prosody
53e0ae770917
tools/modtrace.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

tools/modtrace.lua @ 12180:53e0ae770917

util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
author Jonas Schäfer <jonas@wielicki.name>
date Mon, 10 Jan 2022 18:23:54 +0100
parent 11197:50f182931bdd
child 12589:39ae08180c81
line wrap: on
line source

-- Trace module calls and method calls on created objects
--
-- Very rough and for debugging purposes only. It makes many
-- assumptions and there are many ways it could fail.
--
-- Example use:
--
--   local dbuffer = require "tools.modtrace".trace("util.dbuffer");
--

local t_pack = require "util.table".pack;
local serialize = require "util.serialization".serialize;
local unpack = table.unpack or unpack; --luacheck: ignore 113
local set = require "util.set";

local serialize_cfg = {
	preset = "oneline";
	freeze = true;
	fatal = false;
	fallback = function (v) return "<"..tostring(v)..">" end;
};

local function stringify_value(v)
	if type(v) == "string" and #v > 20 then
		return ("<string(%d)>"):format(#v);
	elseif type(v) == "function" then
		return tostring(v);
	end
	return serialize(v, serialize_cfg);
end

local function stringify_params(...)
	local n = select("#", ...);
	local r = {};
	for i = 1, n do
		table.insert(r, stringify_value((select(i, ...))));
	end
	return table.concat(r, ", ");
end

local function stringify_result(ret)
	local r = {};
	for i = 1, ret.n do
		table.insert(r, stringify_value(ret[i]));
	end
	return table.concat(r, ", ");
end

local function stringify_call(method_name, ...)
	return ("%s(%s)"):format(method_name, stringify_params(...));
end

local function wrap_method(original_obj, original_method, method_name)
	method_name = ("<%s>:%s"):format(getmetatable(original_obj).__name or "object", method_name);
	return function (new_obj_self, ...)
		local opts = new_obj_self._modtrace_opts;
		local f = opts.output or io.stderr;
		f:write(stringify_call(method_name, ...));
		local ret = t_pack(original_method(original_obj, ...));
		if ret.n > 0 then
			f:write(" = ", stringify_result(ret), "\n");
		else
			f:write("\n");
		end
		return unpack(ret, 1, ret.n);
	end;
end

local function wrap_function(original_function, function_name, opts)
	local f = opts.output or io.stderr;
	return function (...)
		f:write(stringify_call(function_name, ...));
		local ret = t_pack(original_function(...));
		if ret.n > 0 then
			f:write(" = ", stringify_result(ret), "\n");
		else
			f:write("\n");
		end
		return unpack(ret, 1, ret.n);
	end;
end

local function wrap_metamethod(name, method)
	if name == "__index" then
		return function (new_obj, k)
			local original_method;
			if type(method) == "table" then
				original_method = new_obj._modtrace_original_obj[k];
			else
				original_method = method(new_obj._modtrace_original_obj, k);
			end
			if original_method == nil then
				return nil;
			end
			return wrap_method(new_obj._modtrace_original_obj, original_method, k);
		end;
	end
	return function (new_obj, ...)
		return method(new_obj._modtrace_original_obj, ...);
	end;
end

local function wrap_mt(original_mt)
	local new_mt = {};
	for k, v in pairs(original_mt) do
		new_mt[k] = wrap_metamethod(k, v);
	end
	return new_mt;
end

local function wrap_obj(original_obj, opts)
	local new_mt = wrap_mt(getmetatable(original_obj));
	return setmetatable({_modtrace_original_obj = original_obj, _modtrace_opts = opts}, new_mt);
end

local function wrap_new(original_new, function_name, opts)
	local f = opts.output or io.stderr;
	return function (...)
		f:write(stringify_call(function_name, ...));
		local ret = t_pack(original_new(...));
		local obj = ret[1];

		if ret.n == 1 and type(ret[1]) == "table" then
			f:write(" = <", getmetatable(ret[1]).__name or "object", ">", "\n");
		elseif ret.n > 0 then
			f:write(" = ", stringify_result(ret), "\n");
		else
			f:write("\n");
		end

		if obj then
			ret[1] = wrap_obj(obj, opts);
		end
		return unpack(ret, 1, ret.n);
	end;
end

local function trace(module, opts)
	if type(module) == "string" then
		module = require(module);
	end
	opts = opts or {};
	local new_methods = set.new(opts.new_methods or {"new"});
	local fake_module = setmetatable({}, {
		__index = function (_, k)
			if new_methods:contains(k) then
				return wrap_new(module[k], k, opts);
			else
				return wrap_function(module[k], k, opts);
			end
		end;
	});
	return fake_module;
end

return {
	wrap = trace;
	trace = trace;
}