mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-21 20:47:08 -05:00
[misc] apply review feedback
- move setting into clsi.docker namespace - rename the variable for images to allowedImages / ALLOWED_IMAGES - add an additional check for the image name into the DockerRunner Co-Authored-By: Brian Gough <brian.gough@overleaf.com>
This commit is contained in:
parent
c857371fed
commit
aa02df7b81
8 changed files with 96 additions and 19 deletions
|
@ -220,8 +220,10 @@ module.exports = CompileController = {
|
||||||
const { image } = req.query
|
const { image } = req.query
|
||||||
if (
|
if (
|
||||||
image &&
|
image &&
|
||||||
Settings.allowedImageNamesFlat &&
|
Settings.clsi &&
|
||||||
Settings.allowedImageNamesFlat.indexOf(image) === -1
|
Settings.clsi.docker &&
|
||||||
|
Settings.clsi.docker.allowedImages &&
|
||||||
|
!Settings.clsi.docker.allowedImages.includes(image)
|
||||||
) {
|
) {
|
||||||
return res.status(400).send('invalid image')
|
return res.status(400).send('invalid image')
|
||||||
}
|
}
|
||||||
|
|
|
@ -91,6 +91,13 @@ module.exports = DockerRunner = {
|
||||||
image = `${Settings.texliveImageNameOveride}/${img[2]}`
|
image = `${Settings.texliveImageNameOveride}/${img[2]}`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (
|
||||||
|
Settings.clsi.docker.allowedImages &&
|
||||||
|
!Settings.clsi.docker.allowedImages.includes(image)
|
||||||
|
) {
|
||||||
|
return callback(new Error('image not allowed'))
|
||||||
|
}
|
||||||
|
|
||||||
const options = DockerRunner._getContainerOptions(
|
const options = DockerRunner._getContainerOptions(
|
||||||
command,
|
command,
|
||||||
image,
|
image,
|
||||||
|
|
|
@ -61,7 +61,13 @@ module.exports = RequestParser = {
|
||||||
response.imageName = this._parseAttribute(
|
response.imageName = this._parseAttribute(
|
||||||
'imageName',
|
'imageName',
|
||||||
compile.options.imageName,
|
compile.options.imageName,
|
||||||
{ type: 'string', validValues: settings.allowedImageNamesFlat }
|
{
|
||||||
|
type: 'string',
|
||||||
|
validValues:
|
||||||
|
settings.clsi &&
|
||||||
|
settings.clsi.docker &&
|
||||||
|
settings.clsi.docker.allowedImages
|
||||||
|
}
|
||||||
)
|
)
|
||||||
response.draft = this._parseAttribute('draft', compile.options.draft, {
|
response.draft = this._parseAttribute('draft', compile.options.draft, {
|
||||||
default: false,
|
default: false,
|
||||||
|
|
|
@ -73,16 +73,6 @@ if (process.env.ALLOWED_COMPILE_GROUPS) {
|
||||||
process.exit(1)
|
process.exit(1)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (process.env.ALLOWED_IMAGE_NAMES_FLAT) {
|
|
||||||
try {
|
|
||||||
module.exports.allowedImageNamesFlat = process.env.ALLOWED_IMAGE_NAMES_FLAT.split(
|
|
||||||
' '
|
|
||||||
)
|
|
||||||
} catch (error) {
|
|
||||||
console.error(error, 'could not apply allowed image names setting')
|
|
||||||
process.exit(1)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (process.env.DOCKER_RUNNER) {
|
if (process.env.DOCKER_RUNNER) {
|
||||||
let seccompProfilePath
|
let seccompProfilePath
|
||||||
|
@ -139,6 +129,17 @@ if (process.env.DOCKER_RUNNER) {
|
||||||
process.exit(1)
|
process.exit(1)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (process.env.ALLOWED_IMAGES) {
|
||||||
|
try {
|
||||||
|
module.exports.clsi.docker.allowedImages = process.env.ALLOWED_IMAGES.split(
|
||||||
|
' '
|
||||||
|
)
|
||||||
|
} catch (error) {
|
||||||
|
console.error(error, 'could not apply allowed images setting')
|
||||||
|
process.exit(1)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
module.exports.path.synctexBaseDir = () => '/compile'
|
module.exports.path.synctexBaseDir = () => '/compile'
|
||||||
|
|
||||||
module.exports.path.sandboxedCompilesHostDir = process.env.COMPILES_HOST_DIR
|
module.exports.path.sandboxedCompilesHostDir = process.env.COMPILES_HOST_DIR
|
||||||
|
|
|
@ -3,7 +3,7 @@ version: "2.3"
|
||||||
services:
|
services:
|
||||||
dev:
|
dev:
|
||||||
environment:
|
environment:
|
||||||
ALLOWED_IMAGE_NAMES_FLAT: "quay.io/sharelatex/texlive-full:2017.1"
|
ALLOWED_IMAGES: "quay.io/sharelatex/texlive-full:2017.1"
|
||||||
TEXLIVE_IMAGE: quay.io/sharelatex/texlive-full:2017.1
|
TEXLIVE_IMAGE: quay.io/sharelatex/texlive-full:2017.1
|
||||||
TEXLIVE_IMAGE_USER: "tex"
|
TEXLIVE_IMAGE_USER: "tex"
|
||||||
SHARELATEX_CONFIG: /app/config/settings.defaults.coffee
|
SHARELATEX_CONFIG: /app/config/settings.defaults.coffee
|
||||||
|
@ -19,7 +19,7 @@ services:
|
||||||
|
|
||||||
