"shell" script execution

[avelino]

Today we do not grant access to the file system for executing binaries or scripts, would this be an interesting feature for the open source version of moclojer?

Reference https://github.com/adnanh/webhook

- endpoint:
    method: POST
    path: /with-webhook-exec
    response:
      status: 200
      headers:
        Content-Type: application/json
      body: >
        {"id": 123}
    script:
      sleep-time: 60
      if: 1 = 1
      exec: /bin/bash
      path: /home/moclojer/scripts/check-memory.sh

there may be a security risk; if implementation makes sense, we need to discuss it thoroughly before proceeding

[matheusfrancisco]

why do you think instead of starting with shell/bash we could use https://github.com/babashka/babashka?
but shell is also a valid script to execute.

[avelino]

I'm thinking about the scope of use
there are probably more people who know shell/bash than babashka, if the feature makes sense for the moclojer babashka can be part of the scripts to be executed, but starting with babashka I believe it is limiting the use

[J0sueTM]

@avelino are the commands to be executed static? i.e. are there ways for the webhook request to modify the script being run? for example as arguments.

[avelino]

I didn't think about it, but it would be cool, though risky - I assume that the 'risk' will be taken by the maintainer of the moclojer server (he's the one who wrote the yaml)

[J0sueTM]

Definity not a good idea for production, but probably a good one for local open source users, who are only doing local tests, with no dangerous side-effects.

In that case, I fail to see the possible usecase advantages to running shell scripts, instead of a dynamic clojure script in the response body, or as the webhook trigger.

Anyways, is there ways to prevent malicious execution? I know we can disable this feature on our production servers, but it won't stop other users from enabling it without understand the consequences. I'm thinking of something like a "child playground" shell.

Or maybe, letting the webhook run only files in the classpath, which were previously selected by the user.

[J0sueTM]

Yes, it does. Having the exec arg explicitly written down is enough.

[avelino]

sorry, it's not exec but the script node, I wrote it wrong!

[matheusfrancisco]

@J0sueTM your concern is about security?
In order to prevent security vulnerabilities in the cloud, you can place this script within a container. When the user calls this endpoint, it will run inside a Docker or sandbox environment in the cloud. This is just one of several options for cloud security.

[J0sueTM]

@matheusfrancisco That makes a lot of sense, even in our cloud product.

[matheusfrancisco]

to share, this is a POC I made with Clojure https://github.com/matheusfrancisco/docker-api-through-clojure-poc/blob/main/src/scratch.clj
it is a Clojure code that executes a docker container and runs a Clojure code inside the docker container, I zip the code and send to the docker and then exec. It could be a way to prevent security. (if I'm not wrong serverless do this but they use VM (virtual machine) and the virtual machine execute a container)