Isolate databases/queries from one-another

Cargo.toml

@@ -6,6 +6,7 @@ description = "ayb makes it easy to create, host, and share embedded databases l
 homepage = "https://github.com/marcua/ayb"
 documentation = "https://github.com/marcua/ayb#readme"
 license = "Apache-2.0"
+default-run = "ayb"
 
 [dependencies]
 actix-web = { version = "4.4.0" }
@@ -19,14 +20,14 @@ fernet = { version = "0.2.1" }
 lettre = { version = "0.10.4", features = ["tokio1-native-tls"] }
 quoted_printable = { version = "0.5.0" }
 reqwest = { version = "0.11.22", features = ["json"] }
-rusqlite = { version = "0.27.0", features = ["bundled"] }
+rusqlite = { version = "0.27.0", features = ["bundled", "limits"] }
 regex = { version = "1.10.2"}
 serde = { version = "1.0", features = ["derive"] }
 serde_json = { version = "1.0.108" }
 serde_repr = { version = "0.1.17" }
 sqlx = { version = "0.6.3", features = ["runtime-actix-native-tls", "postgres", "sqlite"] }
 toml = { version = "0.8.8" }
-tokio = { version = "1.35.1", features = ["macros", "rt"] }
+tokio = { version = "1.35.1", features = ["macros", "process", "rt"] }
 prefixed-api-key = { version = "0.1.0", features = ["sha2"]}
 prettytable-rs = { version = "0.10.0"}
 urlencoding = { version = "2.1.3" }
@@ -36,3 +37,11 @@ url = { version = "2.5.0", features = ["serde"] }
 [dev-dependencies]
 assert_cmd = "2.0"
 assert-json-diff = "2.0.2"
+
+[[bin]]
+name = "ayb"
+path = "src/bin/ayb.rs"
+
+[[bin]]
+name = "ayb_isolated_runner"
+path = "src/bin/ayb_isolated_runner.rs"

scripts/build_nsjail.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+git clone https://github.com/google/nsjail.git nsjail-checkout
+cd nsjail-checkout
+make
+mv nsjail ..
+cd ..
+rm -rf nsjail-checkout
+

src/bin/ayb_isolated_runner.rs

@@ -0,0 +1,16 @@
+use ayb::hosted_db::sqlite::query_sqlite;
+use serde_json;
+use std::env;
+use std::path::PathBuf;
+
+fn main() -> Result<(), serde_json::Error> {
+    let args: Vec<String> = env::args().collect();
+    let db_file = &args[1];
+    let query = (&args[2..]).to_vec();
+    let result = query_sqlite(&PathBuf::from(db_file), &query.join(" "));
+    match result {
+        Ok(result) => println!("{}", serde_json::to_string(&result)?),
+        Err(error) => eprintln!("{}", serde_json::to_string(&error)?),
+    }
+    Ok(())
+}

src/hosted_db.rs

@@ -1,9 +1,11 @@
 pub mod paths;
-mod sqlite;
+mod sandbox;
+pub mod sqlite;
 
 use crate::ayb_db::models::DBType;
 use crate::error::AybError;
 use crate::hosted_db::sqlite::run_sqlite_query;
+use crate::http::structs::AybConfigIsolation;
 use prettytable::{format, Cell, Row, Table};
 use serde::{Deserialize, Serialize};
 use std::path::PathBuf;
@@ -53,9 +55,14 @@ impl QueryResult {
     }
 }
 
