aboutsummaryrefslogtreecommitdiffstats
path: root/tests/test_nsjail.py (follow)
Commit message (Collapse)AuthorAgeLines
* Move exit code conversion to main functionGravatar Sebastiaan Zeeff2020-11-21-4/+2
|
* Add test for stdout output truncationGravatar Sebastiaan Zeeff2020-11-21-1/+19
| | | | | | I've added a test that checks if output exceeding the limit is correctly truncated. To make the test more robust, I've defined a constant for the read chunk size.
* Convert negative exit codes into standard formGravatar Sebastiaan Zeeff2020-11-20-1/+1
| | | | | | | When you send a signal `N` to a subprocess using Popen, it will return `-N` as its exit code. As the rest of the code returns signal exit codes as `128 + N`, we convert those negative exit codes into the standard form used by the rest of the code.
* Use SIGKILL instead of SIGTERM to terminate NsJailGravatar Sebastiaan Zeeff2020-11-20-1/+1
| | | | | | This new behavior matches how other limiters terminate the subprocess, resulting in a more consistency in the front-end for the end users as well.
* Limit STDOUT to prevent OOM events in containerGravatar Sebastiaan Zeeff2020-11-20-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Recently, we discovered that for some code inputs, snekbox would get into an OOM event on the container level, seemingly bypassing the memory restrictions laid on code execution by NSJail. After investigating the issue, we identified the culprit to be the STDOUT pipe we use to get output back from NSJail: As output is piped out of the jailed process, it will be gathered outside of the NSJail in the main container process instead. This meant that our initial attempts of limiting the allowed filesize within the NSJail failed, as the OOM happened outside of the jailed environment. To mitigate the issue, I've written a loop that consumes the STDOUT pipe in chunks of 100 characters. Once the size of the accrued output reaches a certain limit (currently set to 1 MB), we send a SIGTERM signal to NSJail to terminate itself. The output up to that point will be relayed back to the caller. A minimal code snippet to trigger the event and the mitigation: ```py while True: print(" ") ``` I've included a test for this vulnerability in `tests/test_nsjail.py`.
* Fix #56: stdout and stderr outputs in wrong orderGravatar MarkKoz2020-01-11-0/+16
|
* Add test for importing numpyGravatar MarkKoz2019-12-28-0/+6
| | | | | This is a test for #53, which fixed numpy failing to import due to using multiple threads by default.
* Test root and direct children are read-onlyGravatar MarkKoz2019-12-28-7/+10
|
* Test shared memory is disabledGravatar MarkKoz2019-12-28-0/+27
| | | | Co-authored-by: 0xf0f <[email protected]>
* Test that the file system is mounted as read onlyGravatar MarkKoz2019-06-27-0/+10
|
* Disable memory swapping and add a memory limit testGravatar MarkKoz2019-06-26-6/+13
| | | | | | | | | If memory swapping was enabled locally, the memory test would fail. Explicitly disabling swapping also removes reliance on the assumption that it'll be disabled in production. * Add a constant for the maximum memory * Simplify the timeout test; it'd otherwise first run out of memory now
* Add a NsJail log parser testGravatar MarkKoz2019-06-22-0/+30
| | | | | * Add support for debug level to log regex * Change type annotation of log_parse to Iterable
* Rewrite NsJail testsGravatar MarkKoz2019-06-22-0/+77
* Fix SIGSEGV test * Add embedded null byte test * Return None for stderr when there's a ValueError
generated by cgit v1.2.3 (git 2.39.1) at 2025-11-03 08:43:13 +0000