Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Timecap on execution of PAC script #8036

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

subhash-arabhi
Copy link
Contributor

Issue

We need to restrict the PAC scripts with high cpu consumption that could lead to crash

Changes

Added time limit to PAC script execution.
Added a config in ProxySettings - pacScriptTimeout with default value set to 60 sec
Added tests for the same

@matthiasblaesing matthiasblaesing added the Platform [ci] enable platform tests (platform/*) label Dec 22, 2024
Copy link
Contributor

@matthiasblaesing matthiasblaesing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general looks sane to me, but I left two inline comments. Please squash the commits into a single one.

Comment on lines +203 to +204
private static class RPSingleton { private static final RequestProcessor instance = new RequestProcessor(NbPacScriptEvaluator.class.getName(), Runtime.getRuntime().availableProcessors(), true, false); }
private static RequestProcessor getRequestProcessor() { return RPSingleton.instance; }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this complex construct? Why not just

private static final RequestProcessor RP = new RequestProcessor(NbPacScriptEvaluator.class.getName(), Runtime.getRuntime().availableProcessors(), true, false);

This is done all over the code base. The proposed style looks overly complex without clear benefits.

Why the limit to number available processors? For a real PAC script I would expect it to be throttled by network IO (DNS look ups for example). If high CPU usage is the problem (and thus an attacker is expected), I would go with a throughput of 1.

@@ -213,7 +219,8 @@ public NbPacScriptEvaluator(String pacSourceCocde) throws PacParsingException {
@Override
public List<Proxy> findProxyForURL(URI uri) throws PacValidationException {

List<Proxy> jsResultAnalyzed;
AtomicReference<List<Proxy>> resultHolder = new AtomicReference<>(null);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be moved into the else-block. No need to hold it in the outer context.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Platform [ci] enable platform tests (platform/*)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants