Run evaluation of inlined quotes in secured sandbox

Author: nicolasstucki

compiler/src/dotty/tools/dotc/transform/Splicer.scala

@@ -6,6 +6,7 @@ import dotty.tools.dotc.core.Contexts._
 import dotty.tools.dotc.core.Decorators._
 import dotty.tools.dotc.core.quoted._
 import dotty.tools.dotc.interpreter._
+import dotty.tools.dotc.util.Sandbox
 
 import scala.util.control.NonFatal
 
@@ -28,7 +29,7 @@ object Splicer {
   private def reflectiveSplice(tree: Tree)(implicit ctx: Context): Tree = {
     val interpreter = new Interpreter
     val interpreted =
-      try interpreter.interpretTree[scala.quoted.Expr[_]](tree)
+      try Sandbox.runInSecuredThread(interpreter.interpretTree[scala.quoted.Expr[_]](tree))
       catch { case ex: InvocationTargetException => handleTargetException(tree, ex); None }
     interpreted.fold(tree)(PickledQuotes.quotedExprToTree)
   }

compiler/src/dotty/tools/dotc/util/Sandbox.scala

@@ -0,0 +1,104 @@
+package dotty.tools.dotc.util
+
+
+import java.lang.reflect.{InvocationTargetException, ReflectPermission}
+import java.security.Permission
+
+import scala.quoted.QuoteError
+
+object Sandbox {
+
+  /** Timeout in milliseconds */
+  final val timeout = 3000 // TODO add a flag to allow custom timeouts
+
+  def runInSecuredThread[T](thunk: => T): T = {
+    runWithSandboxSecurityManager { securityManager =>
+      class SandboxThread extends Thread {
+        var result: scala.util.Try[T] =
+          scala.util.Failure(new Exception("Sandbox failed with a fatal error"))
+        override def run(): Unit = {
+          result = scala.util.Try {
+            securityManager.enable() // Enable security manager on this thread
+            thunk
+          }
+        }
+      }
+      val thread = new SandboxThread
+      thread.start()
+      thread.join(timeout)
+      if (thread.isAlive) {
+        // TODO kill the thread?
+        throw new InvocationTargetException(new QuoteError(s"Failed to evaluate inlined quote. Caused by timeout ($timeout ms)."))
+      } else thread.result.fold[T](throw _, identity)
+    }
+  }
+
+  private def runWithSandboxSecurityManager[T](run: SandboxSecurityManager => T): T = {
+    val ssm: SandboxSecurityManager = synchronized {
+      System.getSecurityManager match {
+        case ssm: SandboxSecurityManager =>
+          assert(ssm.running > 0)
+          ssm.running += 1
+          ssm
+        case sm =>
+          assert(sm == null)
+          val ssm = new SandboxSecurityManager
+          System.setSecurityManager(ssm)
+          ssm
+      }
+    }
+    try run(ssm)
+    finally synchronized {
+      ssm.running -= 1
+      assert(ssm.running >= 0)
+      if (ssm.running == 0) {
+        assert(System.getSecurityManager eq ssm)
+        System.setSecurityManager(null)
+      }
+    }
+  }
+
+  /** A security manager that can be enabled on individual threads.
+   *
+   *  Inspired by https://github.com/alphaloop/selective-security-manager
+   */
+  private class SandboxSecurityManager extends SecurityManager {
+
+    @volatile private[Sandbox] var running: Int = 1
+
+    private[this] val enabledFlag: ThreadLocal[Boolean] = new ThreadLocal[Boolean]() {
+      override protected def initialValue(): Boolean = false
+    }
+
+    def enable(): Unit = {
+      enabledFlag.set(true)
+    }
+
+    override def checkPermission(permission: Permission): Unit = {
+      if (enabledFlag.get()) {
+        permission match {
+          case _: ReflectPermission =>
+            // allow reflection, needed for interpreter
+            // TODO restrict more?
+          case _ if isClassLoading =>
+            // allow any permission in the class loader
+          case _ => super.checkPermission(permission)
+        }
+      }
+    }
+
+    override def checkPermission(permission: Permission, context: Object): Unit = {
+      if (enabledFlag.get())
+        super.checkPermission(permission, context)
+    }
+
+    private def isClassLoading: Boolean = {
+      try {
+        enabledFlag.set(false) // Disable security do the check
+        Thread.currentThread().getStackTrace.exists(elem => elem.getClassName == "java.lang.ClassLoader")
+      } finally {
+        enabledFlag.set(true)
+      }
+    }
+  }
+}

tests/neg/quote-security-1/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    System.setSecurityManager(null)
+    '(1)
+  }
+}

tests/neg/quote-security-1/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setSecurityManager")
+  }
+}

tests/neg/quote-security-2/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    (new File("dfsdafsd")).exists()
+    '(1)
+  }
+}

tests/neg/quote-security-2/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by: access denied ("java.util.PropertyPermission" "user.dir" "read")
+  }
+}

tests/neg/quote-security-3/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    (new File("dfsdafsd")).createNewFile()
+    '(1)
+  }
+}

tests/neg/quote-security-3/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by: access denied ("java.util.PropertyPermission" "user.dir" "read")
+  }
+}

tests/neg/quote-timeout/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    while (true) ()
+    '(1)
+  }
+}

tests/neg/quote-timeout/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by timeout (3000 ms).
+  }
+}