mirror of
https://github.com/searxng/searxng.git
synced 2024-09-23 20:10:08 +00:00
[mod] hardening "calculator plugin" / limit execution time to 50 ms
The execution of the function for the calculation is outsourced to a process whose runtime is limited to 50 milliseconds. Related: - [1] https://github.com/searxng/searxng/pull/3377#issuecomment-2067977375 Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
This commit is contained in:
Markus Heiser
Markus Heiser
parent
7d9d5186a0
commit
3a3ff8f020
1 changed files with 37 additions and 6 deletions
|
|
@ -4,10 +4,13 @@
|
||||||
|
|
||||||
import ast
|
import ast
|
||||||
import operator
|
import operator
|
||||||
|
from multiprocessing import Process, Queue
|
||||||
|
|
||||||
from flask_babel import gettext
|
from flask_babel import gettext
|
||||||
from searx import settings
|
from searx import settings
|
||||||
|
|
||||||
|
from searx.plugins import logger
|
||||||
|
|
||||||
name = "Basic Calculator"
|
name = "Basic Calculator"
|
||||||
description = gettext("Calculate mathematical expressions via the search bar")
|
description = gettext("Calculate mathematical expressions via the search bar")
|
||||||
default_on = False
|
default_on = False
|
||||||
|
|
@ -15,6 +18,8 @@ default_on = False
|
||||||
preference_section = 'general'
|
preference_section = 'general'
|
||||||
plugin_id = 'calculator'
|
plugin_id = 'calculator'
|
||||||
|
|
||||||
|
logger = logger.getChild(plugin_id)
|
||||||
|
|
||||||
operators = {
|
operators = {
|
||||||
ast.Add: operator.add,
|
ast.Add: operator.add,
|
||||||
ast.Sub: operator.sub,
|
ast.Sub: operator.sub,
|
||||||
|
|
@ -51,6 +56,30 @@ def _eval(node):
|
||||||
raise TypeError(node)
|
raise TypeError(node)
|
||||||
|
|
||||||
|
|
||||||
|
def timeout_func(timeout, func, *args, **kwargs):
|
||||||
|
|
||||||
|
def handler(q: Queue, func, args, **kwargs): # pylint:disable=invalid-name
|
||||||
|
try:
|
||||||
|
q.put(func(*args, **kwargs))
|
||||||
|
except:
|
||||||
|
q.put(None)
|
||||||
|
raise
|
||||||
|
|
||||||
|
que = Queue()
|
||||||
|
p = Process(target=handler, args=(que, func, args), kwargs=kwargs)
|
||||||
|
p.start()
|
||||||
|
p.join(timeout=timeout)
|
||||||
|
ret_val = None
|
||||||
|
if not p.is_alive():
|
||||||
|
ret_val = que.get()
|
||||||
|
else:
|
||||||
|
logger.debug("terminate function after timeout is exceeded")
|
||||||
|
p.terminate()
|
||||||
|
p.join()
|
||||||
|
p.close()
|
||||||
|
return ret_val
|
||||||
|
|
||||||
|
|
||||||
def post_search(_request, search):
|
def post_search(_request, search):
|
||||||
# don't run on public instances due to possible attack surfaces
|
# don't run on public instances due to possible attack surfaces
|
||||||
if settings['server']['public_instance']:
|
if settings['server']['public_instance']:
|
||||||
|
|
@ -74,13 +103,15 @@ def post_search(_request, search):
|
||||||
|
|
||||||
# in python, powers are calculated via **
|
# in python, powers are calculated via **
|
||||||
query_py_formatted = query.replace("^", "**")
|
query_py_formatted = query.replace("^", "**")
|
||||||
try:
|
|
||||||
result = str(_eval_expr(query_py_formatted))
|
# Prevent the runtime from being longer than 50 ms
|
||||||
|
result = timeout_func(0.05, _eval_expr, query_py_formatted)
|
||||||
|
if result is None:
|
||||||
|
return True
|
||||||
|
result = str(result)
|
||||||
|
|
||||||
if result != query:
|
if result != query:
|
||||||
search.result_container.answers['calculate'] = {'answer': f"{query} = {result}"}
|
search.result_container.answers['calculate'] = {'answer': f"{query} = {result}"}
|
||||||
except (TypeError, SyntaxError, ArithmeticError):
|
|
||||||
pass
|
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue