liuly0322 / l-plugin

L-Plugin for Yunzai-Bot
MIT License

Docker is run without resource limits, so malicious Python code can consume large amounts of system resources and make the server unresponsive #10

Closed UPON-2021 closed 2 years ago

UPON-2021 commented 2 years ago

Runtime environment

[root@iZhp31cfwc53651d4rso65Z ~]# lsb_release  -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description:    CentOS Linux release 7.9.2009 (Core)
Release:    7.9.2009
Codename:   Core
[root@iZhp31cfwc53651d4rso65Z ~]# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                2
On-line CPU(s) list:   0,1
Thread(s) per core:    2
Core(s) per socket:    1
Socket(s):             1
NUMA node(s):          1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 85
Model name:            Intel(R) Xeon(R) Platinum 8269CY CPU @ 2.50GHz
Stepping:              7
CPU MHz:               2500.000
BogoMIPS:              5000.00
Hypervisor vendor:     KVM
Virtualization type:   full
L1d cache:             32K
L1i cache:             32K
L2 cache:              1024K
L3 cache:              36608K
NUMA node0 CPU(s):     0,1
Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 arat avx512_vnni
[root@iZhp31cfwc53651d4rso65Z ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           1734         680         168           0         886         899
Swap:             0           0           0

Input

```python
import os
# Fork bomb: each iteration forks, so the process count doubles until the kernel's limits are hit
while 1:
    os.fork()
```

How it works: https://zh.wikipedia.org/zh-cn/Fork%E7%82%B8%E5%BC%B9#%E9%A2%84%E9%98%B2

Problematic code

https://github.com/liuly0322/l-plugin/blob/main/apps/python.js, line 40

      let { stdout } = await execPromise(`sudo docker run -i --rm ubuntu-python-playground-img < ${fileName}`)

I suggest adding the -m and --cpuset parameters to restrict docker.

liuly0322 commented 2 years ago

Fix adopted by another project, for reference:

https://github.com/dodona-edu/dodona/pull/709

Added --pids-limit 256:

sudo docker run -i --pids-limit 256 --rm ubuntu-python-playground-img

fixed in commit: https://github.com/liuly0322/l-plugin/commit/18fb7f30796c587d5caf1e92d4ca74dd31fc0007