ci:
|
ci:
|
||||||
environment:
|
environment:
|
||||||
ALLOWED_IMAGE_NAMES_FLAT: ${TEXLIVE_IMAGE}
|
ALLOWED_IMAGES: ${TEXLIVE_IMAGE}
|
||||||
TEXLIVE_IMAGE: quay.io/sharelatex/texlive-full:2017.1
|
TEXLIVE_IMAGE: quay.io/sharelatex/texlive-full:2017.1
|
||||||
TEXLIVE_IMAGE_USER: "tex"
|
TEXLIVE_IMAGE_USER: "tex"
|
||||||
SHARELATEX_CONFIG: /app/config/settings.defaults.coffee
|
SHARELATEX_CONFIG: /app/config/settings.defaults.coffee
|
||||||
|
|
|
@ -306,9 +306,10 @@ describe('CompileController', function() {
|
||||||
.should.equal(true)
|
.should.equal(true)
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('when allowedImageNamesFlat is set', function() {
|
describe('when allowedImages is set', function() {
|
||||||
beforeEach(function() {
|
beforeEach(function() {
|
||||||
this.Settings.allowedImageNamesFlat = [
|
this.Settings.clsi = { docker: {} }
|
||||||
|
this.Settings.clsi.docker.allowedImages = [
|
||||||
'repo/image:tag1',
|
'repo/image:tag1',
|
||||||
'repo/image:tag2'
|
'repo/image:tag2'
|
||||||
]
|
]
|
||||||
|
|
|
@ -273,7 +273,7 @@ describe('DockerRunner', function() {
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
return describe('with image override', function() {
|
describe('with image override', function() {
|
||||||
beforeEach(function() {
|
beforeEach(function() {
|
||||||
this.Settings.texliveImageNameOveride = 'overrideimage.com/something'
|
this.Settings.texliveImageNameOveride = 'overrideimage.com/something'
|
||||||
this.DockerRunner._runAndWaitForContainer = sinon
|
this.DockerRunner._runAndWaitForContainer = sinon
|
||||||
|
@ -296,6 +296,62 @@ describe('DockerRunner', function() {
|
||||||
return image.should.equal('overrideimage.com/something/image:2016.2')
|
return image.should.equal('overrideimage.com/something/image:2016.2')
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
describe('with image restriction', function() {
|
||||||
|
beforeEach(function() {
|
||||||
|
this.Settings.clsi.docker.allowedImages = [
|
||||||
|
'repo/image:tag1',
|
||||||
|
'repo/image:tag2'
|
||||||
|
]
|
||||||
|
this.DockerRunner._runAndWaitForContainer = sinon
|
||||||
|
.stub()
|
||||||
|
.callsArgWith(3, null, (this.output = 'mock-output'))
|
||||||
|
})
|
||||||
|
|
||||||
|
describe('with a valid image', function() {
|
||||||
|
beforeEach(function() {
|
||||||
|
this.DockerRunner.run(
|
||||||
|
this.project_id,
|
||||||
|
this.command,
|
||||||
|
this.directory,
|
||||||
|
'repo/image:tag1',
|
||||||
|
this.timeout,
|
||||||
|
this.env,
|
||||||
|
this.compileGroup,
|
||||||
|
this.callback
|
||||||
|
)
|
||||||
|
})
|
||||||
|
|
||||||
|
it('should setup the container', function() {
|
||||||
|
this.DockerRunner._getContainerOptions.called.should.equal(true)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
describe('with a invalid image', function() {
|
||||||
|
beforeEach(function() {
|
||||||
|
this.DockerRunner.run(
|
||||||
|
this.project_id,
|
||||||
|
this.command,
|
||||||
|
this.directory,
|
||||||
|
'something/different:evil',
|
||||||
|
this.timeout,
|
||||||
|
this.env,
|
||||||
|
this.compileGroup,
|
||||||
|
this.callback
|
||||||
|
)
|
||||||
|
})
|
||||||
|
|
||||||
|
it('should call the callback with an error', function() {
|
||||||
|
const err = new Error('image not allowed')
|
||||||
|
this.callback.called.should.equal(true)
|
||||||
|
this.callback.args[0][0].message.should.equal(err.message)
|
||||||
|
})
|
||||||
|
|
||||||
|
it('should not setup the container', function() {
|
||||||
|
this.DockerRunner._getContainerOptions.called.should.equal(false)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('run with _getOptions', function() {
|
describe('run with _getOptions', function() {
|
||||||
|
|
|
@ -116,7 +116,11 @@ describe('RequestParser', function() {
|
||||||
|
|
||||||
describe('when image restrictions are present', function() {
|
describe('when image restrictions are present', function() {
|
||||||
beforeEach(function() {
|
beforeEach(function() {
|
||||||
this.settings.allowedImageNamesFlat = ['repo/name:tag1', 'repo/name:tag2']
|
this.settings.clsi = { docker: {} }
|
||||||
|
this.settings.clsi.docker.allowedImages = [
|
||||||
|
'repo/name:tag1',
|
||||||
|
'repo/name:tag2'
|
||||||
|
]
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('with imageName set to something invalid', function() {
|
describe('with imageName set to something invalid', function() {
|
||||||
|
|
Loading…
Reference in a new issue