diff options
author | Yaco <franco@reevo.org> | 2020-06-04 11:01:00 -0300 |
---|---|---|
committer | Yaco <franco@reevo.org> | 2020-06-04 11:01:00 -0300 |
commit | fc7369835258467bf97eb64f184b93691f9a9fd5 (patch) | |
tree | daabd60089d2dd76d9f5fb416b005fbe159c799d /www/wiki/includes/shell |
first commit
Diffstat (limited to 'www/wiki/includes/shell')
-rw-r--r-- | www/wiki/includes/shell/Command.php | 555 | ||||
-rw-r--r-- | www/wiki/includes/shell/CommandFactory.php | 114 | ||||
-rw-r--r-- | www/wiki/includes/shell/FirejailCommand.php | 160 | ||||
-rw-r--r-- | www/wiki/includes/shell/Result.php | 76 | ||||
-rw-r--r-- | www/wiki/includes/shell/Shell.php | 251 | ||||
-rw-r--r-- | www/wiki/includes/shell/firejail.profile | 7 | ||||
-rwxr-xr-x | www/wiki/includes/shell/limit.sh | 122 |
7 files changed, 1285 insertions, 0 deletions
diff --git a/www/wiki/includes/shell/Command.php b/www/wiki/includes/shell/Command.php new file mode 100644 index 00000000..d9fa82df --- /dev/null +++ b/www/wiki/includes/shell/Command.php @@ -0,0 +1,555 @@ +<?php +/** + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * http://www.gnu.org/copyleft/gpl.html + * + * @file + */ + +namespace MediaWiki\Shell; + +use Exception; +use MediaWiki\ProcOpenError; +use MediaWiki\ShellDisabledError; +use Profiler; +use Psr\Log\LoggerAwareTrait; +use Psr\Log\NullLogger; + +/** + * Class used for executing shell commands + * + * @since 1.30 + */ +class Command { + use LoggerAwareTrait; + + /** @var string */ + protected $command = ''; + + /** @var array */ + private $limits = [ + // seconds + 'time' => 180, + // seconds + 'walltime' => 180, + // KB + 'memory' => 307200, + // KB + 'filesize' => 102400, + ]; + + /** @var string[] */ + private $env = []; + + /** @var string */ + private $method; + + /** @var string|null */ + private $inputString; + + /** @var bool */ + private $doIncludeStderr = false; + + /** @var bool */ + private $doLogStderr = false; + + /** @var bool */ + private $everExecuted = false; + + /** @var string|false */ + private $cgroup = false; + + /** + * bitfield with restrictions + * + * @var int + */ + protected $restrictions = 0; + + /** + * Constructor. Don't call directly, instead use Shell::command() + * + * @throws ShellDisabledError + */ + public function __construct() { + if ( Shell::isDisabled() ) { + throw new ShellDisabledError(); + } + + $this->setLogger( new NullLogger() ); + } + + /** + * Destructor. Makes sure programmer didn't forget to execute the command after all + */ + public function __destruct() { + if ( !$this->everExecuted ) { + $context = [ 'command' => $this->command ]; + $message = __CLASS__ . " was instantiated, but execute() was never called."; + if ( $this->method ) { + $message .= ' Calling method: {method}.'; + $context['method'] = $this->method; + } + $message .= ' Command: {command}'; + $this->logger->warning( $message, $context ); + } + } + + /** + * Adds parameters to the command. All parameters are sanitized via Shell::escape(). + * Null values are ignored. + * + * @param string|string[] $args,... + * @return $this + */ + public function params( /* ... */ ) { + $args = func_get_args(); + if ( count( $args ) === 1 && is_array( reset( $args ) ) ) { + // If only one argument has been passed, and that argument is an array, + // treat it as a list of arguments + $args = reset( $args ); + } + $this->command = trim( $this->command . ' ' . Shell::escape( $args ) ); + + return $this; + } + + /** + * Adds unsafe parameters to the command. These parameters are NOT sanitized in any way. + * Null values are ignored. + * + * @param string|string[] $args,... + * @return $this + */ + public function unsafeParams( /* ... */ ) { + $args = func_get_args(); + if ( count( $args ) === 1 && is_array( reset( $args ) ) ) { + // If only one argument has been passed, and that argument is an array, + // treat it as a list of arguments + $args = reset( $args ); + } + $args = array_filter( $args, + function ( $value ) { + return $value !