-pub fn run_query(path: &PathBuf, query: &str, db_type: &DBType) -> Result<QueryResult, AybError> {
+pub async fn run_query(
+    path: &PathBuf,
+    query: &str,
+    db_type: &DBType,
+    isolation: &Option<AybConfigIsolation>,
+) -> Result<QueryResult, AybError> {
     match db_type {
-        DBType::Sqlite => Ok(run_sqlite_query(path, query)?),
+        DBType::Sqlite => Ok(run_sqlite_query(path, query, isolation).await?),
         _ => Err(AybError::Other {
             message: "Unsupported DB type".to_string(),
         }),

src/hosted_db/paths.rs

@@ -6,13 +6,22 @@ pub fn database_path(
     entity_slug: &str,
     database_slug: &str,
     data_path: &str,
+    create_database: bool,
 ) -> Result<PathBuf, AybError> {
     let mut path: PathBuf = [data_path, entity_slug].iter().collect();
-    if let Err(e) = fs::create_dir_all(&path) {
-        return Err(AybError::Other {
-            message: format!("Unable to create entity path for {}: {}", entity_slug, e),
-        });
+    if create_database {
+        if let Err(e) = fs::create_dir_all(&path) {
+            return Err(AybError::Other {
+                message: format!("Unable to create entity path for {}: {}", entity_slug, e),
+            });
+        }
     }
+
     path.push(database_slug);
+
+    if create_database && !path.exists() {
+        fs::File::create(path.clone())?;
+    }
+
     Ok(path)
 }

src/hosted_db/sandbox.rs

@@ -0,0 +1,120 @@
+/* Retrieved and modified from
+  https://raw.githubusercontent.com/Defelo/sandkasten/83f629175d02ebc70fbb16b8b9e05663ea67ccc7/src/sandbox.rs
+  On December 6, 2023.
+  Original license: MIT.
+*/
+
+use crate::error::AybError;
+use serde::{Deserialize, Serialize};
+use std::env::current_exe;
+use std::fs::canonicalize;
+use std::{
+    path::{Path, PathBuf},
+    process::Stdio,
+};
+use tokio::io::{AsyncReadExt, BufReader};
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct RunResult {
+    /// The exit code of the processes.
+    pub status: i32,
+    /// The stdout output the process produced.
+    pub stdout: String,
+    /// The stderr output the process produced.
+    pub stderr: String,
+}
+
+pub async fn run_in_sandbox(
+    nsjail: &Path,
+    db_path: &PathBuf,
+    query: &str,
+) -> Result<RunResult, AybError> {
+    let mut cmd = tokio::process::Command::new(nsjail);
+
+    cmd.arg("--really_quiet") // log fatal messages only
+        .arg("--iface_no_lo")
+        .args(["--mode", "o"]) // run once
+        .args(["--hostname", "ayb"])
+        .args(["--bindmount_ro", "/lib:/lib"])
+        .args(["--bindmount_ro", "/lib64:/lib64"])
+        .args(["--bindmount_ro", "/usr:/usr"])
+        .args(["--mount", "none:/tmp:tmpfs:size=100000000"]) // TODO(marcua): Restrict disk size more configurably?
+        // TODO(marcua): Set resource limits more configurably?
+        .args(["--max_cpus", "1"])
+        .args(["--rlimit_as", "64"]) // in MB
+        .args(["--time_limit", "10"]) // in seconds
+        .args(["--rlimit_fsize", "75"]) // in MB
+        .args(["--rlimit_nofile", "10"])
+        .args(["--rlimit_nproc", "2"]);
+
+    // Generate a /local/path/to/file:/tmp/file mapping.
+    let absolute_db_path = canonicalize(db_path)?;
+    let db_file_name = absolute_db_path
+        .file_name()
+        .ok_or(AybError::Other {
+            message: format!("Invalid DB path {}", absolute_db_path.display()),
+        })?
+        .to_str()
+        .ok_or(AybError::Other {
+            message: format!("Invalid DB path {}", absolute_db_path.display()),
+        })?;
+    let tmp_db_path = Path::new("/tmp").join(db_file_name);
+    let db_file_mapping = format!("{}:{}", absolute_db_path.display(), tmp_db_path.display());
+    cmd.args(["--bindmount", &db_file_mapping]);
+
+    // Generate a /local/path/to/ayb_isolated_runner:/tmp/ayb_isolated_runner mapping.
+    let ayb_path = current_exe()?;
+    let isolated_runner_path = ayb_path
+        .parent()
+        .ok_or(AybError::Other {
+            message: format!(
+                "Unable to find parent directory of ayb from {}",
+                ayb_path.display()
+            ),
+        })?
+        .join("ayb_isolated_runner");
+    cmd.args([
+        "--bindmount_ro",
+        &format!(
+            "{}:/tmp/ayb_isolated_runner",
+            isolated_runner_path.display()
+        ),
+    ]);
+
+    let mut child = cmd
+        .arg("--")
+        .arg("/tmp/ayb_isolated_runner")
+        .arg(tmp_db_path)
+        .arg(query)
+        .stdout(Stdio::piped())
+        .stderr(Stdio::piped())
+        .stdin(Stdio::piped())
+        .spawn()?;
+
+    let stdout_reader = BufReader::new(child.stdout.take().unwrap());
+    let stderr_reader = BufReader::new(child.stderr.take().unwrap());
+
+    let output = child.wait_with_output().await?;
+
+    // read stdout and stderr from process
+    let mut stdout = Vec::new();
+    let mut stderr = Vec::new();
+    stdout_reader
+        .take(1024 * 1024 * 1024)
+        .read_to_end(&mut stdout)
+        .await?;
+    stderr_reader
+        .take(1024 * 1024 * 1024)
+        .read_to_end(&mut stderr)
+        .await?;
+    let stdout = String::from_utf8_lossy(&stdout).into_owned();
+    let stderr = String::from_utf8_lossy(&stderr).into_owned();
+
+    Ok(RunResult {
+        status: output.status.code().ok_or(AybError::Other {
+            message: "Process exited with signal".to_string(),
+        })?,
+        stdout,
+        stderr,
+    })
+}

