MediaWiki  master
Command.php
Go to the documentation of this file.
1 <?php
21 namespace MediaWiki\Shell;
22 
23 use Exception;
24 use MediaWiki\ProcOpenError;
25 use MediaWiki\ShellDisabledError;
26 use Profiler;
27 use Psr\Log\LoggerInterface;
28 use Psr\Log\NullLogger;
29 use Shellbox\Command\UnboxedCommand;
30 use Shellbox\Command\UnboxedExecutor;
31 use Shellbox\Command\UnboxedResult;
32 use Wikimedia\ScopedCallback;
33 
39 class Command extends UnboxedCommand {
41  private $everExecuted = false;
42 
44  private $method;
45 
47  protected $logger;
48 
55  public function __construct( UnboxedExecutor $executor ) {
56  if ( Shell::isDisabled() ) {
57  throw new ShellDisabledError();
58  }
59  parent::__construct( $executor );
60  $this->setLogger( new NullLogger );
61  }
62 
66  public function __destruct() {
67  if ( !$this->everExecuted ) {
68  $context = [ 'command' => $this->getCommandString() ];
69  $message = __CLASS__ . " was instantiated, but execute() was never called.";
70  if ( $this->method ) {
71  $message .= ' Calling method: {method}.';
72  $context['method'] = $this->method;
73  }
74  $message .= ' Command: {command}';
75  $this->logger->warning( $message, $context );
76  }
77  }
78 
79  public function setLogger( LoggerInterface $logger ) {
80  $this->logger = $logger;
81  if ( $this->executor ) {
82  $this->executor->setLogger( $logger );
83  }
84  }
85 
93  public function limits( array $limits ): Command {
94  if ( !isset( $limits['walltime'] ) && isset( $limits['time'] ) ) {
95  // Emulate the behavior of old wfShellExec() where walltime fell back on time
96  // if the latter was overridden and the former wasn't
97  $limits['walltime'] = $limits['time'];
98  }
99  if ( isset( $limits['filesize'] ) ) {
100  $this->fileSizeLimit( $limits['filesize'] * 1024 );
101  }
102  if ( isset( $limits['memory'] ) ) {
103  $this->memoryLimit( $limits['memory'] * 1024 );
104  }
105  if ( isset( $limits['time'] ) ) {
106  $this->cpuTimeLimit( $limits['time'] );
107  }
108  if ( isset( $limits['walltime'] ) ) {
109  $this->wallTimeLimit( $limits['walltime'] );
110  }
111 
112  return $this;
113  }
114 
121  public function profileMethod( string $method ): Command {
122  $this->method = $method;
123 
124  return $this;
125  }
126 
135  public function input( string $inputString ): Command {
136  return $this->stdin( $inputString );
137  }
138 
147  public function cgroup( $cgroup ): Command {
148  wfDeprecated( __METHOD__, '1.36' );
149  return $this;
150  }
151 
176  public function restrict( int $restrictions ): Command {
177  $this->privateUserNamespace( (bool)( $restrictions & Shell::NO_ROOT ) );
178  $this->firejailDefaultSeccomp( (bool)( $restrictions & Shell::SECCOMP ) );
179  $this->noNewPrivs( (bool)( $restrictions & Shell::SECCOMP ) );
180  $this->privateDev( (bool)( $restrictions & Shell::PRIVATE_DEV ) );
181  $this->disableNetwork( (bool)( $restrictions & Shell::NO_NETWORK ) );
182  if ( $restrictions & Shell::NO_EXECVE ) {
183  $this->disabledSyscalls( [ 'execve' ] );
184  } else {
185  $this->disabledSyscalls( [] );
186  }
187  if ( $restrictions & Shell::NO_LOCALSETTINGS ) {
188  $this->disallowedPaths( [ realpath( MW_CONFIG_FILE ) ] );
189  } else {
190  $this->disallowedPaths( [] );
191  }
192  if ( $restrictions === 0 ) {
193  $this->disableSandbox();
194  }
195 
196  return $this;
197  }
198 
209  public function whitelistPaths( array $paths ): Command {
210  $this->allowedPaths( array_merge( $this->getAllowedPaths(), $paths ) );
211  return $this;
212  }
213 
223  public function execute(): UnboxedResult {
224  $this->everExecuted = true;
225  $profileMethod = $this->method ?: wfGetCaller();
226  $scoped = Profiler::instance()->scopedProfileIn( __FUNCTION__ . '-' . $profileMethod );
227  $result = parent::execute();
228  ScopedCallback::consume( $scoped );
229  return $result;
230  }
231 
239  public function __toString(): string {
240  return "#Command: {$this->getCommandString()}";
241  }
242 }
MediaWiki\Shell\Command\$everExecuted
bool $everExecuted
Definition: Command.php:41
MediaWiki\Shell\Shell\NO_EXECVE
const NO_EXECVE
Deny execve syscall with seccomp.