== null; + } + ); + $this->command = trim( $this->command . ' ' . implode( ' ', $args ) ); + + return $this; + } + + /** + * Sets execution limits + * + * @param array $limits Associative array of limits. Keys (all optional): + * filesize (for ulimit -f), memory, time, walltime. + * @return $this + */ + public function limits( array $limits ) { + if ( !isset( $limits['walltime'] ) && isset( $limits['time'] ) ) { + // Emulate the behavior of old wfShellExec() where walltime fell back on time + // if the latter was overridden and the former wasn't + $limits['walltime'] = $limits['time']; + } + $this->limits = $limits + $this->limits; + + return $this; + } + + /** + * Sets environment variables which should be added to the executed command environment + * + * @param string[] $env array of variable name => value + * @return $this + */ + public function environment( array $env ) { + $this->env = $env; + + return $this; + } + + /** + * Sets calling function for profiler. By default, the caller for execute() will be used. + * + * @param string $method + * @return $this + */ + public function profileMethod( $method ) { + $this->method = $method; + + return $this; + } + + /** + * Sends the provided input to the command. + * When set to null (default), the command will use the standard input. + * @param string|null $inputString + * @return $this + */ + public function input( $inputString ) { + $this->inputString = is_null( $inputString ) ? null : (string)$inputString; + + return $this; + } + + /** + * Controls whether stderr should be included in stdout, including errors from limit.sh. + * Default: don't include. + * + * @param bool $yesno + * @return $this + */ + public function includeStderr( $yesno = true ) { + $this->doIncludeStderr = $yesno; + + return $this; + } + + /** + * When enabled, text sent to stderr will be logged with a level of 'error'. + * + * @param bool $yesno + * @return $this + */ + public function logStderr( $yesno = true ) { + $this->doLogStderr = $yesno; + + return $this; + } + + /** + * Sets cgroup for this command + * + * @param string|false $cgroup Absolute file path to the cgroup, or false to not use a cgroup + * @return $this + */ + public function cgroup( $cgroup ) { + $this->cgroup = $cgroup; + + return $this; + } + + /** + * Set additional restrictions for this request + * + * @since 1.31 + * @param int $restrictions + * @return $this + */ + public function restrict( $restrictions ) { + $this->restrictions |= $restrictions; + + return $this; + } + + /** + * Bitfield helper on whether a specific restriction is enabled + * + * @param int $restriction + * + * @return bool + */ + protected function hasRestriction( $restriction ) { + return ( $this->restrictions & $restriction ) === $restriction; + } + + /** + * If called, only the files/directories that are + * whitelisted will be available to the shell command. + * + * limit.sh will always be whitelisted + * + * @param string[] $paths + * + * @return $this + */ + public function whitelistPaths( array $paths ) { + // Default implementation is a no-op + return $this; + } + + /** + * String together all the options and build the final command + * to execute + * + * @param string $command Already-escaped command to run + * @return array [ command, whether to use log pipe ] + */ + protected function buildFinalCommand( $command ) { + $envcmd = ''; + foreach ( $this->env as $k => $v ) { + if ( wfIsWindows() ) { + /* Surrounding a set in quotes (method used by wfEscapeShellArg) makes the quotes themselves + * appear in the environment variable, so we must use carat escaping as documented in + * https://technet.microsoft.com/en-us/library/cc723564.aspx + * Note however that the quote isn't listed there, but is needed, and the parentheses + * are listed there but doesn't appear to need it. + */ + $envcmd .= "set $k=" . preg_replace( '/([&|()<>^"])/', '^\\1', $v ) . '&& '; + } else { + /* Assume this is a POSIX shell, thus required to accept variable assignments before the command + * http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_09_01 + */ + $envcmd .