aboutsummaryrefslogtreecommitdiffstats
path: root/tests (follow)
Commit message (Collapse)AuthorAgeLines
* Use more common binary for testing v1 cgroupsGravatar Mark2022-07-09-3/+3
|
* Test v1 cgroups are created as neededGravatar Mark2022-07-04-0/+68
|
* Use new NsJail instance for each test in NsJailArgsTestsGravatar Mark2022-06-07-12/+11
|
* Test NsJail args are set and used when passed to __init__Gravatar Mark2022-06-06-0/+37
|
* Fix NsJail patch for API testsGravatar Mark2022-06-06-1/+1
|
* Add config path & output size args to NsJail classGravatar Mark2022-06-04-3/+3
|
* Add black and isortGravatar MarkKoz2022-06-03-63/+65
|
* Import the WSGI app via the config during testsGravatar MarkKoz2022-06-01-9/+7
| | | | | Relying more on gunicorn and its config parsing will avoid discrepancies between the test and production environments.
* Remove redundant module for creating the WSGI appGravatar MarkKoz2022-05-30-2/+2
|
* Fix 415 error response titleGravatar MarkKoz2022-05-29-1/+1
| | | | The update to Falcon v3 changed its capitalisation.
* Change entrypoint tests to integration testsGravatar MarkKoz2021-12-27-35/+25
| | | | No more mocks!
* Add tests for main()Gravatar MarkKoz2021-12-26-0/+49
|
* Test argument parsing for entry pointGravatar MarkKoz2021-12-26-0/+51
|
* Add a test for #83Gravatar MarkKoz2021-12-21-0/+123
|
* Set NsJail log level to warning during API testsGravatar MarkKoz2021-12-21-0/+3
|
* Fix NsJail args testGravatar MarkKoz2021-12-21-1/+2
| | | | | Dynamically calculate the position of the arguments rather than hard-coding them.
* test: add test_multiprocess_resource_limits to test memory limit sharingGravatar Joe Banks2021-07-17-0/+28
| | | | This test ensures that spawned child processes inherit the same resource group as the parent by spawning 2 child processes which each allocate a 40MB object, it then verifies that one of the child processes was killed with SIGKILL for violating the resource quota.
* test: update pid limit tests to account for new increased limitGravatar Joe Banks2021-07-17-1/+10
|
* chore: Use TestCase.subTestGravatar ToxicKidz2021-05-19-12/+12
|
* chore: Add tests for py_args and ns_jail argsGravatar ToxicKidz2021-05-18-0/+31
|
* Match new unicode eval tests and output to the format and functions of othersGravatar Bast2021-04-08-12/+8
|
* Use PYTHONIOENCODING to enable utf-8 stdout for the nsjail pipe, and handle ↵Gravatar Bast2021-04-06-0/+21
| | | | | | | | | | the potential case where this is bypassable Since snekbox does not run with a tty, stdout is technically raw bytes, and thus incomplete surrogate pairs can be printed without the client application erroring, and instead fail within _consume_stdout when we attempt to decode it to a str. This commit sets the PYTHONIOENCODING environment variable to inform python to open the pipe in utf-8 mode. However, clever use of execl and os.unsetenv() can unset this environment variable, so we add a safety check to _consume_stdout to fail out of parsing output if it contains invalid unicode. This should only happen in deliberate cases, or significant bugs in python or a c library where output is printed to stdout ignoring the python stdout encoding.
* Update flooding test to expect code 143Gravatar Joe Banks2021-03-16-1/+1
| | | | Test was relying on 137 which is SIGKILL, when instead it would receive 143, or SIGTERM.
* Fix patch for DEBUG value during testingGravatar MarkKoz2021-02-04-1/+1
|
* Fix the memory limit test and the import errorGravatar MarkKoz2021-02-04-2/+2
|
* Close file descriptors when subprocess endsGravatar MarkKoz2021-02-04-1/+1
|
* Suppress NsJail info logs during testsGravatar MarkKoz2021-02-04-0/+1
| | | | The logs clutter up the test output way too much.
* Move exit code conversion to main functionGravatar Sebastiaan Zeeff2020-11-21-4/+2
|
* Add test for stdout output truncationGravatar Sebastiaan Zeeff2020-11-21-1/+19
| | | | | | I've added a test that checks if output exceeding the limit is correctly truncated. To make the test more robust, I've defined a constant for the read chunk size.
* Convert negative exit codes into standard formGravatar Sebastiaan Zeeff2020-11-20-1/+1
| | | | | | | When you send a signal `N` to a subprocess using Popen, it will return `-N` as its exit code. As the rest of the code returns signal exit codes as `128 + N`, we convert those negative exit codes into the standard form used by the rest of the code.
