Add disableInlineExecution (#4312)
KonstantinTyukalov authored Jun 5, 2023
1 parent 75aa464 commit 5faff7c
Showing 3 changed files with 31 additions and 19 deletions.
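--- a/src/Agent.Sdk/Knob/AgentKnobs.cs
+++ b/src/Agent.Sdk/Knob/AgentKnobs.cs
@@ -439,13 +439,6 @@ public class AgentKnobs
 new EnvironmentKnobSource("AGENT_USE_NODE"),
 new BuiltInDefaultKnobSource(string.Empty));
 
-public static readonly Knob ProcessHandlerSecureArguments = new Knob(
-nameof(ProcessHandlerSecureArguments),
-"Enables passing arguments for process handler secure way",
-new RuntimeKnobSource("AGENT_PH_ENABLE_SECURE_ARGUMENTS"),
-new EnvironmentKnobSource("AGENT_PH_ENABLE_SECURE_ARGUMENTS"),
-new BuiltInDefaultKnobSource("true"));
-
 public static readonly Knob ProcessHandlerTelemetry = new Knob(
 nameof(ProcessHandlerTelemetry),
 "Enables publishing telemetry about processing of arguments for Process Handler",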
31 changes: 19 additions & 12 deletions src/Agent.Worker/Handlers/ProcessHandler.cs
@@ -63,6 +63,14 @@ public async Task RunAsync()

Trace.Info($"Command is rooted: {isCommandRooted}");

var disableInlineExecution = StringUtil.ConvertToBoolean(Data.DisableInlineExecution);
ExecutionContext.Debug($"Disable inline execution: '{disableInlineExecution}'");

if (disableInlineExecution && !File.Exists(command))
{
throw new Exception(StringUtil.Loc("FileNotFound", command));
}

// Determine the working directory.
string workingDirectory;
if (!string.IsNullOrEmpty(Data.WorkingDirectory))
@@ -117,33 +125,32 @@ public async Task RunAsync()
_modifyEnvironment = StringUtil.ConvertToBoolean(Data.ModifyEnvironment);
ExecutionContext.Debug($"Modify environment: '{_modifyEnvironment}'");

var enableSecureArguments = AgentKnobs.ProcessHandlerSecureArguments.GetValue(ExecutionContext).AsBoolean();
ExecutionContext.Debug($"Enable secure arguments: '{enableSecureArguments}'");

// Resolve cmd.exe.
string cmdExe = System.Environment.GetEnvironmentVariable("ComSpec");
if (string.IsNullOrEmpty(cmdExe))
{
cmdExe = "cmd.exe";
}

if (enableSecureArguments)
string cmdExeArgs;
// In this case we don't allow execution of built-in commands.
if (disableInlineExecution)
{
GenerateScriptFile(cmdExe, command, arguments);
cmdExeArgs = $"/c \"{_generatedScriptPath}\"";
}

// Format the input to be invoked from cmd.exe to enable built-in shell commands. For example, RMDIR.
var cmdExeArgs = enableSecureArguments
? $"/c \"{_generatedScriptPath}"
: $"/c \"{command} {arguments}";

cmdExeArgs += _modifyEnvironment && !enableSecureArguments
else
{
// Format the input to be invoked from cmd.exe to enable built-in shell commands. For example, RMDIR.
cmdExeArgs = $"/c \"{command} {arguments}";
cmdExeArgs += _modifyEnvironment
? $" && echo {OutputDelimiter} && set \""
: "\"";
}

// Invoke the process.
ExecutionContext.Debug($"{cmdExe} {cmdExeArgs}");
ExecutionContext.Command($"{command} {arguments}");
ExecutionContext.Command($"{cmdExeArgs}");
using (var processInvoker = HostContext.CreateService<IProcessInvoker>())
{
processInvoker.OutputDataReceived += OnOutputDataReceived;
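Review bot: In the second hunk the generated-script path is now taken only when the task sets `disableInlineExecution`; the removed `AGENT_PH_ENABLE_SECURE_ARGUMENTS` knob had a built-in default of `true`, so any task that leaves the new input unset moves to the `else` branch, where `cmd.exe` is given `/c "{command} {arguments}"` and no escaping of `arguments` is visible in these hunks. That looks like a change of default from the guarded path to the inline one (assuming `StringUtil.ConvertToBoolean` treats a missing input as false), and it should at least be recorded at the branch, e.g. `// Inline path: arguments are interpreted by cmd.exe, including shell metacharacters; set disableInlineExecution to avoid this.` In the first hunk `File.Exists(command)` runs before the working directory is determined, so a non-rooted command is presumably resolved against the agent process's current directory and can fail with `FileNotFound` even though it exists under `workingDirectory`; moving the check after that block, or applying it to the rooted path, would avoid this. `RunAsync` begins and ends outside both hunks.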
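--- a/src/Agent.Worker/TaskManager.cs
+++ b/src/Agent.Worker/TaskManager.cs
@@ -815,6 +815,18 @@ public string WorkingDirectory
 SetInput(nameof(WorkingDirectory), value);
 }
 }
+
+public string DisableInlineExecution
+{
+get
+{
+return GetInput(nameof(DisableInlineExecution));
+}
+set
+{
+SetInput(nameof(DisableInlineExecution), value);
+}
+}
 }
 
 public sealed class AgentPluginHandlerData : HandlerData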
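Review bot: `DisableInlineExecution` is exposed as a raw string with no doc comment, so its accepted values and its effect on ProcessHandler can only be found by reading `RunAsync`. A summary such as `/// <summary>Task input; when it converts to true, ProcessHandler requires the command to be an existing file and runs it through a generated script instead of an inline cmd.exe command line.</summary>` would record that this input selects the guarded execution path. The enclosing class begins outside the hunk.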