= "$k=" . escapeshellarg( $v ) . ' '; + } + } + + $useLogPipe = false; + $cmd = $envcmd . trim( $command ); + + if ( is_executable( '/bin/bash' ) ) { + $time = intval( $this->limits['time'] ); + $wallTime = intval( $this->limits['walltime'] ); + $mem = intval( $this->limits['memory'] ); + $filesize = intval( $this->limits['filesize'] ); + + if ( $time > 0 || $mem > 0 || $filesize > 0 || $wallTime > 0 ) { + $cmd = '/bin/bash ' . escapeshellarg( __DIR__ . '/limit.sh' ) . ' ' . + escapeshellarg( $cmd ) . ' ' . + escapeshellarg( + "MW_INCLUDE_STDERR=" . ( $this->doIncludeStderr ? '1' : '' ) . ';' . + "MW_CPU_LIMIT=$time; " . + 'MW_CGROUP=' . escapeshellarg( $this->cgroup ) . '; ' . + "MW_MEM_LIMIT=$mem; " . + "MW_FILE_SIZE_LIMIT=$filesize; " . + "MW_WALL_CLOCK_LIMIT=$wallTime; " . + "MW_USE_LOG_PIPE=yes" + ); + $useLogPipe = true; + } + } + if ( !$useLogPipe && $this->doIncludeStderr ) { + $cmd .= ' 2>&1'; + } + + return [ $cmd, $useLogPipe ]; + } + + /** + * Executes command. Afterwards, getExitCode() and getOutput() can be used to access execution + * results. + * + * @return Result + * @throws Exception + * @throws ProcOpenError + * @throws ShellDisabledError + */ + public function execute() { + $this->everExecuted = true; + + $profileMethod = $this->method ?: wfGetCaller(); + + list( $cmd, $useLogPipe ) = $this->buildFinalCommand( $this->command ); + + $this->logger->debug( __METHOD__ . ": $cmd" ); + + // Don't try to execute commands that exceed Linux's MAX_ARG_STRLEN. + // Other platforms may be more accomodating, but we don't want to be + // accomodating, because very long commands probably include user + // input. See T129506. + if ( strlen( $cmd ) > SHELL_MAX_ARG_STRLEN ) { + throw new Exception( __METHOD__ . + '(): total length of $cmd must not exceed SHELL_MAX_ARG_STRLEN' ); + } + + $desc = [ + 0 => $this->inputString === null ? [ 'file', 'php://stdin', 'r' ] : [ 'pipe', 'r' ], + 1 => [ 'pipe', 'w' ], + 2 => [ 'pipe', 'w' ], + ]; + if ( $useLogPipe ) { + $desc[3] = [ 'pipe', 'w' ]; + } + $pipes = null; + $scoped = Profiler::instance()->scopedProfileIn( __FUNCTION__ . '-' . $profileMethod ); + $proc = proc_open( $cmd, $desc, $pipes ); + if ( !$proc ) { + $this->logger->error( "proc_open() failed: {command}", [ 'command' => $cmd ] ); + throw new ProcOpenError(); + } + + $buffers = [ + 0 => $this->inputString, // input + 1 => '', // stdout + 2 => null, // stderr + 3 => '', // log + ]; + $emptyArray = []; + $status = false; + $logMsg = false; + + /* According to the documentation, it is possible for stream_select() + * to fail due to EINTR. I haven't managed to induce this in testing + * despite sending various signals. If it did happen, the error + * message would take the form: + * + * stream_select(): unable to select [4]: Interrupted system call (max_fd=5) + * + * where [4] is the value of the macro EINTR and "Interrupted system + * call" is string which according to the Linux manual is "possibly" + * localised according to LC_MESSAGES. + */ + $eintr = defined( 'SOCKET_EINTR' ) ? SOCKET_EINTR : 4; + $eintrMessage = "stream_select(): unable to select [$eintr]"; + + /* The select(2) system call only guarantees a "sufficiently small write" + * can be made without blocking. And on Linux the read might block too + * in certain cases, although I don't know if any of them can occur here. + * Regardless, set all the pipes to non-blocking to avoid T184171. + */ + foreach ( $pipes as $pipe ) { + stream_set_blocking( $pipe, false ); + } + + $running = true; + $timeout = null; + $numReadyPipes = 0; + + while ( $pipes && ( $running === true || $numReadyPipes !== 0 ) ) { + if ( $running ) { + $status = proc_get_status( $proc ); + // If the process has terminated, switch to nonblocking selects + // for getting any data still waiting to be read. + if ( !$status['running'] ) { + $running = false; + $timeout = 0; + } + } + + // clear get_last_error without actually raising an error + // from http://php.net/manual/en/function.error-get-last.php#113518 + // TODO replace with clear_last_error when requirements are bumped to PHP7 + set_error_handler( function () { + }, 0 ); + // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged + @trigger_error( '' ); + restore_error_handler(); + + $readPipes = wfArrayFilterByKey( $pipes, function ( $fd ) use ( $desc ) { + return $desc[$fd][0] === 'pipe' && $desc[$fd][1] === 'r'; + } ); + $writePipes = wfArrayFilterByKey( $pipes, function ( $fd ) use ( $desc ) { + return $desc[$fd][0] === 'pipe' && $desc[$fd][1] === 'w'; + } ); + // stream_select parameter names are from the POV of us being able to do the operation; + // proc_open desriptor types are from the POV of the