src/filesystem/__tests__/PhutilProcessRefTestCase.php
- This file was added.
<?php | |||||
final class PhutilProcessRefTestCase | |||||
extends PhutilTestCase { | |||||
public function testIdentifyOverseerProcess() { | |||||
// Test if various process argument vectors are correctly identified as | |||||
// daemon overseer processes or not. We're hoping to identify legitimate | |||||
amckinley: "correctly"
// daemons and ignore false positives for processes with titles that look | |||||
// similar but are not really daemons, like "grep phd-daemon". | |||||
amckinley: Obviously this isn't robust in the face of an attacker who is deliberately trying to get clever with argv. Also note that you can (in a non-portable way) overwrite an existing process's argv. That said, I don't think there's a practical attack here? If an attacker already controls a sandboxed process and wants to kill it, they don't need to get tricky by making a Phabricator bin script send a signal; they can just crash the process themselves.
epriestley: Yeah, I don't think we have to worry about an adversary writing a process which they trick us into sending a signal to, or an adversary who can edit process titles having difficulty sending a signal. This approach stops an adversary who can edit PID files from tricking us into sending signals to arbitrary processes they do not control.
$tests = array( | |||||
array( | |||||
array('php', 'phd-daemon'), | |||||
true, | |||||
), | |||||
array( | |||||
array('/path/to/php', '/path/to/phd-daemon'), | |||||
true, | |||||
), | |||||
array( | |||||
array('/path/to/phd-daemon'), | |||||
true, | |||||
), | |||||
array( | |||||
array('phd-daemon'), | |||||
true, | |||||
), | |||||
array( | |||||
array('php', 'phd-daemon', '-l', 'instance-label'), | |||||
true, | |||||
), | |||||
array( | |||||
array('grep phd-daemon'), | |||||
false, | |||||
), | |||||
array( | |||||
array('this-is-a-phd-daemon'), | |||||
false, | |||||
), | |||||
); | |||||
foreach ($tests as $case) { | |||||
list($argv, $expect) = $case; | |||||
$ref = id(new PhutilProcessRef()) | |||||
->setArgv($argv); | |||||
$actual = $ref->getIsOverseer(); | |||||
$this->assertEqual( | |||||
$expect, | |||||
$actual, | |||||
pht('argv: %s', implode(' ', $argv))); | |||||
} | |||||
} | |||||
} |
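Review bot: The negative case `array('grep phd-daemon')` passes the whole command as a single argv element, so nothing in `$tests` covers `phd-daemon` as a separate second element after a first element that is not PHP, which is the shape the positive case `array('php', 'phd-daemon')` relies on. Consider adding a split-argv case such as `array('grep', 'phd-daemon')` and an empty `array()` case, each with the expected value the author intends, so the test pins down what `getIsOverseer()` does when the match depends on argument position or when argv could not be read. Since the stated goal is to refuse to signal a process named by a tampered PID file, the doc comment could also say which argv positions are allowed to match.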