secure 1.1.0 → 1.1.1

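--- a/data/README.md
+++ b/data/README.md
@@ -39,6 +39,7 @@ Options:
  * :pipe_stdin, :pipe_stdout, :pipe_stderr => A File to pipe the stdin, out ond stderr to
  * :safe => An integer that represents the new safe mode (default 3)
  * :limit_files => Maximum file descriptor the block can open. If you want to say no files, set this to 0
+ * :limit_procs => Maximum number of processes that the user can create. Set this to 0 if you want to ensure no one forks
 
  Errors:
  =======
@@ -57,7 +58,7 @@ How Does it work:
 
  Known Issues:
  =============
- * :limit_memory does not work on OSX (at least whatever version I use), but it does work on linux
+ * :limit_memory and :limit_procs does not work on OSX (at least whatever version I use), but it does work on linux
  * :pipe_stdout is not tested because of some rspec weirdness
  * A block bound before $SAFE is set sees the old safe value. Refer to this for some clue about the reason why this happens: http://blog.sidu.in/2007/11/ruby-blocks-gotchas.html
  * Stdout cannot be piped to a StringIO. You need to open a unix PIPE. There are two reasons for this. The code runs in a child process, so you need to use and IPC mechanism, and a string IO is not recognized as a file at the C level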
@@ -8,12 +8,13 @@ module Secure
8
8
  @timeout = opts[:timeout]
9
9
  @limit_memory = opts[:limit_memory]
10
10
  @limit_cpu = opts[:limit_cpu]
11
+ @limit_files = opts[:limit_files]
12
+ @limit_procs = opts[:limit_procs]
11
13
  @pipe_stdout = opts[:pipe_stdout]
12
14
  @pipe_stderr = opts[:pipe_stderr]
13
15
  @pipe_stdin = opts[:pipe_stdin]
14
16
  @run_before = opts[:run_before]
15
17
  @safe_value = opts[:safe] || 3
16
- @limit_files = opts[:limit_files]
17
18
  end
18
19
 
19
20
  def guard_threads
@@ -24,6 +25,7 @@ module Secure
24
25
  Process::setrlimit(Process::RLIMIT_AS, @limit_memory) if @limit_memory
25
26
  Process::setrlimit(Process::RLIMIT_CPU, @limit_cpu, 2 + @limit_cpu) if @limit_cpu
26
27
  Process::setrlimit(Process::RLIMIT_NOFILE, @limit_files, @limit_files) if @limit_files
28
+ Process::setrlimit(Process::RLIMIT_NPROC, @limit_procs, @limit_procs) if @limit_procs
27
29
  end
28
30
 
29
31
  def redirect_files
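Review bot: The added `Process::setrlimit(Process::RLIMIT_NPROC, @limit_procs, @limit_procs)` line relies on a limit that the kernel accounts per real user ID rather than per sandboxed block, and that Linux does not enforce for a privileged process (root, or one holding CAP_SYS_RESOURCE), so `:limit_procs => 0` only prevents forking when the runner runs as an unprivileged user. On Linux the count also includes threads and every process that user already owns, so a small non-zero value will usually behave like 0. I would document this above the line, e.g. `# RLIMIT_NPROC is per-UID, counts threads, and is not enforced for root: run the sandbox as an unprivileged user`, and consider warning or raising when `Process.uid == 0` and `@limit_procs` is set. The method containing this line starts outside the hunk.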
@@ -1,3 +1,3 @@
1
1
  module Secure
2
- VERSION = "1.1.0"
2
+ VERSION = "1.1.1"
3
3
  end
@@ -94,7 +94,9 @@ module Secure
94
94
 
95
95
  if RUBY_PLATFORM =~ /darwin/
96
96
  pending "should kill a process with too much memory (does not work on OSX)"
97
+ pending "kills a process trying to fork (does not work on OSX)"
97
98
  else
99
+
98
100
  it "should kill a process with too much memory on linux" do
99
101
  response = Runner.new(:limit_memory => 10 * 1024).run do
100
102
  'a' * 10 * 1024
@@ -102,6 +104,17 @@ module Secure
102
104
  response.should_not be_success
103
105
  response.error.should be_a(NoMemoryError)
104
106
  end
107
+
108
+ it "kills a process trying to fork" do
109
+ response = Runner.new(:safe => 0, :limit_procs => 0).run do
110
+ fork do
111
+ exit
112
+ end
113
+ 10
114
+ end
115
+ response.should_not be_success
116
+ response.error.should be_a(ThreadError)
117
+ end
105
118
  end
106
119
 
107
120
  it "kills a process using too much cpu" do
@@ -120,6 +133,7 @@ module Secure
120
133
  response.error.should be_a(Errno::EMFILE)
121
134
  end
122
135
 
136
+
123
137
  it "should not be able to open a file" do
124
138
  response = Runner.new.run do
125
139
  File.open("/etc/passwd")
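Review bot: The new example `kills a process trying to fork` asserts only `response.error.should be_a(ThreadError)`, which may not show that the `fork` call itself was refused. On Linux RLIMIT_NPROC also counts threads, so with `:limit_procs => 0` a thread created by the runner could fail with the same error before the block runs (an inference; the runner's thread handling is not visible on this page). A companion example using `:limit_procs => 0` with a block that never forks would show which of the two is being exercised, and the example should be skipped or fail loudly when the suite runs as root, where the limit is not enforced. The two added blank lines (after `else` and before `should not be able to open a file`) can be dropped.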
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.0
4
+ version: 1.1.1
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -13,7 +13,7 @@ date: 2011-10-26 00:00:00.000000000Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rspec
16
- requirement: &70276562098440 !ruby/object:Gem::Requirement
16
+ requirement: &70151114884720 !ruby/object:Gem::Requirement
17
17
  none: false
18
18
  requirements:
19
19
  - - ~>
@@ -21,10 +21,10 @@ dependencies:
21
21
  version: '2.6'
22
22
  type: :development
23
23
  prerelease: false
24
- version_requirements: *70276562098440
24
+ version_requirements: *70151114884720
25
25
  - !ruby/object:Gem::Dependency
26
26
  name: rake
27
- requirement: &70276562098020 !ruby/object:Gem::Requirement
27
+ requirement: &70151114884300 !ruby/object:Gem::Requirement
28
28
  none: false
29
29
  requirements:
30
30
  - - ! '>='
@@ -32,7 +32,7 @@ dependencies:
32
32
  version: '0'
33
33
  type: :development
34
34
  prerelease: false
35
- version_requirements: *70276562098020
35
+ version_requirements: *70151114884300
36
36
  description: see summary
37
37
  email:
38
38
  - tejas@gja.in