process doing it. + // So $writePipes is passed as the $read parameter and $readPipes as $write. + // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged + $numReadyPipes = @stream_select( $writePipes, $readPipes, $emptyArray, $timeout ); + if ( $numReadyPipes === false ) { + $error = error_get_last(); + if ( strncmp( $error['message'], $eintrMessage, strlen( $eintrMessage ) ) == 0 ) { + continue; + } else { + trigger_error( $error['message'], E_USER_WARNING ); + $logMsg = $error['message']; + break; + } + } + foreach ( $writePipes + $readPipes as $fd => $pipe ) { + // True if a pipe is unblocked for us to write into, false if for reading from + $isWrite = array_key_exists( $fd, $readPipes ); + + if ( $isWrite ) { + // Don't bother writing if the buffer is empty + if ( $buffers[$fd] === '' ) { + fclose( $pipes[$fd] ); + unset( $pipes[$fd] ); + continue; + } + $res = fwrite( $pipe, $buffers[$fd], 65536 ); + } else { + $res = fread( $pipe, 65536 ); + } + + if ( $res === false ) { + $logMsg = 'Error ' . ( $isWrite ? 'writing to' : 'reading from' ) . ' pipe'; + break 2; + } + + if ( $res === '' || $res === 0 ) { + // End of file? + if ( feof( $pipe ) ) { + fclose( $pipes[$fd] ); + unset( $pipes[$fd] ); + } + } elseif ( $isWrite ) { + $buffers[$fd] = (string)substr( $buffers[$fd], $res ); + if ( $buffers[$fd] === '' ) { + fclose( $pipes[$fd] ); + unset( $pipes[$fd] ); + } + } else { + $buffers[$fd] .= $res; + if ( $fd === 3 && strpos( $res, "\n" ) !== false ) { + // For the log FD, every line is a separate log entry. + $lines = explode( "\n", $buffers[3] ); + $buffers[3] = array_pop( $lines ); + foreach ( $lines as $line ) { + $this->logger->info( $line ); + } + } + } + } + } + + foreach ( $pipes as $pipe ) { + fclose( $pipe ); + } + + // Use the status previously collected if possible, since proc_get_status() + // just calls waitpid() which will not return anything useful the second time. + if ( $running ) { + $status = proc_get_status( $proc ); + } + + if ( $logMsg !== false ) { + // Read/select error + $retval = -1; + proc_close( $proc ); + } elseif ( $status['signaled'] ) { + $logMsg = "Exited with signal {$status['termsig']}"; + $retval = 128 + $status['termsig']; + proc_close( $proc ); + } else { + if ( $status['running'] ) { + $retval = proc_close( $proc ); + } else { + $retval = $status['exitcode']; + proc_close( $proc ); + } + if ( $retval == 127 ) { + $logMsg = "Possibly missing executable file"; + } elseif ( $retval >= 129 && $retval <= 192 ) { + $logMsg = "Probably exited with signal " . ( $retval - 128 ); + } + } + + if ( $logMsg !== false ) { + $this->logger->warning( "$logMsg: {command}", [ 'command' => $cmd ] ); + } + + if ( $buffers[2] && $this->doLogStderr ) { + $this->logger->error( "Error running {command}: {error}", [ + 'command' => $cmd, + 'error' => $buffers[2], + 'exitcode' => $retval, + 'exception' => new Exception( 'Shell error' ), + ] ); + } + + return new Result( $retval, $buffers[1], $buffers[2] ); + } +} diff --git a/www/wiki/includes/shell/CommandFactory.php b/www/wiki/includes/shell/CommandFactory.php new file mode 100644 index 00000000..b4b9b921 --- /dev/null +++ b/www/wiki/includes/shell/CommandFactory.php @@ -0,0 +1,114 @@ +<?php +/** + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * http://www.gnu.org/copyleft/gpl.html + * + * @file + */ + +namespace MediaWiki\Shell; + +use ExecutableFinder; +use Psr\Log\LoggerAwareTrait; +use Psr\Log\NullLogger; + +/** + * Factory facilitating dependency injection for Command + * + * @since 1.30 + */ +class CommandFactory { + use LoggerAwareTrait; + + /** @var array */ + private $limits; + + /** @var string|bool */ + private $cgroup; + + /** @var bool */ + private $doLogStderr = false; + + /** + * @var string|bool + */ + private $restrictionMethod; + + /** + * @var string|bool + */ + private $firejail; + + /** + * Constructor + * + * @param array $limits See {@see Command::limits()} + * @param string|bool $cgroup See {@see Command::cgroup()} + * @param string|bool $restrictionMethod + */ + public function __construct( array $limits, $cgroup, $restrictionMethod ) { + $this->limits = $limits; + $this->cgroup = $cgroup; + if ( $restrictionMethod === 'autodetect' ) { + // On Linux systems check for firejail + if ( PHP_OS === 'Linux' && $this->findFirejail() !