search

arduino / arduino-cli

Arduino command line tool
https://arduino.github.io/arduino-cli/latest/
GNU General Public License v3.0
4.24k stars 370 forks source link

#include "/dev/random" #2582

Closed Alfrederson closed 2 months ago

Alfrederson commented 2 months ago

Describe the problem

If you include /dev/random, /etc/passwd or any other system file, gcc will happily include it, leading to all sorts of consequences

To reproduce

1- Install the arduino AVR core

./arduino-cli core install arduino:avr

2- Create a test sketch

./arduino-cli sketch new crash

3- Put this thing in the .ino file:

#include "/etc/passwd"
void setup(){

}
void loop(){

}

4- Compile with:

./arduino-cli compile --fqbn arduino:avr:uno /home/chan/crash

5- Output:

In file included from /home/chan/crash/crash.ino:1:0:
/etc/passwd:1:5: error: found ':' in nested-name-specifier, expected '::'
 root:x:0:0:root:/root:/bin/bash
     ^
/etc/passwd:1:1: error: 'root' does not name a type; did you mean 'loop'?
 root:x:0:0:root:/root:/bin/bash
 ^~~~
 loop

Used platform Version Path
arduino:avr   1.8.6   /home/chan/.arduino15/packages/arduino/hardware/avr/1.8.6
Error during build: exit status 1

Expected behavior

This is actually what is expected out of GCC, but if you're running a cloud compiling service, it will mean your system is vulnerable to being taken down by #include "/dev/random" , for example. For example: on Google Cloud Run, this causes a container with the compiler to use up all its available memory and die.

Without making any change to arduino-cli itself, is it possible to sandbox the compile so that it has no access to the file system outside of the libraries directory? I'm assuming there's a linuxy way of doing this, but I'm not that good at linux.

Adding a "include filtering phase" before or after the library detection phase would probably fix it. In what section of the source code could this be implemented?

Arduino CLI version

arduino-cli Version: nightly-20240412 Commit: 2d66dfa Date: 2024-04-12T01:27:41Z

Operating system

Linux

Operating system version

Linux DESKTOP-ACP0IT4 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 GNU/Linux

Additional context

No response

Issue checklist

per1234 commented 2 months ago

Thanks for taking the time to submit a report @Alfrederson. This is out of scope for the Arduino CLI project so I will close this.

If you would like assistance with implementing some sort of filter or sandbox to prevent such a thing in your application, you are welcome to post over on Arduino Forum.