolute_path
|
||||||
end
|
end
|
||||||
|
|
||||||
private :local_file_path
|
private :local_file_path
|
||||||
|
|
||||||
def self.local_workspace_path(container)
|
def self.local_workspace_path(container)
|
||||||
Pathname.new(container.binds.first.split(':').first.sub(config[:workspace_root], LOCAL_WORKSPACE_ROOT.to_s)) if container.binds.present?
|
Pathname.new(container.binds.first.split(':').first) if container.binds.present?
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.mapped_directories(local_workspace_path)
|
def self.mapped_directories(local_workspace_path)
|
||||||
remote_workspace_path = local_workspace_path.sub(LOCAL_WORKSPACE_ROOT.to_s, config[:workspace_root])
|
|
||||||
# create the string to be returned
|
# create the string to be returned
|
||||||
["#{remote_workspace_path}:#{CONTAINER_WORKSPACE_PATH}"]
|
["#{local_workspace_path}:#{CONTAINER_WORKSPACE_PATH}"]
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.mapped_ports(execution_environment)
|
def self.mapped_ports(execution_environment)
|
||||||
@ -494,4 +501,5 @@ class DockerClient
|
|||||||
private :send_command
|
private :send_command
|
||||||
|
|
||||||
class Error < RuntimeError; end
|
class Error < RuntimeError; end
|
||||||
|
class FilepathError < RuntimeError; end
|
||||||
end
|
end
|
||||||
|
Reference in New Issue
Block a user