From 3540d676733efaddecf504b30e9a596465bd43f8 Mon Sep 17 00:00:00 2001
From: Stefan Boberg <stefan.boberg@epicgames.com>
Date: Mon, 30 Mar 2026 15:07:08 +0200
Subject: Request validation and resilience improvements (#864)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

### Security: Input validation & path safety
- **Reject local file references by default** in package parsing — only allow when explicitly opted in by the service (`ParseFlags::kAllowLocalReferences`) and validated by an `ILocalRefPolicy` (fail-closed: no policy = rejected)
- **`DataRootLocalRefPolicy`** restricts local ref paths to the server's data root via canonical path prefix matching
- **Validate attachment hashes** in compute HTTP handlers — decompresses and re-hashes each attachment at ingestion time to reject tampered payloads
- **Path traversal validation** for worker descriptions (`pathvalidation.h`) — rejects absolute paths, `..` components, Windows reserved device names, and invalid filename characters
- **Harden CbPackage parsing** against corrupt inputs — overflow-safe attachment count, bounds checks on local ref offset/size, graceful failure instead of `ZEN_ASSERT` for untrusted data
- **Harden legacy package parser** — reject zero-size binary fields, missing mappers, and optionally validate resolved attachment hashes
- **Bounds check in `CbPackageReader::MarshalLocalChunkReference`** — detect when `MakeFromFile` silently clamps offset+size to file size

### Reliability: Lock consolidation & bug fixes
- **Consolidate three action map locks into one** (`m_ActionMapLock`) — eliminates deadlock risk from multi-lock ordering, simplifies state transitions, and fixes a race where newly enqueued actions were briefly invisible to `GetActionResult`/`FindActionResult`
- **Fix infinite loop in `BaseRunnerGroup::SubmitActions`** when actions exceed total runner capacity — cap round-robin at `TotalCapacity` and default unassigned results to "No capacity"
- **Fix `MakeSafeAbsolutePathInPlace` for UNC paths** — `\server\share` now correctly becomes `\?\UNC\server\share` instead of `\?\server\share`
- **Fix `max_retries=0`** — previously fell through to the default of 3; now correctly means "no retries"

### New: ManagedProcessRunner
- Cross-platform process runner backed by `SubprocessManager` — uses async exit callbacks instead of polling, delegates CPU/memory metrics to the manager's built-in sampler
- `ProcessGroup` (JobObject on Windows, process group on POSIX) for bulk cancellation on shutdown
- `--managed` flag on `zen exec inproc` to select this runner
- Refactored monitor thread lifecycle — `StartMonitorThread()` now called from derived constructors to avoid calling virtual functions from base constructor

### Process management
- **Suppress crash dialogs** via `JOB_OBJECT_UILIMIT_ERRORMODE` + `SEM_NOGPFAULTERRORBOX` in both `WindowsProcessRunner` and `JobObject::Initialize` — prevents WER/Dr. Watson modal dialogs from blocking the monitor thread
- **CREATE_SUSPENDED → AssignProcessToJobObject → ResumeThread** pattern in `WindowsProcessRunner` — ensures job object assignment before process execution
- **Move stdout/stderr callbacks to `Spawn()` parameters** in `SubprocessManager` — prevents race where early output could be missed before callback installation
- Consistent PID logging across all runner types

### Test infrastructure
- **`zentest-appstub`**: Added `Fail` (configurable exit code) and `Crash` (abort / nullptr deref) test functions
- **Compute integration tests**: exit code handling, auto-retry exhaustion, manual reschedule after failure, mixed success/failure queues, crash handling (abort + nullptr), crash auto-retry, immediate query visibility after enqueue
- **Package format tests**: truncated header, bad magic, attachment count overflow, truncated data, local ref rejection/acceptance, policy enforcement (inside/outside root, traversal, no-policy fail-closed)
- **Legacy package parser tests**: empty input, zero-size binary, hash resolution with/without mapper, hash mismatch detection
- **UNC path tests** for `MakeSafeAbsolutePath`

### Misc
- ANSI color helper macros (`ZEN_RED`, `ZEN_BRIGHT_WHITE`, etc.) and `ZEN_BOLD`/`ZEN_DIM`/etc.
- Generic `fmt::formatter` for types with free `ToString` functions
- Compute dashboard: truncated hash display with monospace font and hover for full value
- Renamed `usonpackage_forcelink` → `cbpackage_forcelink`
- Compute enabled by default in xmake config (releases still explicitly disable)
---
 src/zencompute/pathvalidation.h | 118 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 src/zencompute/pathvalidation.h

