Feature request: Limit script execution time
andreisobchuck opened this issue · 5 comments
It is possible to do DoS attack by writing malicious script which will consume CPU.
Ex:
for x <- data.range(1,1000000) , y <- data.range(1,1000000) , x+y
To prevent similar cases tweakflow interpreter must check for time the script being executing and call a host application callback or raise an exception if timelimit passed.
Yes, running untrusted code is an interesting topic.
You can trigger a DoS in straightforward ways by exhausting time or memory. Using threads, the host application can guard against user code hogging CPU time, as you suggest, but not against excessive memory consumption.
If you find yourself in a situation where you want to run untrusted code, in the sense that a DoS would affect more people than just the attackers themselves, all I can recommend is that you run user code in a separate JVM process. Give that process as much memory as reasonable using JVM command line switches, and communicate with it using sockets, pipes or simple stdio.
Having said that, I'm going to include an example of how to monitor script execution time by running the interpreter in another thread. The interpreter will check if its thread is interrupted, and throw. In case the interrupt does not work because the script hangs in a non-interruptible function, the example is going to kill the thread eventually.
Yes, you are right in that, that only separate jvm process allows fine-grained level of control. On some project in the past I had implemented executing third-party code as processes. It solved problems with memory consumption, infinite loops and unsafe access to files and networks. But that implementation was heavy (for example, included pool of process to serve calls fast and concurrently).
Tweakflow is unique in that that it is safe enough to allow user scripts without bothering myself with issues related to inter-process communication and management. Right now I see only 2 risky areas - memory and cpu (as You absolutely correctly pointed).
I think that time limit, if set small enough, will cover memory area also. Because, a script cannot do allocations fast enough to get around time limit. Does it make sence?
Yes, it makes sense. Pushed 479be1d. Interpreter checks for interrupted status of current thread. Small example on how to effectively limit execution time when evaluating user scripts is included.
Cool. Thank you. We are going to try it!