== false ) { + $this->restrictionMethod = 'firejail'; + } else { + $this->restrictionMethod = false; + } + } else { + $this->restrictionMethod = $restrictionMethod; + } + $this->setLogger( new NullLogger() ); + } + + private function findFirejail() { + if ( $this->firejail === null ) { + $this->firejail = ExecutableFinder::findInDefaultPaths( 'firejail' ); + } + + return $this->firejail; + } + + /** + * When enabled, text sent to stderr will be logged with a level of 'error'. + * + * @param bool $yesno + * @see Command::logStderr + */ + public function logStderr( $yesno = true ) { + $this->doLogStderr = $yesno; + } + + /** + * Instantiates a new Command + * + * @return Command + */ + public function create() { + if ( $this->restrictionMethod === 'firejail' ) { + $command = new FirejailCommand( $this->findFirejail() ); + $command->restrict( Shell::RESTRICT_DEFAULT ); + } else { + $command = new Command(); + } + $command->setLogger( $this->logger ); + + return $command + ->limits( $this->limits ) + ->cgroup( $this->cgroup ) + ->logStderr( $this->doLogStderr ); + } +} diff --git a/www/wiki/includes/shell/FirejailCommand.php b/www/wiki/includes/shell/FirejailCommand.php new file mode 100644 index 00000000..d8189304 --- /dev/null +++ b/www/wiki/includes/shell/FirejailCommand.php @@ -0,0 +1,160 @@ +<?php +/** + * Copyright (C) 2017 Kunal Mehta <legoktm@member.fsf.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + */ + +namespace MediaWiki\Shell; + +use RuntimeException; + +/** + * Restricts execution of shell commands using firejail + * + * @see https://firejail.wordpress.com/ + * @since 1.31 + */ +class FirejailCommand extends Command { + + /** + * @var string Path to firejail + */ + private $firejail; + + /** + * @var string[] + */ + private $whitelistedPaths = []; + + /** + * @param string $firejail Path to firejail + */ + public function __construct( $firejail ) { + parent::__construct(); + $this->firejail = $firejail; + } + + /** + * @inheritDoc + */ + public function whitelistPaths( array $paths ) { + $this->whitelistedPaths = array_merge( $this->whitelistedPaths, $paths ); + return $this; + } + + /** + * @inheritDoc + */ + protected function buildFinalCommand( $command ) { + // If there are no restrictions, don't use firejail + if ( $this->restrictions === 0 ) { + $splitCommand = explode( ' ', $command, 2 ); + $this->logger->debug( + "firejail: Command {$splitCommand[0]} {params} has no restrictions", + [ 'params' => isset( $splitCommand[1] ) ? $splitCommand[1] : '' ] + ); + return parent::buildFinalCommand( $command ); + } + + if ( $this->firejail === false ) { + throw new RuntimeException( 'firejail is enabled, but cannot be found' ); + } + // quiet has to come first to prevent firejail from adding + // any output. + $cmd = [ $this->firejail, '--quiet' ]; + // Use a profile that allows people to add local overrides + // if their system is setup in an incompatible manner. Also it + // prevents any default profiles from running. + // FIXME: Doesn't actually override command-line switches? + $cmd[] = '--profile=' . __DIR__ . '/firejail.profile'; + + // By default firejail hides all other user directories, so if + // MediaWiki is inside a home directory (/home) but not the + // current user's home directory, pass --allusers to whitelist + // the home directories again. + static $useAllUsers = null; + if ( $useAllUsers === null ) { + global $IP; + // In case people are doing funny things with symlinks + // or relative paths, resolve them all. + $realIP = realpath( $IP ); + $currentUser = posix_getpwuid( posix_geteuid() ); + $useAllUsers = ( strpos( $realIP, '/home/' ) === 0 ) + && ( strpos( $realIP, $currentUser['dir'] ) !