Run evaluation of inlined quotes in secured sandbox

Author: nicolasstucki

compiler/src/dotty/tools/dotc/transform/Splicer.scala

@@ -6,6 +6,7 @@ import dotty.tools.dotc.core.Contexts._
 import dotty.tools.dotc.core.Decorators._
 import dotty.tools.dotc.core.quoted._
 import dotty.tools.dotc.interpreter._
+import dotty.tools.dotc.util.Sandbox
 
 import scala.util.control.NonFatal
 
@@ -28,7 +29,7 @@ object Splicer {
   private def reflectiveSplice(tree: Tree)(implicit ctx: Context): Tree = {
     val interpreter = new Interpreter
     val interpreted =
-      try interpreter.interpretTree[scala.quoted.Expr[_]](tree)
+      try Sandbox.runInSecuredThread(interpreter.interpretTree[scala.quoted.Expr[_]](tree))
       catch { case ex: InvocationTargetException => handleTargetException(tree, ex); None }
     interpreted.fold(tree)(PickledQuotes.quotedExprToTree)
   }

compiler/src/dotty/tools/dotc/util/Sandbox.scala

@@ -0,0 +1,80 @@
+package dotty.tools.dotc.util
+
+import java.io.FilePermission
+import java.lang.reflect.{InvocationTargetException, ReflectPermission}
+import java.security.Permission
+
+import scala.quoted.QuoteError
+
+object Sandbox {
+
+  /** Timeout in milliseconds */
+  final val timeout = 3000 // TODO add a flag to allow custom timeouts
+
+  def runInSecuredThread[T](thunk: => T): T = {
+    // Implementation assumes single threaded
+    val oldSecurityManager = System.getSecurityManager
+    try {
+      val securityManager = new SandboxSecurityManager
+      System.setSecurityManager(securityManager)
+      class SandboxThread extends Thread {
+        var result: scala.util.Try[T] =
+          scala.util.Failure(new Exception("Sandbox failed with a fatal error"))
+        override def run(): Unit = {
+          result = scala.util.Try {
+            securityManager.enable() // Enable security manager on this thread
+            thunk
+          }
+        }
+      }
+      val thread = new SandboxThread
+      thread.start()
+      thread.join(timeout)
+      if (thread.isAlive) {
+        // TODO kill the thread?
+        throw new InvocationTargetException(new QuoteError(s"Failed to evaluate inlined quote. Caused by timeout ($timeout ms)."))
+      } else thread.result.fold[T](throw _, identity)
+    } finally {
+      System.setSecurityManager(oldSecurityManager)
+    }
+  }
+
+  private class SandboxSecurityManager extends SecurityManager {
+    private[this] val enabledFlag: ThreadLocal[Boolean] = new ThreadLocal[Boolean]() {
+      override protected def initialValue(): Boolean = false
+    }
+
+    def enable(): Unit = {
+      enabledFlag.set(true)
+    }
+
+    override def checkPermission(permission: Permission): Unit = {
+      if (enabledFlag.get()) {
+        permission match {
+          case permission: FilePermission if permission.getActions == "read" && isClassLoading =>
+            // allow file reads in the class loader
+          case _: RuntimePermission if isClassLoading =>
+            // allow runtime permission in the class loader
+          case _: ReflectPermission =>
+            // allow reflection, needed for interpreter
+            // TODO restrict more?
+          case _ => super.checkPermission(permission)
+        }
+      }
+    }
+
+    override def checkPermission(permission: Permission, context: Object): Unit = {
+      if (enabledFlag.get())
+        super.checkPermission(permission, context)
+    }
+
+    private def isClassLoading: Boolean = {
+      try {
+        enabledFlag.set(false) // Disable security do the check
+        Thread.currentThread().getStackTrace.exists(elem => elem.getClassName == "java.lang.ClassLoader")
+      } finally {
+        enabledFlag.set(true)
+      }
+    }
+  }
+}

tests/neg/quote-security-1/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    System.setSecurityManager(null)
+    '(1)
+  }
+}

tests/neg/quote-security-1/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setSecurityManager")
+  }
+}

tests/neg/quote-security-2/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    (new File("dfsdafsd")).exists()
+    '(1)
+  }
+}

tests/neg/quote-security-2/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by: access denied ("java.util.PropertyPermission" "user.dir" "read")
+  }
+}

tests/neg/quote-security-3/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    (new File("dfsdafsd")).createNewFile()
+    '(1)
+  }
+}

tests/neg/quote-security-3/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by: access denied ("java.util.PropertyPermission" "user.dir" "read")
+  }
+}

tests/neg/quote-timeout/Macro_1.scala

@@ -0,0 +1,10 @@
+import java.io.File
+
+import scala.quoted._
+object Macros {
+  inline def foo(): Int = ~fooImpl()
+  def fooImpl(): Expr[Int] = {
+    while (true) ()
+    '(1)
+  }
+}

tests/neg/quote-timeout/Test_2.scala

@@ -0,0 +1,6 @@
+import Macros._
+object Test {
+  def main(args: Array[String]): Unit = {
+    Macros.foo() // error: Failed to evaluate inlined quote. Caused by timeout (3000 ms).
+  }
+}