Run evaluation of inlined quotes in secured sandbox

Author: nicolasstucki

compiler/src/dotty/tools/dotc/transform/Splicer.scala

@@ -3,7 +3,6 @@ package transform
 
 import java.io.{PrintWriter, StringWriter}
 import java.lang.reflect.Method
-import java.net.URLClassLoader
 
 import dotty.tools.dotc.ast.tpd
 import dotty.tools.dotc.core.Contexts._
@@ -14,6 +13,7 @@ import dotty.tools.dotc.core.Names.Name
 import dotty.tools.dotc.core.quoted._
 import dotty.tools.dotc.core.Types._
 import dotty.tools.dotc.core.Symbols._
+import dotty.tools.dotc.util.Sandbox
 
 import scala.util.control.NonFatal
 import dotty.tools.dotc.util.Positions.Position
@@ -73,8 +73,10 @@ object Splicer {
   }
 
   private def evaluateLambda(lambda: Seq[Any] => Object, args: Seq[Any], pos: Position)(implicit ctx: Context): Option[scala.quoted.Expr[Nothing]] = {
-    try Some(lambda(args).asInstanceOf[scala.quoted.Expr[Nothing]])
-    catch {
+    try {
+      val res = Sandbox.runInSecuredThread(lambda(args))
+      Some(res.asInstanceOf[scala.quoted.Expr[Nothing]])
+    } catch {
       case ex: scala.quoted.QuoteError =>
         ctx.error(ex.getMessage, pos)
         None

compiler/src/dotty/tools/dotc/util/Sandbox.scala

@@ -0,0 +1,104 @@
+package dotty.tools.dotc.util
+
+
+import java.lang.reflect.{InvocationTargetException, ReflectPermission}
+import java.security.Permission
+
+import scala.quoted.QuoteError
+
+object Sandbox {
+
+  /** Timeout in milliseconds */
+  final val timeout = 3000 // TODO add a flag to allow custom timeouts
+
+  def runInSecuredThread[T](thunk: => T): T = {
+    runWithSandboxSecurityManager { securityManager =>
+      class SandboxThread extends Thread {
+        var result: scala.util.Try[T] =
+          scala.util.Failure(new Exception("Sandbox failed with a fatal error"))
+        override def run(): Unit = {
+          result = scala.util.Try {
+            securityManager.enable() // Enable security manager on this thread
+            thunk
+          }
+        }
+      }
+      val thread = new SandboxThread
+      thread.start()
+      thread.join(timeout)
+      if (thread.isAlive) {
+        // TODO kill the thread?
+        throw new InvocationTargetException(new QuoteError(s"Failed to evaluate inlined quote. Caused by timeout ($timeout ms)."))
+      } else thread.result.fold[T](throw _, identity)
+    }
+  }
+
+  private def runWithSandboxSecurityManager[T](run: SandboxSecurityManager => T): T = {
+    val ssm: SandboxSecurityManager = synchronized {
+      System.getSecurityManager match {
+        case ssm: SandboxSecurityManager =>
+          assert(ssm.running > 0)
+          ssm.running += 1
+          ssm
+        case sm =>
+          assert(sm == null)
+          val ssm = new SandboxSecurityManager
+          System.setSecurityManager(ssm)
+          ssm
+      }
+    }
+    try run(ssm)
+    finally synchronized {
+      ssm.running -= 1
+      assert(ssm.running >= 0)
+      if (ssm.running == 0) {
+        assert(System.getSecurityManager eq ssm)
+        System.setSecurityManager(null)
+      }
+    }
+  }
+
+  /** A security manager that can be enabled on individual threads.
+   *
+   *  Inspired by https://github.com/alphaloop/selective-security-manager
+   */
+  private class SandboxSecurityManager extends SecurityManager {
+
+    @volatile private[Sandbox] var running: Int = 1
+
+    private[this] val enabledFlag: ThreadLocal[Boolean] = new ThreadLocal[Boolean]() {
+      override protected def initialValue(): Boolean = false
+    }
+
+    def enable(): Unit = {
+      enabledFlag.set(true)
+    }
+
+    override def checkPermission(permission: Permission): Unit = {
+      if (enabledFlag.get()) {
+        permission match {
+          case _: ReflectPermission =>
+            // allow reflection, needed for interpreter
+            // TODO restrict more?
+          case _ if isClassLoading =>
+            // allow any permission in the class loader
+          case _ => super.checkPermission(permission)
+        }
+      }
+    }
+
+    override def checkPermission(permission: Permission, context: Object): Unit = {
+      if (enabledFlag.get())
+        super.checkPermission(permission, context)
+    }
+
+    private def isClassLoading: Boolean = {
+      try {
+        enabledFlag.set(false) // Disable security to do the check
+        Thread.currentThread().getStackTrace.exists(elem => elem.getClassName == "java.lang.ClassLoader")
+      } finally {
+        enabledFlag.set(true)
+      }
+    }
+  }
+}

tests/neg/quote-security-1/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    System.setSecurityManager(null)
+    '(1)
+  }
+}

tests/neg/quote-security-1/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setSecurityManager")
+  }
+}

tests/neg/quote-security-2/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    (new File("dfsdafsd")).exists()
+    '(1)
+  }
+}

tests/neg/quote-security-2/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by: access denied ("java.util.PropertyPermission" "user.dir" "read")
+  }
+}

tests/neg/quote-security-3/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    (new File("dfsdafsd")).createNewFile()
+    '(1)
+  }
+}

tests/neg/quote-security-3/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by: access denied ("java.util.PropertyPermission" "user.dir" "read")
+  }
+}

tests/neg/quote-timeout/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    while (true) ()
+    '(1)
+  }
+}

tests/neg/quote-timeout/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by timeout (3000 ms).
+  }
+}