-
Notifications
You must be signed in to change notification settings - Fork 861
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Timecap on execution of PAC script #8036
base: master
Are you sure you want to change the base?
Timecap on execution of PAC script #8036
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general looks sane to me, but I left two inline comments. Please squash the commits into a single one.
private static class RPSingleton { private static final RequestProcessor instance = new RequestProcessor(NbPacScriptEvaluator.class.getName(), Runtime.getRuntime().availableProcessors(), true, false); } | ||
private static RequestProcessor getRequestProcessor() { return RPSingleton.instance; } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why this complex construct? Why not just
private static final RequestProcessor RP = new RequestProcessor(NbPacScriptEvaluator.class.getName(), Runtime.getRuntime().availableProcessors(), true, false);
This is done all over the code base. The proposed style looks overly complex without clear benefits.
Why the limit to number available processors? For a real PAC script I would expect it to be throttled by network IO (DNS look ups for example). If high CPU usage is the problem (and thus an attacker is expected), I would go with a throughput of 1.
@@ -213,7 +219,8 @@ public NbPacScriptEvaluator(String pacSourceCocde) throws PacParsingException { | |||
@Override | |||
public List<Proxy> findProxyForURL(URI uri) throws PacValidationException { | |||
|
|||
List<Proxy> jsResultAnalyzed; | |||
AtomicReference<List<Proxy>> resultHolder = new AtomicReference<>(null); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be moved into the else
-block. No need to hold it in the outer context.
Issue
We need to restrict the PAC scripts with high cpu consumption that could lead to crash
Changes
Added time limit to PAC script execution.
Added a config in ProxySettings - pacScriptTimeout with default value set to 60 sec
Added tests for the same