fix(builtin): fix node patches subprocess sandbox propogation #2017

Merged: 1 commit, Jul 9, 2020

gregmagolan
Collaborator

@gregmagolan gregmagolan commented Jul 8, 2020

Two fixes here.

  1. Set --preserve-symlinks --preserve-symlinks-main in the generated _node_bin/node which comes from ${process.env.NODE_REPOSITORY_ARGS}. This will prevent the --require /path/to/node_patches.js from being resolved to its location outside of the sandbox.

  2. However, if preserve_symlinks=false, which is still an option, the 2nd fix is to honour the value of NP_SUBPROCESS_NODE_DIR when running node_patches.js for the subprocess. Even if node_patches.js is resolved to outside of the sandbox for the subprocess and runs from there, it will still look for _node_bin/node within the sandbox.

The two fixes will prevent the process.argv[0] && process.execPath from being set to an invalid path outside of the sandbox such as /private/var/tmp/_bazel_gregmagolan/85775d8edd310fbe8df608eb90377ae5/external/build_bazel_rules_nodejs/internal/node/_node_bin/node in internal/node/node_patches.js (which comes from packages/node-patches/src/subprocess.ts):

process.argv[0] = process.execPath = path.join(nodeDir, 'node');

If this does happen then the failure mode is /private/var/tmp/_bazel_gregmagolan/85775d8edd310fbe8df608eb90377ae5/external/build_bazel_rules_nodejs/internal/node/_node_bin/node ENOENT:

ERROR: /Users/gregmagolan/robinhood/rh/bazel/example/web/BUILD.bazel:30:14: Action bazel/example/web/build failed (Exit 1) react-scripts.sh failed: error executing command bazel-out/host/bin/external/bazel_example_web_deps/react-scripts/bin/react-scripts.sh '--node_options=--require=./bazel-out/darwin-fastbuild/bin/bazel/example/web/chdir.js' build ... (remaining 2 argument(s) skipped)

Use --sandbox_debug to see verbose messages from the sandbox
events.js:187
      throw er; // Unhandled 'error' event
      ^

Error: spawn /private/var/tmp/_bazel_gregmagolan/85775d8edd310fbe8df608eb90377ae5/external/build_bazel_rules_nodejs/internal/node/_node_bin/node ENOENT
    at Process.ChildProcess._handle.onexit (internal/child_process.js:264:19)
    at onErrorNT (internal/child_process.js:456:16)
    at processTicksAndRejections (internal/process/task_queues.js:80:21)
Emitted 'error' event on ChildProcess instance at:
    at Process.ChildProcess._handle.onexit (internal/child_process.js:270:12)
    at onErrorNT (internal/child_process.js:456:16)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: 'ENOENT',
  code: 'ENOENT',
  syscall: 'spawn /private/var/tmp/_bazel_gregmagolan/85775d8edd310fbe8df608eb90377ae5/external/build_bazel_rules_nodejs/internal/node/_node_bin/node',
  path: '/private/var/tmp/_bazel_gregmagolan/85775d8edd310fbe8df608eb90377ae5/external/build_bazel_rules_nodejs/internal/node/_node_bin/node',
  spawnargs: [
    '--max-old-space-size=2048',
    '/private/var/tmp/_bazel_gregmagolan/85775d8edd310fbe8df608eb90377ae5/sandbox/darwin-sandbox/18/execroot/rh/node_modules/fork-ts-checker-webpack-plugin/lib/service.js'
  ]
}
CWD /private/var/tmp/_bazel_gregmagolan/85775d8edd310fbe8df608eb90377ae5/sandbox/darwin-sandbox/18/execroot/rh
__dirname /private/var/tmp/_bazel_gregmagolan/85775d8edd310fbe8df608eb90377ae5/sandbox/darwin-sandbox/18/execroot/rh/bazel-out/darwin-fastbuild/bin/bazel/example/web
Creating an optimized production build...
INFO: Elapsed time: 42.717s, Critical Path: 17.45s
INFO: 17 processes: 17 darwin-sandbox.
FAILED: Build did NOT complete successfully

PR Checklist

Please check if your PR fulfills the following requirements:

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature (please, look at the "Scope of the project" section in the README.md file)
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe:

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

@gregmagolan gregmagolan force-pushed the fix_patch_dir branch 6 times, most recently from 1d83e64 to 519eaf0 Compare July 9, 2020 01:37
@gregmagolan gregmagolan marked this pull request as ready for review July 9, 2020 01:43
@gregmagolan gregmagolan changed the title fix(builtin): fix node patches subprocess dir propogation fix(builtin): fix node patches subprocess sandbox propogation Jul 9, 2020
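
The path resolution described in the pull request, as an added example that is not code from the PR or from rules_nodejs: a patch script symlinked into a sandbox resolves to its real location outside the sandbox unless symlinks are preserved or an explicit directory is passed down. `buildLayout`, `resolveNodeDir` and `check` are hypothetical names, the directory tree is constructed, and treating `NP_SUBPROCESS_NODE_DIR` as the directory that holds the `node` wrapper is an assumption.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Constructed layout: the sandbox holds _node_bin/node plus a symlink to a
// node_patches.js that really lives outside the sandbox.
function buildLayout() {
  const root = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'np-demo-')));
  const external = path.join(root, 'external', 'internal', 'node');
  const sandboxNodeDir = path.join(root, 'sandbox', 'execroot', 'internal', 'node');
  fs.mkdirSync(external, { recursive: true });
  fs.mkdirSync(path.join(sandboxNodeDir, '_node_bin'), { recursive: true });
  fs.writeFileSync(path.join(external, 'node_patches.js'), '// patches\n');
  fs.writeFileSync(path.join(sandboxNodeDir, '_node_bin', 'node'), '#!/bin/sh\n');
  fs.symlinkSync(path.join(external, 'node_patches.js'),
                 path.join(sandboxNodeDir, 'node_patches.js'));
  return { sandboxRoot: path.join(root, 'sandbox'), sandboxNodeDir };
}

// Hypothetical model of how a patch script locates the node wrapper.
// Without --preserve-symlinks Node realpaths a required file, so the
// script's own directory becomes the symlink target's directory.
function resolveNodeDir(requiredPath, { preserveSymlinks, env = {} }) {
  if (env.NP_SUBPROCESS_NODE_DIR) return env.NP_SUBPROCESS_NODE_DIR; // second fix
  const scriptPath = preserveSymlinks ? requiredPath : fs.realpathSync(requiredPath);
  return path.join(path.dirname(scriptPath), '_node_bin');
}

// Reports the execPath a subprocess would get and whether it is usable.
function check(layout, opts) {
  const required = path.join(layout.sandboxNodeDir, 'node_patches.js');
  const execPath = path.join(resolveNodeDir(required, opts), 'node');
  const rel = path.relative(layout.sandboxRoot, execPath);
  return {
    execPath,
    insideSandbox: !rel.startsWith('..') && !path.isAbsolute(rel),
    exists: fs.existsSync(execPath), // false corresponds to the spawn ENOENT
  };
}

function demo() {
  const layout = buildLayout();
  const dir = path.join(layout.sandboxNodeDir, '_node_bin');
  console.log('no fix   ', check(layout, { preserveSymlinks: false }));
  console.log('first fix', check(layout, { preserveSymlinks: true }));
  console.log('second fix', check(layout, { preserveSymlinks: false, env: { NP_SUBPROCESS_NODE_DIR: dir } }));
}
demo();
```
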
Two fixes here.

Set --preserve-symlinks --preserve-symlinks-main in the generated _node_bin/node which comes from ${process.env.NODE_REPOSITORY_ARGS}. This will prevent the --require /path/to/node_patches.js from being resolved to its location outside of the sandbox.

However, if preserve_symlinks=false, which is still an option, the 2nd fix is to honour the value of NP_SUBPROCESS_NODE_DIR when running node_patches.js for the subprocess. Even if node_patches.js is resolved to outside of the sandbox for the subprocess and run from there, it will still look for _node_bin/node within the sandbox.
@@ -316,13 +316,13 @@ _int() {
set +e

if [[ -n "${STDOUT_CAPTURE}" ]] && [[ -n "${STDERR_CAPTURE}" ]]; then
"${node}" "${LAUNCHER_NODE_OPTIONS[@]:-}" "${USER_NODE_OPTIONS[@]:-}" "${MAIN}" ${ARGS[@]+"${ARGS[@]}"} <&0 >$STDOUT_CAPTURE 2>$STDERR_CAPTURE &
"${node}" ${LAUNCHER_NODE_OPTIONS[@]+"${LAUNCHER_NODE_OPTIONS[@]}"} ${USER_NODE_OPTIONS[@]+"${USER_NODE_OPTIONS[@]}"} "${MAIN}" ${ARGS[@]+"${ARGS[@]}"} <&0 >$STDOUT_CAPTURE 2>$STDERR_CAPTURE &
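Review bot: The redirect targets at the end of the changed line, `>$STDOUT_CAPTURE 2>$STDERR_CAPTURE`, are still unquoted, so a capture path containing whitespace fails with an ambiguous redirect; write `>"$STDOUT_CAPTURE" 2>"$STDERR_CAPTURE"`. The `${LAUNCHER_NODE_OPTIONS[@]+"${LAUNCHER_NODE_OPTIONS[@]}"}` form that replaces `"${LAUNCHER_NODE_OPTIONS[@]:-}"` also deserves a one-line comment: the old form handed node a single empty-string argument when the array was empty, the new one expands to no words at all, and that difference is not obvious from the line itself.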
Collaborator

this block has gotten pretty crazy, no suggestion for simplifying though

Collaborator Author

@gregmagolan gregmagolan Jul 9, 2020

I thought that as well. Didn't want to touch it yet.