== 0 ); + if ( $useAllUsers ) { + $this->logger->warning( 'firejail: MediaWiki is located ' . + 'in a home directory that does not belong to the ' . + 'current user, so allowing access to all home ' . + 'directories (--allusers)' ); + } + } + + if ( $useAllUsers ) { + $cmd[] = '--allusers'; + } + + if ( $this->whitelistedPaths ) { + // Always whitelist limit.sh + $cmd[] = '--whitelist=' . __DIR__ . '/limit.sh'; + foreach ( $this->whitelistedPaths as $whitelistedPath ) { + $cmd[] = "--whitelist={$whitelistedPath}"; + } + } + + if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) { + $cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE ); + } + + if ( $this->hasRestriction( Shell::NO_ROOT ) ) { + $cmd[] = '--noroot'; + } + + $useSeccomp = $this->hasRestriction( Shell::SECCOMP ); + $extraSeccomp = []; + + if ( $this->hasRestriction( Shell::NO_EXECVE ) ) { + $extraSeccomp[] = 'execve'; + // Normally firejail will run commands in a bash shell, + // but that won't work if we ban the execve syscall, so + // run the command without a shell. + $cmd[] = '--shell=none'; + } + + if ( $useSeccomp ) { + $seccomp = '--seccomp'; + if ( $extraSeccomp ) { + // The "@default" seccomp group will always be enabled + $seccomp .= '=' . implode( ',', $extraSeccomp ); + } + $cmd[] = $seccomp; + } + + if ( $this->hasRestriction( Shell::PRIVATE_DEV ) ) { + $cmd[] = '--private-dev'; + } + + if ( $this->hasRestriction( Shell::NO_NETWORK ) ) { + $cmd[] = '--net=none'; + } + + $builtCmd = implode( ' ', $cmd ); + + // Prefix the firejail command in front of the wanted command + return parent::buildFinalCommand( "$builtCmd -- {$command}" ); + } + +} diff --git a/www/wiki/includes/shell/Result.php b/www/wiki/includes/shell/Result.php new file mode 100644 index 00000000..a105cd12 --- /dev/null +++ b/www/wiki/includes/shell/Result.php @@ -0,0 +1,76 @@ +<?php +/** + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * http://www.gnu.org/copyleft/gpl.html + * + * @file + */ + +namespace MediaWiki\Shell; + +/** + * Returned by MediaWiki\Shell\Command::execute() + * + * @since 1.30 + */ +class Result { + /** @var int */ + private $exitCode; + + /** @var string */ + private $stdout; + + /** @var string|null */ + private $stderr; + + /** + * @param int $exitCode + * @param string $stdout + * @param string|null $stderr + */ + public function __construct( $exitCode, $stdout, $stderr = null ) { + $this->exitCode = $exitCode; + $this->stdout = $stdout; + $this->stderr = $stderr; + } + + /** + * Returns exit code of the process + * + * @return int + */ + public function getExitCode() { + return $this->exitCode; + } + + /** + * Returns stdout of the process + * + * @return string + */ + public function getStdout() { + return $this->stdout; + } + + /** + * Returns stderr of the process or null if the Command was configured to add stderr to stdout + * with includeStderr( true ) + * + * @return string|null + */ + public function getStderr() { + return $this->stderr; + } +} diff --git a/www/wiki/includes/shell/Shell.php b/www/wiki/includes/shell/Shell.php new file mode 100644 index 00000000..742e1424 --- /dev/null +++ b/www/wiki/includes/shell/Shell.php @@ -0,0 +1,251 @@ +<?php +/** + * Class used for executing shell commands + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * http://www.gnu.org/copyleft/gpl.html + * + * @file + */ + +namespace MediaWiki\Shell; + +use Hooks; +use MediaWiki\MediaWikiServices; + +/** + * Executes shell commands + * + * @since 1.30 + * + * Use call chaining with this class for expressiveness: + * $result = Shell::command( 'some command' ) + * ->input( 'foo' ) + * ->environment( [ 'ENVIRONMENT_VARIABLE' => 'VALUE' ] ) + * ->limits( [ 'time' => 300 ] ) + * ->execute(); + * + * ... = $result->getExitCode(); + * ... = $result->getStdout(); + * ... = $result->getStderr(); + */ +class Shell { + + /** + * Apply a default set of restrictions for improved + * security out of the box. + * + * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS + * + * @note This value will change over time to provide increased security + * by default, and is not guaranteed to be backwards-compatible. + * @since 1.31 + */ + const RESTRICT_DEFAULT = 39; + + /** + * Disallow any root access. Any setuid binaries + * will be run without elevated access. + * + * @since 1.31 + */ + const NO_ROOT = 1; + + /** + * Use seccomp to block dangerous syscalls + * @see <https://en.wikipedia.org/wiki/seccomp> + * + * @since 1.31 + */ + const SECCOMP = 2; + + /** + * Create a private /dev + * + * @since 1.31 + */ + const PRIVATE_DEV = 4; + + /** + * Restrict the request to have no + * network access + * + * @since 1.31 + */ + const NO_NETWORK = 8; + + /** + * Deny execve syscall with seccomp + * @see <https://en.wikipedia.org/wiki/exec_(system_call)> + * + * @since 