SecureContext/src/sandbox.ts at main · iampantherr/SecureContext · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
import { spawn, spawnSync } from "node:child_process";
import { Config } from "./config.js";

// Security constants come from Config — single source of truth
const TIMEOUT_MS  = Config.SANDBOX_TIMEOUT_MS;
const STDOUT_CAP  = Config.SANDBOX_STDOUT_CAP;
const STDERR_CAP  = Config.SANDBOX_STDERR_CAP;
const TRUNCATION_MARKER = "\n[OUTPUT TRUNCATED — exceeded size limit]";

export interface SandboxResult {
  stdout:    string;
  stderr:    string;
  exitCode:  number | null;
  timedOut:  boolean;
  truncated: boolean;
}

// SECURITY: Only PATH is passed — zero credential variables.
// This prevents any code run in the sandbox from reading GH_TOKEN,
// AWS_ACCESS_KEY_ID, ANTHROPIC_API_KEY, or any other env credentials.
const SAFE_ENV: Record<string, string> = { PATH: process.env["PATH"] ?? "/usr/bin:/bin" };

// On Windows, python3 is often a Microsoft Store redirect stub that fails silently.
// Detect the correct Python binary once at startup.
const PYTHON_CMD: string = (() => {
  if (process.platform === "win32") {
    const test = spawnSync("python", ["--version"], {
      env:     SAFE_ENV,
      timeout: 5_000,
      stdio:   "ignore",
    });
    if (test.status === 0 && !test.error) return "python";
  }
  return "python3";
})();

// SECURITY: All code is delivered via stdin, not as a command-line argument.
// Prevents: (1) ENAMETOOLONG crash on long code, (2) code leaking into process list.
const INTERPRETERS: Record<string, readonly string[]> = {
  python:     [PYTHON_CMD],
  python3:    [PYTHON_CMD],
  javascript: ["node", "--input-type=module"],
  js:         ["node", "--input-type=module"],
  bash:       ["bash"],
  sh:         ["bash"],
};

function cap(buf: Buffer, limit: number): { text: string; truncated: boolean } {
  if (buf.length <= limit) return { text: buf.toString("utf8"), truncated: false };
  return { text: buf.subarray(0, limit).toString("utf8") + TRUNCATION_MARKER, truncated: true };
}

// SECURITY: Kill the entire process tree, not just the direct child.
function killProcessTree(child: ReturnType<typeof spawn>): void {
  if (!child.pid) return;
  try {
    if (process.platform === "win32") {
      spawnSync("taskkill", ["/pid", String(child.pid), "/T", "/F"], {
        stdio:   "ignore",
        timeout: 5_000,
      });
    } else {
      process.kill(-child.pid, "SIGKILL");
    }
  } catch {
    try { child.kill("SIGKILL"); } catch {}
  }
}

export async function runInSandbox(
  language: string,
  code: string
): Promise<SandboxResult> {
  const interp = INTERPRETERS[language.toLowerCase()];
  if (!interp) {
    return {
      stdout: "",
      stderr: `Unsupported language: ${language}. Supported: ${Object.keys(INTERPRETERS).join(", ")}`,
      exitCode: 1,
      timedOut: false,
      truncated: false,
    };
  }

  // SECURITY: sanitize null bytes — Node throws ERR_INVALID_ARG_VALUE on \x00 in args
  const safeCode = code.replace(/\x00/g, "\\x00");

  const cmd       = interp[0]!;
  const fixedArgs = interp.slice(1) as string[];

  return new Promise((resolve) => {
    const chunks: { out: Buffer[]; err: Buffer[] } = { out: [], err: [] };
    let outLen    = 0;
    let errLen    = 0;
    let truncated = false;
    let timedOut  = false;
    let settled   = false; // guard: promise resolves exactly once

    function settle(result: SandboxResult): void {
      if (settled) return;
      settled = true;
      resolve(result);
    }

    const child = spawn(cmd, fixedArgs, {
      env:      SAFE_ENV,
      stdio:    ["pipe", "pipe", "pipe"],
      shell:    false, // SECURITY: never shell:true (prevents shell injection)
      detached: process.platform !== "win32", // create process group for killProcessTree
    });

    const timer = setTimeout(() => {
      timedOut = true;
      killProcessTree(child);

      // Node 22 exits with code 13 ("unsettled top-level await") if the event loop
      // drains while a top-level promise is still pending. After killing the child,
      // the `close` event may fire async — but if killProcessTree fails (child already
      // dead, PID not found, etc.) the close event might never come.
      // Resolve immediately on timeout so the event loop is never left dangling.
      // A second `settle` call from the close event is safely ignored.
      const outBuf = Buffer.concat(chunks.out);
      const errBuf = Buffer.concat(chunks.err);
      settle({
        stdout:    cap(outBuf, STDOUT_CAP).text,
        stderr:    cap(errBuf, STDERR_CAP).text,
        exitCode:  null,
        timedOut:  true,
        truncated: truncated || outBuf.length > STDOUT_CAP,
      });
    }, TIMEOUT_MS);

    child.stdout?.on("data", (chunk: Buffer) => {
      if (outLen < STDOUT_CAP) {
        chunks.out.push(chunk);
        outLen += chunk.length;
      } else {
        truncated = true;
      }
    });

    child.stderr?.on("data", (chunk: Buffer) => {
      if (errLen < STDERR_CAP) {
        chunks.err.push(chunk);
        errLen += chunk.length;
      }
    });

    if (child.stdin) {
      child.stdin.write(safeCode, "utf8");
      child.stdin.end();
    }

    // unref so the child doesn't keep the event loop alive after settle() resolves the promise
    child.unref();

    child.on("close", (code) => {
      clearTimeout(timer);
      const outBuf = Buffer.concat(chunks.out);
      const errBuf = Buffer.concat(chunks.err);
      const out    = cap(outBuf, STDOUT_CAP);
      const err    = cap(errBuf, STDERR_CAP);

      settle({
        stdout:    out.text,
        stderr:    err.text,
        exitCode:  code,
        timedOut,
        truncated: truncated || out.truncated || err.truncated,
      });
    });
  });
}

/**
 * Run analysis code against a specific file.
 *
 * Gap 8 fix: TARGET_FILE is delivered via stdin as part of the code string,
 * NOT injected as an env variable or command-line argument. This prevents
 * the file path from appearing in the process argument list (ps aux).
 *
 * The analysis code receives TARGET_FILE as a Python variable set before it runs.
 */
export async function runFileInSandbox(
  filePath: string,
  language: string,
  analysisCode: string
): Promise<SandboxResult> {
  // SECURITY: Deliver TARGET_FILE via stdin (part of the code string), not env or args.
  // JSON.stringify safely escapes backslashes, quotes, and special chars in the path.
  const wrappedCode = `TARGET_FILE = ${JSON.stringify(filePath)}\n${analysisCode}`;
  return runInSandbox(language, wrappedCode);
}