Definition: Shell.php:84
MediaWiki\Shell\Command\__destruct
__destruct()
Makes sure the programmer didn't forget to execute the command after all.
Definition: Command.php:66
MediaWiki\ProcOpenError
@newable
Definition: ProcOpenError.php:28
Profiler\instance
static instance()
Singleton.
Definition: Profiler.php:69
MediaWiki\Shell\Command
Class used for executing shell commands.
Definition: Command.php:39
MediaWiki\Shell\Command\cgroup
cgroup( $cgroup)
Sets cgroup for this command.
Definition: Command.php:147
MediaWiki\Shell\Command\__construct
__construct(UnboxedExecutor $executor)
Don't call directly, instead use Shell::command()
Definition: Command.php:55
MediaWiki\Shell\Shell\SECCOMP
const SECCOMP
Use seccomp to block dangerous syscalls.
Definition: Shell.php:61
MediaWiki\Shell\Command\limits
limits(array $limits)
Sets execution limits.
Definition: Command.php:93
wfDeprecated
wfDeprecated( $function, $version=false, $component=false, $callerOffset=2)
Logs a warning that $function is deprecated.
Definition: GlobalFunctions.php:1034
Profiler
Profiler base class that defines the interface and some shared functionality.
Definition: Profiler.php:36
MediaWiki\Shell\Command\__toString
__toString()
Returns the final command line before environment/limiting, etc are applied.
Definition: Command.php:239
MediaWiki\Shell\Shell\isDisabled
static isDisabled()
Check if this class is effectively disabled via php.ini config.
Definition: Shell.php:138
MediaWiki\Shell\Shell\NO_ROOT
const NO_ROOT
Disallow any root access.
Definition: Shell.php:53
MediaWiki\Shell\Command\profileMethod
profileMethod(string $method)
Sets calling function for profiler.
Definition: Command.php:121
MediaWiki\ShellDisabledError
@newable
Definition: ShellDisabledError.php:29
MediaWiki\Shell
Definition: Command.php:21
MediaWiki\Shell\Command\input
input(string $inputString)
Sends the provided input to the command.
Definition: Command.php:135
MediaWiki\Shell\Command\restrict
restrict(int $restrictions)
Set restrictions for this request, overwriting any previously set restrictions.
Definition: Command.php:176
MediaWiki\Shell\Command\setLogger
setLogger(LoggerInterface $logger)
Definition: Command.php:79
MediaWiki\Shell\Shell\PRIVATE_DEV
const PRIVATE_DEV
Create a private /dev.
Definition: Shell.php:68
MediaWiki\Shell\Shell\NO_NETWORK
const NO_NETWORK
Restrict the request to have no network access.
Definition: Shell.php:76
MediaWiki\Shell\Command\$method
string $method
Definition: Command.php:44
MediaWiki\Shell\Command\$logger
LoggerInterface $logger
Definition: Command.php:47
MediaWiki\$context
IContextSource $context
Definition: MediaWiki.php:39
MediaWiki\Shell\Command\whitelistPaths
whitelistPaths(array $paths)
If called, only the files/directories that are whitelisted will be available to the shell command.
Definition: Command.php:209
MediaWiki\Shell\Shell\NO_LOCALSETTINGS
const NO_LOCALSETTINGS
Deny access to LocalSettings.php (MW_CONFIG_FILE)
Definition: Shell.php:91
MediaWiki\Shell\Command\execute
execute()
Executes command.
Definition: Command.php:223
wfGetCaller
wfGetCaller( $level=2)
Get the name of the function which called this function wfGetCaller( 1 ) is the function with the wfG...
Definition: GlobalFunctions.php:1408