Travis worker vulnerability #349

Closed
nusco opened this Issue · 6 comments

3 participants

@nusco

The tests in my Travisized project (nusco/cuukie) fork a separate process containing a Sinatra server. To avoid polluting the test console, they redirect the output to /dev/null. Like this:

Process.detach fork { exec "ruby lib/server.rb >& /dev/null" }

When I pushed this, all my Travis workers crashed. Apparently, that command fails under Ubuntu for reasons explained here: http://blog.stefan-weigand.de/2008/09/23/syntax-error-bad-fd-number/. Travis doesn't protect itself from that.

I fixed this specific situation by changing my code to:

Process.detach fork { exec "ruby lib/server.rb >/dev/null 2>&1" }

I might look into Travis to find a way to avoid crashing it again in the future. :) However, I'm not sure I will issue a pull request in the next few days, so here is an issue to avoid forgetting about it. ;)
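Added example, not part of the original issue thread: the `>&` form is a bash extension, and Ruby hands a command string containing redirections to `/bin/sh`, which on Ubuntu is dash. The sketch below avoids the shell entirely by letting Ruby do the redirection; the helper names `spawn_quietly` and `sh_accepts?` are hypothetical, and the child command is a constructed stand-in for `ruby lib/server.rb`.

```ruby
require "rbconfig"

# Added example, not code from the issue thread. The helper names below
# (spawn_quietly, sh_accepts?) are hypothetical.

# Start a background process with all standard streams tied to the null
# device. The [program, argv0] form makes Ruby exec the program directly,
# so /bin/sh (dash on Ubuntu) never parses a redirection operator.
def spawn_quietly(program, *args)
  pid = Process.spawn([program, program], *args,
                      in: File::NULL, out: File::NULL, err: File::NULL)
  Process.detach(pid) # thread that reaps the child; .value is its status
end

# Ask /bin/sh to parse (-n: do not execute) a command line, to check a
# redirection for portability before it ends up in a test suite.
def sh_accepts?(command_line)
  system("/bin/sh", "-n", "-c", command_line,
         out: File::NULL, err: File::NULL) == true
end

if __FILE__ == $PROGRAM_NAME
  ruby = RbConfig.ruby
  # Constructed stand-in for "ruby lib/server.rb": writes to both streams.
  status = spawn_quietly(ruby, "-e", 'puts "out"; warn "err"').value
  puts "quiet child exited with #{status.exitstatus}"

  # Redirection tokens passed as arguments stay literal: no shell sees them.
  probe = 'exit(ARGV == [">&", "/dev/null"] ? 0 : 1)'
  literal = spawn_quietly(ruby, "-e", probe, ">&", "/dev/null").value.success?
  puts "tokens stayed literal: #{literal}"

  [">& /dev/null", ">/dev/null 2>&1"].each do |redir|
    puts "/bin/sh parses 'true #{redir}': #{sh_accepts?("true #{redir}")}"
  end
end
```

The last loop prints a result that depends on which shell `/bin/sh` is on the machine running it.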

@michaelklishin

Can you be more specific about "crashed"? Your test suite runs in a snapshotted VM, it cannot possibly affect the host OS. If some kind of output causes exceptions in the worker, we need to know what project can be used to reproduce and link to the stack trace.

@michaelklishin

Sounds like the worst thing that can happen with a shell syntax error is incomplete shell input that will hang the worker up. We deployed a different timeout implementation just yesterday that should terminate incomplete commands.

@joshk
Owner

Hey @nusco,

Sorry it's taken so long to reply to this.

Thank you for the detailed report!

Are you referring to this error: http://travis-ci.org/#!/nusco/cuukie/jobs/368382

If so, I don't think it's a vulnerability as all tests are run in VMs over SSH connections. If the test fails like this then we just clean up the VM and all is good again.

Let me know if I have got this wrong, I will close the issue for now but feel free to reopen it if I have misunderstood.

Thanks a bundle!

Josh

@joshk joshk closed this
@nusco

@joshk, @michaelklishin : Yes, that was the error - and yeah, it's closed. Describing it as a "vulnerability" was my mistake. Thanks!

@joshk
Owner

Thanks for reporting it @nusco, have a fantastic Xmas and New Year! :)

@nusco

@joshk, same to you all, and sorry for the confusion. :)