src/hosted_db/sqlite.rs

@@ -1,11 +1,22 @@
 use crate::error::AybError;
-use crate::hosted_db::QueryResult;
-use rusqlite;
+use crate::hosted_db::{sandbox::run_in_sandbox, QueryResult};
+use crate::http::structs::AybConfigIsolation;
+use rusqlite::config::DbConfig;
+use rusqlite::limits::Limit;
 use rusqlite::types::ValueRef;
-use std::path::PathBuf;
+use serde_json;
+use std::path::{Path, PathBuf};
 
-pub fn run_sqlite_query(path: &PathBuf, query: &str) -> Result<QueryResult, AybError> {
+pub fn query_sqlite(path: &PathBuf, query: &str) -> Result<QueryResult, AybError> {
     let conn = rusqlite::Connection::open(path)?;
+
+    // Disable the usage of ATTACH
+    // https://www.sqlite.org/lang_attach.html
+    conn.set_limit(Limit::SQLITE_LIMIT_ATTACHED, 0);
+    // Prevent queries from deliberately corrupting the database
+    // https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+    conn.db_config(DbConfig::SQLITE_DBCONFIG_DEFENSIVE)?;
+
     let mut prepared = conn.prepare(query)?;
     let num_columns = prepared.column_count();
     let mut fields: Vec<String> = Vec::new();
@@ -36,3 +47,35 @@ pub fn run_sqlite_query(path: &PathBuf, query: &str) -> Result<QueryResult, AybE
         rows: results,
     })
 }
+
+pub async fn run_sqlite_query(
+    path: &PathBuf,
+    query: &str,
+    isolation: &Option<AybConfigIsolation>,
+) -> Result<QueryResult, AybError> {
+    match isolation {
+        Some(isolation) => {
+            let result = run_in_sandbox(Path::new(&isolation.nsjail_path), path, query).await?;
+
+            if result.stderr.len() > 0 {
+                let error: AybError = serde_json::from_str(&result.stderr)?;
+                Err(error)
+            } else if result.status != 0 {
+                Err(AybError::Other {
+                    message: format!(
+                        "Error status from sandboxed query runner: {}",
+                        result.status.to_string()
+                    ),
+                })
+            } else if result.stdout.len() > 0 {
+                let query_result: QueryResult = serde_json::from_str(&result.stdout)?;
+                Ok(query_result)
+            } else {
+                Err(AybError::Other {
+                    message: "No results from sandboxed query runner".to_string(),
+                })
+            }
+        }
+        None => Ok(query_sqlite(path, query)?.into()),
+    }
+}

src/http/config.rs

@@ -33,6 +33,7 @@ pub fn default_server_config() -> AybConfig {
             origin: "*".to_string(),
         },
         web: None,
+        isolation: None,
     }
 }
 

src/http/endpoints/create_database.rs

@@ -4,9 +4,9 @@ use std::str::FromStr;
 
 use crate::error::AybError;
 
+use crate::hosted_db::paths::database_path;
 use crate::http::permissions::can_create_database;
-use crate::http::structs::{Database as APIDatabase, EntityDatabasePath};
-
+use crate::http::structs::{AybConfig, Database as APIDatabase, EntityDatabasePath};
 use crate::http::utils::{get_header, unwrap_authenticated_entity};
 use actix_web::{post, web, HttpRequest, HttpResponse};
 
@@ -15,6 +15,7 @@ async fn create_database(
     path: web::Path<EntityDatabasePath>,
     req: HttpRequest,
     ayb_db: web::Data<Box<dyn AybDb>>,
+    ayb_config: web::Data<AybConfig>,
     authenticated_entity: Option<web::ReqData<InstantiatedEntity>>,
 ) -> Result<HttpResponse, AybError> {
     let entity_slug = &path.entity;
@@ -28,6 +29,8 @@ async fn create_database(
     let authenticated_entity = unwrap_authenticated_entity(&authenticated_entity)?;
     if can_create_database(&authenticated_entity, &entity) {
         let created_database = ayb_db.create_database(&database).await?;
+        // Create the database file at the appropriate path
+        let _ = database_path(entity_slug, &path.database, &ayb_config.data_path, true)?;
         Ok(HttpResponse::Created().json(APIDatabase::from_persisted(&entity, &created_database)))
     } else {
         Err(AybError::Other {

src/http/endpoints/query.rs

@@ -25,8 +25,8 @@ async fn query(
 
     if can_query(&authenticated_entity, &database) {
         let db_type = DBType::try_from(database.db_type)?;
-        let db_path = database_path(entity_slug, database_slug, &ayb_config.data_path)?;
-        let result = run_query(&db_path, &query, &db_type)?;
+        let db_path = database_path(entity_slug, database_slug, &ayb_config.data_path, false)?;
+        let result = run_query(&db_path, &query, &db_type, &ayb_config.isolation).await?;
         Ok(web::Json(result))
     } else {
         Err(AybError::Other {

src/http/structs.rs

@@ -32,6 +32,11 @@ pub struct AybConfigEmail {
     pub smtp_password: String,
 }
 
+#[derive(Clone, Serialize, Deserialize)]
+pub struct AybConfigIsolation {
+    pub nsjail_path: String,
+}
+
 #[derive(Clone, Serialize, Deserialize)]
 pub struct AybConfig {
     pub host: String,
@@ -43,6 +48,7 @@ pub struct AybConfig {
     pub email: AybConfigEmail,
     pub web: Option<AybConfigWeb>,
     pub cors: AybConfigCors,
+    pub isolation: Option<AybConfigIsolation>,
 }
 
 impl AybConfig {

tests/test-server-config-postgres.toml

@@ -18,3 +18,6 @@ token_expiration_seconds = 3600
 
 [cors]
 origin = "*"
+
+[isolation]
+nsjail_path = "tests/nsjail"

tests/test-server-config-sqlite.toml

@@ -18,3 +18,6 @@ token_expiration_seconds = 3600
 
 [cors]
 origin = "*"
+
+[isolation]
+nsjail_path = "tests/nsjail"