Travis worker vulnerability #349

nusco opened this Issue Dec 3, 2011 · 6 comments



nusco commented Dec 3, 2011

The tests in my Travisized project (nusco/cuukie) fork a separate process containing a Sinatra server. To avoid polluting the test console, they redirect the output to /dev/null. Like this:

Process.detach fork { exec "ruby lib/server.rb >& /dev/null" }

When I pushed this, all my Travis workers crashed. Apparently, that command fails under Ubuntu for reasons explained here: Travis doesn't protect itself from that.

I fixed this specific situation by changing my code to:

Process.detach fork { exec "ruby lib/server.rb >/dev/null 2>&1" }

I might look into Travis to find a way to avoid crashing it again in the future. :) However, I'm not sure I will issue a pull request in the next few days, so here is an issue to avoid forgetting about it. ;)


michaelklishin commented Dec 24, 2011

Can you be more specific about "crashed"? Your test suite runs in a snapshotted VM, it cannot possibly affect the host OS. If some kind of output causes exceptions in the worker, we need to know what project can be used to reproduce and link to the stack trace.


michaelklishin commented Dec 24, 2011

Sounds like the worst thing that can happen with a shell syntax error is incomplete shell input that will hang the worker up. We deployed a different timeout implementation just yesterday that should terminate incomplete commands.
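
Added example (not part of the thread, and not Travis's worker code): one way to start a noisy child process without depending on the shell's redirection dialect, with a deadline that kills a hung command. Ruby's `exec` with a single command string hands it to `/bin/sh`, which on Ubuntu is dash and does not accept the `>& file` form; the array form of `Process.spawn` below bypasses the shell entirely. `run_quiet` is a hypothetical helper name.

```ruby
require "rbconfig"

# Hypothetical helper: run argv with stdout/stderr discarded and a hard deadline.
# Returns the child's exit status (Integer), or :timeout if it had to be killed.
def run_quiet(argv, timeout_s)
  # Array form: no /bin/sh is involved, so ">&" vs "2>&1" never comes up.
  pid = Process.spawn(*argv,
                      in:  File::NULL,
                      out: File::NULL,
                      err: [:child, :out], # stderr goes wherever the child's stdout goes
                      pgroup: true)        # own process group, so descendants die with it

  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout_s
  loop do
    # WNOHANG: returns nil while the child is still running.
    _, status = Process.wait2(pid, Process::WNOHANG)
    return status.exitstatus if status

    if Process.clock_gettime(Process::CLOCK_MONOTONIC) >= deadline
      Process.kill("KILL", -pid) # negative pid signals the whole process group
      Process.wait(pid)          # reap, so no zombie is left behind
      return :timeout
    end
    sleep 0.05
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample commands, using the running interpreter as the child.
  noisy = [RbConfig.ruby, "-e", "puts 'noise'; warn 'more noise'; exit 3"]
  hung  = [RbConfig.ruby, "-e", "sleep 30"]
  puts "noisy child -> #{run_quiet(noisy, 5).inspect}"
  puts "hung child  -> #{run_quiet(hung, 0.5).inspect}"
end
```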


joshk commented Dec 24, 2011

Hey @nusco,

Sorry it's taken so long to reply to this.

Thank you for the detailed report!

Are you referring to this error :!/nusco/cuukie/jobs/368382

If so, I don't think it's a vulnerability as all tests are run in VMs over SSH connections. If the test fails like this then we just clean up the VM and all is good again.

Let me know if I have got this wrong, I will close the issue for now but feel free to reopen it if I have misunderstood.

Thanks a bundle!


joshk closed this Dec 24, 2011

nusco commented Dec 26, 2011

@joshk, @michaelklishin: Yes, that was the error - and yeah, it's closed. Describing it as a "vulnerability" was my mistake. Thanks!


joshk commented Dec 26, 2011

Thanks for reporting it @nusco, have a fantastic Xmas and New Year! :)

nusco commented Dec 27, 2011

@joshk, same to you all, and sorry for the confusion. :)
