Some quick small fixes

l0go · Jul 1, 2024 · fb6cca8 · fb6cca8
1 parent 2713eb6
commit fb6cca8
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 7 deletions.
diff --git a/Containerfile b/Containerfile
@@ -12,6 +12,7 @@ RUN useradd runner
 RUN haxelib setup /var/haxelib
 RUN mkdir /var/haxe
 RUN chmod 755 /var/haxe
+RUN chmod 755 /var/haxelib
 WORKDIR /app/
 COPY params.hxml /home/runner/params.hxml
 COPY --from=build /app/src/bin/main.js ./

diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ Once upon a time there was a man who made a chatbot that ran arbitrary Haxe code
 1. Install Podman, it is included on Fedora Server installs and presumably most RHEL-based distros
 2. Run the magic command to download and run the container:
 ```bash
-podman run --rm -p=1337:1111 --mount type=tmpfs,destination=/var/haxelib,tmpfs-size=500000000 --read-only haxesandbox:latest
+podman run --rm -p=1337:1111 --mount type=tmpfs,destination=/var/haxelib,tmpfs-size=500000000 --mount type=tmpfs,destination=/var/haxe,tmpfs-size=500000000 --read-only --read-only-tmpfs=False ghcr.io/l0go/haxesandbox:latest
 ```
 - Alternatively if you wish to run the container on server boot, you can utilize systemd's Quadlet feature. Just copy ``etc/haxesandbox.container`` in this repository to ``/etc/containers/systemd/`` and run ``systemctl daemon-reload``. This will generate a systemd service.
 3. Send a request to the server

diff --git a/etc/haxesandbox.container b/etc/haxesandbox.container
@@ -4,8 +4,10 @@ Description=Use podman to run untrusted Haxe code in a read-only container
 [Container]
 Image=ghcr.io/l0go/haxesandbox:latest
 ReadOnly=true
+ReadOnlyTmpfs=false
 PublishPort=1337:1111
 Mount=type=tmpfs,destination=/var/haxelib,tmpfs-size=500000000
+Mount=type=tmpfs,destination=/var/haxe,tmpfs-size=500000000
 
 [Install]
 WantedBy=multi-user.target
diff --git a/src/Main.hx b/src/Main.hx
@@ -42,17 +42,16 @@ class Main {
 
 					switch (body.action) {
 						case Run:
-							var r: Response;
 							if (body.action != Run) throw "Invalid Action";
 							runHaxe(body.input, body.hxml ?? "", (output) -> {
-								r = {
+								final r = {
 									status: Ok,
 									output: output,
 								}
 								sendResponse(response, r);
 								resolve(response);
 							}, (error) -> {
-								r = {
+								final r = {
 									status: OhNo,
 									error: error,
 								};
@@ -61,9 +60,12 @@ class Main {
 							});
 						case HaxelibRun:
 							ChildProcess.exec("haxelib " + body.input, null, (_, stdout, stderr) -> {
-								var r: Response = {
-									status: stderr != "" ? Ok : OhNo,
+								var r: Response = if (stderr.trim() == "") {
+									status: Ok,
 									output: (cast stdout : js.node.Buffer).toString(),
+								} else {
+									status: OhNo,
+									error: (cast stderr : js.node.Buffer).toString(),
 								};
 								sendResponse(response, r);
 								resolve(response);
@@ -104,7 +106,7 @@ class Main {
 
 		ChildProcess.exec('runuser -l $user -c "haxe params.hxml $hxml -cp $dir"', {timeout: 10000}, (error, stdout, stderr) -> {
 			if (error?.signal == "SIGTERM") onError("Timed out, try again");
-			if (stderr != "") onError((cast stderr : js.node.Buffer).toString());
+			if (stderr.trim() != "") onError((cast stderr : js.node.Buffer).toString());
 			else onOutput((cast stdout : js.node.Buffer).toString());
 			ChildProcess.exec('rm -rf $dir', null, null);
 		});