* Use SIGKILL instead of SIGTERM to terminate NsJailGravatar Sebastiaan Zeeff2020-11-20-1/+1
| | | | | | This new behavior matches how other limiters terminate the subprocess, resulting in a more consistency in the front-end for the end users as well.
* Limit STDOUT to prevent OOM events in containerGravatar Sebastiaan Zeeff2020-11-20-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Recently, we discovered that for some code inputs, snekbox would get into an OOM event on the container level, seemingly bypassing the memory restrictions laid on code execution by NSJail. After investigating the issue, we identified the culprit to be the STDOUT pipe we use to get output back from NSJail: As output is piped out of the jailed process, it will be gathered outside of the NSJail in the main container process instead. This meant that our initial attempts of limiting the allowed filesize within the NSJail failed, as the OOM happened outside of the jailed environment. To mitigate the issue, I've written a loop that consumes the STDOUT pipe in chunks of 100 characters. Once the size of the accrued output reaches a certain limit (currently set to 1 MB), we send a SIGTERM signal to NSJail to terminate itself. The output up to that point will be relayed back to the caller. A minimal code snippet to trigger the event and the mitigation: ```py while True: print(" ") ``` I've included a test for this vulnerability in `tests/test_nsjail.py`.
* Fix #56: stdout and stderr outputs in wrong orderGravatar MarkKoz2020-01-11-0/+16
|
* Add test for importing numpyGravatar MarkKoz2019-12-28-0/+6
| | | | | This is a test for #53, which fixed numpy failing to import due to using multiple threads by default.
* Test root and direct children are read-onlyGravatar MarkKoz2019-12-28-7/+10
|
* Test shared memory is disabledGravatar MarkKoz2019-12-28-0/+27
| | | | Co-authored-by: 0xf0f <[email protected]>
* Test that the file system is mounted as read onlyGravatar MarkKoz2019-06-27-0/+10
|
* Disable memory swapping and add a memory limit testGravatar MarkKoz2019-06-26-6/+13
| | | | | | | | | If memory swapping was enabled locally, the memory test would fail. Explicitly disabling swapping also removes reliance on the assumption that it'll be disabled in production. * Add a constant for the maximum memory * Simplify the timeout test; it'd otherwise first run out of memory now
* Add a NsJail log parser testGravatar MarkKoz2019-06-22-0/+30
| | | | | * Add support for debug level to log regex * Change type annotation of log_parse to Iterable
* Rewrite NsJail testsGravatar MarkKoz2019-06-22-56/+77
| | | | | | * Fix SIGSEGV test * Add embedded null byte test * Return None for stderr when there's a ValueError
* Merge stdout and stderrGravatar MarkKoz2019-06-15-1/+0
| | | | | | Removes the need for redirecting stderr using contextlib in the input. Furthermore, it captures errors which don't directly come from the input, such as SyntaxErrors.
* Respond to eval with stdout, stderr, and the return codeGravatar MarkKoz2019-06-05-3/+10
| | | | | | | | | The previous implementation limited the client's flexibility in presenting the results of the process. A process can write to both stdout and stderr and do so even when the return code is not 0 or 1. * Return a CompletedProcess from NsJail * Don't check the return code; this should be done client-side now
* Add logging for NsJailGravatar MarkKoz2019-06-05-1/+1
| | | | | | | | | | | NsJail's is configured to log to a temporary file rather than stderr. The contents of the file are parsed using regex after the process exits. When not debugging, some blacklisted messages and most info-level messages are skipped. * Add a snekbox logger * Log the Python code being executed if debugging * Use nested single quotes in a test to fix a linter error
* Merge remote-tracking branch 'origin/revitalisation' into refactor/nsjailGravatar MarkKoz2019-06-05-1/+66
|\
| * Move SnekAPI import back to top of moduleGravatar MarkKoz2019-05-29-1/+2
| |
| * Add API tests for eval resourceGravatar MarkKoz2019-05-29-1/+65
| |
* | Revert "Lint tests"Gravatar MarkKoz2019-05-30-15/+0
| | | | | | | | This reverts commit e75c764f693c3688a59af0d679e0d3e94f003503.
* | Lint testsGravatar MarkKoz2019-05-30-0/+15
| | | | | | | | | | Tests ignore all D1xx warnings because tests shouldn't require docstrings.
* | Add flake8 plugin to only allow double quotesGravatar MarkKoz2019-05-29-23/+23
|/
* Restructure project layoutGravatar MarkKoz2019-03-28-8/+8
| | | | | | | | | * Move all code into a "snekbox" package * Use logging code as __init__.py * Rename Snekbox class to NsJail * Create "site" sub-package * Move templates into this sub-package * Move Flask code into a new snekapp module
generated by cgit v1.2.3 (git 2.39.1) at 2025-10-19 23:49:06 +0000