1.31 + */ + const NO_EXECVE = 16; + + /** + * Deny access to LocalSettings.php (MW_CONFIG_FILE) + * + * @since 1.31 + */ + const NO_LOCALSETTINGS = 32; + + /** + * Don't apply any restrictions + * + * @since 1.31 + */ + const RESTRICT_NONE = 0; + + /** + * Returns a new instance of Command class + * + * @param string|string[] $command String or array of strings representing the command to + * be executed, each value will be escaped. + * Example: [ 'convert', '-font', 'font name' ] would produce "'convert' '-font' 'font name'" + * @return Command + */ + public static function command( $command ) { + $args = func_get_args(); + if ( count( $args ) === 1 && is_array( reset( $args ) ) ) { + // If only one argument has been passed, and that argument is an array, + // treat it as a list of arguments + $args = reset( $args ); + } + $command = MediaWikiServices::getInstance() + ->getShellCommandFactory() + ->create(); + + return $command->params( $args ); + } + + /** + * Check if this class is effectively disabled via php.ini config + * + * @return bool + */ + public static function isDisabled() { + static $disabled = null; + + if ( is_null( $disabled ) ) { + if ( !function_exists( 'proc_open' ) ) { + wfDebug( "proc_open() is disabled\n" ); + $disabled = true; + } else { + $disabled = false; + } + } + + return $disabled; + } + + /** + * Version of escapeshellarg() that works better on Windows. + * + * Originally, this fixed the incorrect use of single quotes on Windows + * (https://bugs.php.net/bug.php?id=26285) and the locale problems on Linux in + * PHP 5.2.6+ (bug backported to earlier distro releases of PHP). + * + * @param string $args,... strings to escape and glue together, or a single array of + * strings parameter. Null values are ignored. + * @return string + */ + public static function escape( /* ... */ ) { + $args = func_get_args(); + if ( count( $args ) === 1 && is_array( reset( $args ) ) ) { + // If only one argument has been passed, and that argument is an array, + // treat it as a list of arguments + $args = reset( $args ); + } + + $first = true; + $retVal = ''; + foreach ( $args as $arg ) { + if ( $arg === null ) { + continue; + } + if ( !$first ) { + $retVal .= ' '; + } else { + $first = false; + } + + if ( wfIsWindows() ) { + // Escaping for an MSVC-style command line parser and CMD.EXE + // Refs: + // * https://web.archive.org/web/20020708081031/http://mailman.lyra.org/pipermail/scite-interest/2002-March/000436.html + // * https://technet.microsoft.com/en-us/library/cc723564.aspx + // * T15518 + // * CR r63214 + // Double the backslashes before any double quotes. Escape the double quotes. + $tokens = preg_split( '/(\\\\*")/', $arg, -1, PREG_SPLIT_DELIM_CAPTURE ); + $arg = ''; + $iteration = 0; + foreach ( $tokens as $token ) { + if ( $iteration % 2 == 1 ) { + // Delimiter, a double quote preceded by zero or more slashes + $arg .= str_replace( '\\', '\\\\', substr( $token, 0, -1 ) ) . '\\"'; + } elseif ( $iteration % 4 == 2 ) { + // ^ in $token will be outside quotes, need to be escaped + $arg .= str_replace( '^', '^^', $token ); + } else { // $iteration % 4 == 0 + // ^ in $token will appear inside double quotes, so leave as is + $arg .= $token; + } + $iteration++; + } + // Double the backslashes before the end of the string, because + // we will soon add a quote + $m = []; + if ( preg_match( '/^(.*?)(\\\\+)$/', $arg, $m ) ) { + $arg = $m[1] . str_replace( '\\', '\\\\', $m[2] ); + } + + // Add surrounding quotes + $retVal .= '"' . $arg . '"'; + } else { + $retVal .= escapeshellarg( $arg ); + } + } + return $retVal; + } + + /** + * Generate a Command object to run a MediaWiki CLI script. + * Note that $parameters should be a flat array and an option with an argument + * should consist of two consecutive items in the array (do not use "--option value"). + * + * @param string $script MediaWiki CLI script with full path + * @param string[] $parameters Arguments and options to the script + * @param array $options Associative array of options: + * 'php': The path to the php executable + * 'wrapper': Path to a PHP wrapper to handle the maintenance script + * @return Command + */ + public static function makeScriptCommand( $script, $parameters, $options = [] ) { + global $wgPhpCli; + // Give site config file a chance to run the script in a wrapper. + // The caller may likely want to call wfBasename() on $script. + Hooks::run( 'wfShellWikiCmd', [ &$script, &$parameters, &$options ] ); + $cmd = isset( $options['php'] ) ? [ $options['php'] ] : [ $wgPhpCli ]; + if ( isset( $options['wrapper'] ) ) { + $cmd[] = $options['wrapper']; + } + $cmd[] = $script; + + return self::command( $cmd ) + ->params( $parameters ) + ->restrict( self::RESTRICT_DEFAULT & ~self::NO_LOCALSETTINGS ); + } +} diff --git a/www/wiki/includes/shell/firejail.profile b/www/wiki/includes/shell/firejail.profile new file mode 100644 index 00000000..07f059ba --- /dev/null +++ b/www/wiki/includes/shell/firejail.profile @@ -0,0 +1,7 @@ +# Firejail profile used by MediaWiki when shelling out +# See <https://firejail.wordpress.com/features-3/man-firejail-profile/> for +# syntax documentation +# Persistent local customizations +include /etc/firejail/mediawiki.local +# Persistent global definitions +include /etc/firejail/globals.local diff --git a/www/wiki/includes/shell/limit.sh b/www/wiki/includes/shell/limit.sh new file mode 100755 index 00000000..d71e6603 --- /dev/null +++ b/www/wiki/includes/shell/limit.sh @@ -0,0 +1,122 @@ +#!/bin/bash +# +# Resource limiting wrapper for command execution +# +# Why is this in shell script? Because bash has a setrlimit() wrapper +# and is available on most Linux systems. If Perl was distributed with +# BSD::Resource included, we would happily use that instead, but it isn't. + +# Clean up cgroup +cleanup() { + # First we have to move the current task into a "garbage" group, otherwise + # the cgroup will not be empty, and attempting to remove it will fail with + # "Device or resource busy" + if [ -w "$MW_CGROUP"/tasks ]; then + GARBAGE="$MW_CGROUP" + else + GARBAGE="$MW_CGROUP"/garbage-`id -un` + if [ ! -e "$GARBAGE" ]; then + mkdir -m 0700 "$GARBAGE" + fi + fi + echo $BASHPID > "$GARBAGE"/tasks + + # Suppress errors in case the cgroup has disappeared due to a release script + rmdir "$MW_CGROUP"/$$ 2>/dev/null +} + +updateTaskCount() { + # There are lots of ways to count lines in a file in shell script, but this + # is one of the few that doesn't create another process, which would + # increase the returned number of tasks. + readarray < "$MW_CGROUP"/$$/tasks + NUM_TASKS=${#MAPFILE[*]} +} + +log() { + echo limit.sh: "$*" >&3 + echo limit.sh: "$*" >&2 +} + +MW_INCLUDE_STDERR= +MW_USE_LOG_PIPE= +MW_CPU_LIMIT=0 +MW_CGROUP= +MW_MEM_LIMIT=0 +MW_FILE_SIZE_LIMIT=0 +MW_WALL_CLOCK_LIMIT=0 + +# Override settings +eval "$2" + +if [ -n "$MW_INCLUDE_STDERR" ]; then + exec 2>&1 +fi +if [ -z "$MW_USE_LOG_PIPE" ]; then + # Open a dummy log FD + exec 3>/dev/null +fi + +if [ "$MW_CPU_LIMIT" -gt 0 ]; then + ulimit -t "$MW_CPU_LIMIT" +fi +if [ "$MW_MEM_LIMIT" -gt 0 ]; then + if [ -n "$MW_CGROUP" ]; then + # Create cgroup + if ! mkdir -m 0700 "$MW_CGROUP"/$$; then + log "failed to create the cgroup." + MW_CGROUP="" + fi + fi + if [ -n "$MW_CGROUP" ]; then + echo $$ > "$MW_CGROUP"/$$/tasks + if [ -n "$MW_CGROUP_NOTIFY" ]; then + echo "1" > "$MW_CGROUP"/$$/notify_on_release + fi + # Memory + echo $(($MW_MEM_LIMIT*1024)) > "$MW_CGROUP"/$$/memory.limit_in_bytes + # Memory+swap + # This will be missing if there is no swap + if [ -e "$MW_CGROUP"/$$/memory.memsw.limit_in_bytes ]; then + echo $(($MW_MEM_LIMIT*1024)) > "$MW_CGROUP"/$$/memory.memsw.limit_in_bytes + fi + else + ulimit -v "$MW_MEM_LIMIT" + fi +else + MW_CGROUP="" +fi +if [ "$MW_FILE_SIZE_LIMIT" -gt 0 ]; then + ulimit -f "$MW_FILE_SIZE_LIMIT" +fi +if [ "$MW_WALL_CLOCK_LIMIT" -gt 0 -a -x "/usr/bin/timeout" ]; then + /usr/bin/timeout $MW_WALL_CLOCK_LIMIT /bin/bash -c "$1" 3>&- + STATUS="$?" + if [ "$STATUS" == 124 ]; then + log "timed out executing command \"$1\"" + fi +else + eval "$1" 3>&- + STATUS="$?" +fi + +if [ -n "$MW_CGROUP" ]; then + updateTaskCount + + if [ $NUM_TASKS -gt 1 ]; then + # Spawn a monitor process which will continue to poll for completion + # of all processes in the cgroup after termination of the parent shell + ( + while [ $NUM_TASKS -gt 1 ]; do + sleep 10 + updateTaskCount + done + cleanup + ) >&/dev/null < /dev/null 3>&- & + disown -a + else + cleanup + fi +fi +exit "$STATUS" + |