refactor(sandbox): improve sandbox (#10900)
Signed-off-by: Aapo Talvensaari <[email protected]>
bungle committed Dec 16, 2024
1 parent 358fff3 commit 2af3a76
Showing 28 changed files with 1,071 additions and 450 deletions.
2 changes: 1 addition & 1 deletion .luacheckrc
Expand Up @@ -30,7 +30,7 @@ exclude_files = {
"bazel-kong",
}

files["kong/tools/kong-lua-sandbox.lua"] = {
files["kong/tools/sandbox/kong.lua"] = {
read_globals = {
"_ENV",
"table.pack",
12 changes: 11 additions & 1 deletion kong-3.10.0-0.rockspec
Expand Up @@ -194,7 +194,6 @@ build = {
["kong.tools.stream_api"] = "kong/tools/stream_api.lua",
["kong.tools.queue"] = "kong/tools/queue.lua",
["kong.tools.queue_schema"] = "kong/tools/queue_schema.lua",
["kong.tools.sandbox"] = "kong/tools/sandbox.lua",
["kong.tools.uri"] = "kong/tools/uri.lua",
["kong.tools.kong-lua-sandbox"] = "kong/tools/kong-lua-sandbox.lua",
["kong.tools.protobuf"] = "kong/tools/protobuf.lua",
Expand All @@ -217,6 +216,17 @@ build = {
["kong.tools.redis.schema"] = "kong/tools/redis/schema.lua",
["kong.tools.aws_stream"] = "kong/tools/aws_stream.lua",

["kong.tools.sandbox"] = "kong/tools/sandbox/init.lua",
["kong.tools.sandbox.kong"] = "kong/tools/sandbox/kong.lua",
["kong.tools.sandbox.environment"] = "kong/tools/sandbox/environment/init.lua",
["kong.tools.sandbox.environment.handler"] = "kong/tools/sandbox/environment/handler.lua",
["kong.tools.sandbox.environment.lua"] = "kong/tools/sandbox/environment/lua.lua",
["kong.tools.sandbox.environment.schema"] = "kong/tools/sandbox/environment/schema.lua",
["kong.tools.sandbox.require"] = "kong/tools/sandbox/require/init.lua",
["kong.tools.sandbox.require.handler"] = "kong/tools/sandbox/require/handler.lua",
["kong.tools.sandbox.require.lua"] = "kong/tools/sandbox/require/lua.lua",
["kong.tools.sandbox.require.schema"] = "kong/tools/sandbox/require/schema.lua",

["kong.runloop.handler"] = "kong/runloop/handler.lua",
["kong.runloop.events"] = "kong/runloop/events.lua",
["kong.runloop.log_level"] = "kong/runloop/log_level.lua",
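Review bot: The unchanged line `["kong.tools.kong-lua-sandbox"] = "kong/tools/kong-lua-sandbox.lua"` in the first hunk still installs the old sandbox module, while the `.luacheckrc` section moves its per-file override to `kong/tools/sandbox/kong.lua` and this section adds `kong.tools.sandbox.kong` for that path. If the file was moved, the old mapping is stale; if it was kept, a second copy of the sandbox implementation stays requirable and can drift from the maintained one. I would confirm which applies (the files themselves are not visible here) and drop the old entry once nothing requires `kong.tools.kong-lua-sandbox`.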
10 changes: 4 additions & 6 deletions kong.conf.default
Expand Up @@ -1894,9 +1894,10 @@
# them. The sandboxed function has
# restricted access to the global
# environment and only has access
# to standard Lua functions that
# will generally not cause harm to
# the Kong Gateway node.
# to Kong PDK, OpenResty, and
# standard Lua functions that will
# generally not cause harm to the
# Kong Gateway node.
#
# * `on`: Functions have unrestricted
# access to the global environment and
Expand All @@ -1920,9 +1921,6 @@
# functions are not allowed, like:
# `os.execute('rm -rf /*')`.
#
# For a full allowed/disallowed list, see:
# https://github.com/kikito/sandbox.lua/blob/master/sandbox.lua
#
# To customize the sandbox environment, use
# the `untrusted_lua_sandbox_requires` and
# `untrusted_lua_sandbox_environment`
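Review bot: Dropping the "full allowed/disallowed list" pointer in the second hunk leaves this setting with no reference for what sandboxed code can reach, in the same change where the first hunk widens the documented surface to Kong PDK and OpenResty functions. Operators reviewing this setting need that list more now, not less. I would keep a pointer to wherever the list now lives, e.g. `# For the default allowed list, see kong/tools/sandbox/environment/lua.lua` (path taken from the rockspec section; confirm it is the file that holds the list).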
5 changes: 2 additions & 3 deletions kong/db/init.lua
Expand Up @@ -102,7 +102,7 @@ function DB.new(kong_config, strategy)
strategy = strategy,
errors = errors,
infos = connector:infos(),
kong_config = kong_config,
loaded_plugins = kong_config.loaded_plugins, -- left for MigrationsState.load
}

do
Expand Down Expand Up @@ -444,8 +444,7 @@ do
return nil, prefix_err(self, err)
end

local ok, err = self.connector:schema_bootstrap(self.kong_config,
DEFAULT_LOCKS_TTL)
local ok, err = self.connector:schema_bootstrap(DEFAULT_LOCKS_TTL)

self.connector:close()

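Review bot: `schema_bootstrap` is now called with `DEFAULT_LOCKS_TTL` as its only argument, but only the postgres connector's signature change is visible on this page; a connector still declared as `schema_bootstrap(kong_config, default_locks_ttl)` would silently receive the TTL in its `kong_config` slot and `nil` as the TTL. Likewise, any remaining reader of `db.kong_config` now gets `nil`. I would search for both before merging and extend the inline comment to say why the full config is no longer kept, e.g. `-- only loaded_plugins is kept (for MigrationsState.load); the full kong_config is not stored on the DB object`. Whether the motivation is keeping configuration secrets off an object reachable from sandboxed code is my inference from the commit title, so word the comment to match the real reason. Both enclosing functions extend beyond the hunks shown.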
2 changes: 1 addition & 1 deletion kong/db/migrations/state.lua
Expand Up @@ -184,7 +184,7 @@ function State.load(db)

log.debug("loading subsystems migrations...")

local subsystems, err = load_subsystems(db, db.kong_config.loaded_plugins)
local subsystems, err = load_subsystems(db, db.loaded_plugins)
if not subsystems then
return nil, prefix_err(db, err)
end
2 changes: 1 addition & 1 deletion kong/db/strategies/postgres/connector.lua
Expand Up @@ -775,7 +775,7 @@ function _mt:schema_migrations()
end


function _mt:schema_bootstrap(kong_config, default_locks_ttl)
function _mt:schema_bootstrap(default_locks_ttl)
local conn = self:get_stored_connection()
if not conn then
error("no connection")
5 changes: 1 addition & 4 deletions kong/plugins/file-log/handler.lua
Expand Up @@ -24,9 +24,6 @@ local oflags = bit.bor(O_WRONLY, O_CREAT, O_APPEND)
local mode = ffi.new("int", bit.bor(S_IRUSR, S_IWUSR, S_IRGRP, S_IROTH))


local sandbox_opts = { env = { kong = kong, ngx = ngx } }


local C = ffi.C


Expand Down Expand Up @@ -73,7 +70,7 @@ function FileLogHandler:log(conf)
if conf.custom_fields_by_lua then
local set_serialize_value = kong.log.set_serialize_value
for key, expression in pairs(conf.custom_fields_by_lua) do
set_serialize_value(key, sandbox(expression, sandbox_opts)())
set_serialize_value(key, sandbox(expression)())
end
end

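Review bot: `set_serialize_value(key, sandbox(expression)())` invokes the sandbox result with no error handling, so a `custom_fields_by_lua` expression that fails to load or raises at run time would abort `FileLogHandler:log` before the entry is written, unless a caller outside this hunk traps it. With `sandbox_opts` removed, expressions that relied on `kong` or `ngx` members outside the new default environment are the likely case after an upgrade, and a dropped log entry is an audit gap. Consider `local ok, value = pcall(function() return sandbox(expression)() end)`, then `if ok then set_serialize_value(key, value) else kong.log.err(value) end`. The same line appears in the http-log, loggly, syslog, tcp-log and udp-log sections; the function body continues past the hunk.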
4 changes: 1 addition & 3 deletions kong/plugins/http-log/handler.lua
Expand Up @@ -16,8 +16,6 @@ local pairs = pairs
local max = math.max


local sandbox_opts = { env = { kong = kong, ngx = ngx } }

-- Create a function that concatenates multiple JSON objects into a JSON array.
-- This saves us from rendering all entries into one large JSON string.
-- Each invocation of the function returns the next bit of JSON, i.e. the opening
Expand Down Expand Up @@ -183,7 +181,7 @@ function HttpLogHandler:log(conf)
if conf.custom_fields_by_lua then
local set_serialize_value = kong.log.set_serialize_value
for key, expression in pairs(conf.custom_fields_by_lua) do
set_serialize_value(key, sandbox(expression, sandbox_opts)())
set_serialize_value(key, sandbox(expression)())
end
end

5 changes: 1 addition & 4 deletions kong/plugins/loggly/handler.lua
Expand Up @@ -14,9 +14,6 @@ local concat = table.concat
local insert = table.insert


local sandbox_opts = { env = { kong = kong, ngx = ngx } }


local HOSTNAME = get_host_name()
local SENDER_NAME = "kong"
local LOG_LEVELS = {
Expand Down Expand Up @@ -127,7 +124,7 @@ function LogglyLogHandler:log(conf)
if conf.custom_fields_by_lua then
local set_serialize_value = kong.log.set_serialize_value
for key, expression in pairs(conf.custom_fields_by_lua) do
set_serialize_value(key, sandbox(expression, sandbox_opts)())
set_serialize_value(key, sandbox(expression)())
end
end

19 changes: 2 additions & 17 deletions kong/plugins/pre-function/_handler.lua
@@ -1,24 +1,13 @@
local resty_mlcache = require "kong.resty.mlcache"
local sandbox = require "kong.tools.sandbox"
local kong_meta = require "kong.meta"


-- handler file for both the pre-function and post-function plugin


local config_cache do

local no_op = function() end

local shm_name = "kong_db_cache"
local cache_name = "serverless_" .. shm_name
local cache = resty_mlcache.new(cache_name, shm_name, { lru_size = 1e4 })
local sandbox_kong = setmetatable({
cache = cache,
configuration = kong.configuration.remove_sensitive()
}, { __index = kong })

local sandbox_opts = { env = { kong = sandbox_kong, ngx = ngx } }

-- compiles the array for a phase into a single function
local function compile_phase_array(phase_funcs)
if not phase_funcs or #phase_funcs == 0 then
Expand All @@ -28,7 +17,7 @@ local config_cache do
-- compile the functions we got
local compiled = {}
for i, func_string in ipairs(phase_funcs) do
local func = assert(sandbox.sandbox(func_string, sandbox_opts))
local func = assert(sandbox.sandbox(func_string))

local first_run_complete = false
compiled[i] = function()
Expand Down Expand Up @@ -73,11 +62,9 @@ local config_cache do
end
end


local phases = { "certificate", "rewrite", "access",
"header_filter", "body_filter", "log" }


config_cache = setmetatable({}, {
__mode = "k",
__index = function(self, config)
Expand All @@ -96,9 +83,7 @@ local config_cache do
end



return function(priority)

local ServerlessFunction = {
PRIORITY = priority,
VERSION = kong_meta.version,
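Review bot: Nothing at the `sandbox.sandbox(func_string)` call site now shows which `kong` object user-supplied functions receive: the removed `sandbox_kong` wrapper replaced `kong.configuration` with `kong.configuration.remove_sensitive()` and `kong.cache` with a dedicated `serverless_kong_db_cache` mlcache, and both guarantees must now come from the default environment in `kong.tools.sandbox` (not visible on this part of the page). I would add a comment above the call such as `-- default sandbox env supplies a redacted kong.configuration and a separate cache; see kong.tools.sandbox.kong`, after confirming that is the case. A regression test asserting that a sandboxed function cannot read unredacted configuration values or the node's main cache would keep this from regressing silently. `compile_phase_array` continues outside the hunks shown.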
5 changes: 1 addition & 4 deletions kong/plugins/syslog/handler.lua
Expand Up @@ -56,9 +56,6 @@ local FACILITIES = {
local7 = lsyslog.FACILITY_LOCAL7
}

local sandbox_opts = { env = { kong = kong, ngx = ngx } }


local function send_to_syslog(log_level, severity, message, facility)
if LOG_PRIORITIES[severity] <= LOG_PRIORITIES[log_level] then
lsyslog.open(SENDER_NAME, FACILITIES[facility])
Expand Down Expand Up @@ -94,7 +91,7 @@ function SysLogHandler:log(conf)
if conf.custom_fields_by_lua then
local set_serialize_value = kong.log.set_serialize_value
for key, expression in pairs(conf.custom_fields_by_lua) do
set_serialize_value(key, sandbox(expression, sandbox_opts)())
set_serialize_value(key, sandbox(expression)())
end
end

5 changes: 1 addition & 4 deletions kong/plugins/tcp-log/handler.lua
Expand Up @@ -8,9 +8,6 @@ local ngx = ngx
local timer_at = ngx.timer.at


local sandbox_opts = { env = { kong = kong, ngx = ngx } }


local function log(premature, conf, message)
if premature then
return
Expand Down Expand Up @@ -71,7 +68,7 @@ function TcpLogHandler:log(conf)
if conf.custom_fields_by_lua then
local set_serialize_value = kong.log.set_serialize_value
for key, expression in pairs(conf.custom_fields_by_lua) do
set_serialize_value(key, sandbox(expression, sandbox_opts)())
set_serialize_value(key, sandbox(expression)())
end
end

5 changes: 1 addition & 4 deletions kong/plugins/udp-log/handler.lua
Expand Up @@ -9,9 +9,6 @@ local timer_at = ngx.timer.at
local udp = ngx.socket.udp


local sandbox_opts = { env = { kong = kong, ngx = ngx } }


local function log(premature, conf, str)
if premature then
return
Expand Down Expand Up @@ -52,7 +49,7 @@ function UdpLogHandler:log(conf)
if conf.custom_fields_by_lua then
local set_serialize_value = kong.log.set_serialize_value
for key, expression in pairs(conf.custom_fields_by_lua) do
set_serialize_value(key, sandbox(expression, sandbox_opts)())
set_serialize_value(key, sandbox(expression)())
end
end


1 comment on commit 2af3a76

@github-actions
Contributor


Bazel Build

Docker image available kong/kong:2af3a76bb161fa640ae33d5d909b692c423b8612
Artifacts available https://github.com/Kong/kong/actions/runs/12354904482