(limited to 'src/zencompute/pathvalidation.h')

diff --git a/src/zencompute/pathvalidation.h b/src/zencompute/pathvalidation.h
new file mode 100644
index 000000000..c2e30183a
--- /dev/null
+++ b/src/zencompute/pathvalidation.h
@@ -0,0 +1,118 @@
+// Copyright Epic Games, Inc. All Rights Reserved.
+
+#pragma once
+
+#include <zencore/compactbinary.h>
+#include <zencore/except_fmt.h>
+#include <zencore/string.h>
+
+#include <filesystem>
+#include <string_view>
+
+namespace zen::compute {
+
+// Validate that a single path component contains only characters that are valid
+// file/directory names on all supported platforms. Uses Windows rules as the most
+// restrictive superset, since packages may be built on one platform and consumed
+// on another.
+inline void
+ValidatePathComponent(std::string_view Component, std::string_view FullPath)
+{
+	// Reject control characters (0x00-0x1F) and characters forbidden on Windows
+	for (char Ch : Component)
+	{
+		if (static_cast<unsigned char>(Ch) < 0x20 || Ch == '<' || Ch == '>' || Ch == ':' || Ch == '"' || Ch == '|' || Ch == '?' ||
+			Ch == '*')
+		{
+			throw zen::invalid_argument("invalid character in path component '{}' of '{}'", Component, FullPath);
+		}
+	}
+
+	// Reject empty components and trailing dots or spaces (silently stripped on Windows, leading to confusion)
+	if (Component.empty() || Component.back() == '.' || Component.back() == ' ')
+	{
+		throw zen::invalid_argument("path component '{}' of '{}' has trailing dot or space", Component, FullPath);
+	}
+
+	// Reject Windows reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9)
+	// These are reserved with or without an extension (e.g. "CON.txt" is still reserved).
+	std::string_view Stem = Component.substr(0, Component.find('.'));
+
+	static constexpr std::string_view ReservedNames[] = {
+		"CON",	"PRN",	"AUX",	"NUL",	"COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7",
+		"COM8", "COM9", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
+	};
+
+	for (std::string_view Reserved : ReservedNames)
+	{
+		if (zen::StrCaseCompare(Stem, Reserved) == 0)
+		{
+			throw zen::invalid_argument("path component '{}' of '{}' uses reserved device name '{}'", Component, FullPath, Reserved);
+		}
+	}
+}
+
+// Validate that a path extracted from a package is a safe relative path.
+// Rejects absolute paths, ".." components, and invalid platform filenames.
+inline void
+ValidateSandboxRelativePath(std::string_view Name)
+{
+	if (Name.empty())
+	{
+		throw zen::invalid_argument("path traversal detected: empty path name");
+	}
+
+	std::filesystem::path Parsed(Name);
+
+	if (Parsed.is_absolute())
+	{
+		throw zen::invalid_argument("path traversal detected: '{}' is an absolute path", Name);
+	}
+
+	for (const auto& Component : Parsed)
+	{
+		std::string ComponentStr = Component.string();
+
+		if (ComponentStr == "..")
+		{
+			throw zen::invalid_argument("path traversal detected: '{}' contains '..' component", Name);
+		}
+
+		// Skip "." (current directory) — harmless in relative paths
+		if (ComponentStr != ".")
+		{
+			ValidatePathComponent(ComponentStr, Name);
+		}
+	}
+}
+
+// Validate all path entries in a worker description CbObject.
+// Checks path, executables[].name, dirs[], and files[].name fields.
+// Throws an exception if any invalid paths are found.
+inline void
+ValidateWorkerDescriptionPaths(const CbObject& WorkerDescription)
+{
+	using namespace std::literals;
+
+	if (auto PathField = WorkerDescription["path"sv]; PathField.HasValue())
+	{
+		ValidateSandboxRelativePath(PathField.AsString());
+	}
+
+	for (auto& It : WorkerDescription["executables"sv])
+	{
+		ValidateSandboxRelativePath(It.AsObjectView()["name"sv].AsString());
+	}
+
+	for (auto& It : WorkerDescription["dirs"sv])
+	{
+		ValidateSandboxRelativePath(It.AsString());
+	}
+
+	for (auto& It : WorkerDescription["files"sv])
+	{
+		ValidateSandboxRelativePath(It.AsObjectView()["name"sv].AsString());
+	}
+}
+
+}  // namespace zen::compute
-- 
cgit v1.2.3