From 3540d676733efaddecf504b30e9a596465bd43f8 Mon Sep 17 00:00:00 2001
From: Stefan Boberg <stefan.boberg@epicgames.com>
Date: Mon, 30 Mar 2026 15:07:08 +0200
Subject: Request validation and resilience improvements (#864)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

### Security: Input validation & path safety
- **Reject local file references by default** in package parsing — only allow when explicitly opted in by the service (`ParseFlags::kAllowLocalReferences`) and validated by an `ILocalRefPolicy` (fail-closed: no policy = rejected)
- **`DataRootLocalRefPolicy`** restricts local ref paths to the server's data root via canonical path prefix matching
- **Validate attachment hashes** in compute HTTP handlers — decompresses and re-hashes each attachment at ingestion time to reject tampered payloads
- **Path traversal validation** for worker descriptions (`pathvalidation.h`) — rejects absolute paths, `..` components, Windows reserved device names, and invalid filename characters
- **Harden CbPackage parsing** against corrupt inputs — overflow-safe attachment count, bounds checks on local ref offset/size, graceful failure instead of `ZEN_ASSERT` for untrusted data
- **Harden legacy package parser** — reject zero-size binary fields, missing mappers, and optionally validate resolved attachment hashes
- **Bounds check in `CbPackageReader::MarshalLocalChunkReference`** — detect when `MakeFromFile` silently clamps offset+size to file size

### Reliability: Lock consolidation & bug fixes
- **Consolidate three action map locks into one** (`m_ActionMapLock`) — eliminates deadlock risk from multi-lock ordering, simplifies state transitions, and fixes a race where newly enqueued actions were briefly invisible to `GetActionResult`/`FindActionResult`
- **Fix infinite loop in `BaseRunnerGroup::SubmitActions`** when actions exceed total runner capacity — cap round-robin at `TotalCapacity` and default unassigned results to "No capacity"
- **Fix `MakeSafeAbsolutePathInPlace` for UNC paths** — `\server\share` now correctly becomes `\?\UNC\server\share` instead of `\?\server\share`
- **Fix `max_retries=0`** — previously fell through to the default of 3; now correctly means "no retries"

### New: ManagedProcessRunner
- Cross-platform process runner backed by `SubprocessManager` — uses async exit callbacks instead of polling, delegates CPU/memory metrics to the manager's built-in sampler
- `ProcessGroup` (JobObject on Windows, process group on POSIX) for bulk cancellation on shutdown
- `--managed` flag on `zen exec inproc` to select this runner
- Refactored monitor thread lifecycle — `StartMonitorThread()` now called from derived constructors to avoid calling virtual functions from base constructor

### Process management
- **Suppress crash dialogs** via `JOB_OBJECT_UILIMIT_ERRORMODE` + `SEM_NOGPFAULTERRORBOX` in both `WindowsProcessRunner` and `JobObject::Initialize` — prevents WER/Dr. Watson modal dialogs from blocking the monitor thread
- **CREATE_SUSPENDED → AssignProcessToJobObject → ResumeThread** pattern in `WindowsProcessRunner` — ensures job object assignment before process execution
- **Move stdout/stderr callbacks to `Spawn()` parameters** in `SubprocessManager` — prevents race where early output could be missed before callback installation
- Consistent PID logging across all runner types

### Test infrastructure
- **`zentest-appstub`**: Added `Fail` (configurable exit code) and `Crash` (abort / nullptr deref) test functions
- **Compute integration tests**: exit code handling, auto-retry exhaustion, manual reschedule after failure, mixed success/failure queues, crash handling (abort + nullptr), crash auto-retry, immediate query visibility after enqueue
- **Package format tests**: truncated header, bad magic, attachment count overflow, truncated data, local ref rejection/acceptance, policy enforcement (inside/outside root, traversal, no-policy fail-closed)
- **Legacy package parser tests**: empty input, zero-size binary, hash resolution with/without mapper, hash mismatch detection
- **UNC path tests** for `MakeSafeAbsolutePath`

### Misc
- ANSI color helper macros (`ZEN_RED`, `ZEN_BRIGHT_WHITE`, etc.) and `ZEN_BOLD`/`ZEN_DIM`/etc.
- Generic `fmt::formatter` for types with free `ToString` functions
- Compute dashboard: truncated hash display with monospace font and hover for full value
- Renamed `usonpackage_forcelink` → `cbpackage_forcelink`
- Compute enabled by default in xmake config (releases still explicitly disable)
---
 src/zencompute/runners/windowsrunner.cpp | 99 +++++++++++++++++++++++---------
 1 file changed, 73 insertions(+), 26 deletions(-)

(limited to 'src/zencompute/runners/windowsrunner.cpp')

diff --git a/src/zencompute/runners/windowsrunner.cpp b/src/zencompute/runners/windowsrunner.cpp
index cd4b646e9..92ee65c2d 100644
--- a/src/zencompute/runners/windowsrunner.cpp
+++ b/src/zencompute/runners/windowsrunner.cpp
@@ -21,6 +21,12 @@ ZEN_THIRD_PARTY_INCLUDES_START
 #	include <sddl.h>
 ZEN_THIRD_PARTY_INCLUDES_END
 
+// JOB_OBJECT_UILIMIT_ERRORMODE is defined in winuser.h which may be
+// excluded by WIN32_LEAN_AND_MEAN.
+#	if !defined(JOB_OBJECT_UILIMIT_ERRORMODE)
+#		define JOB_OBJECT_UILIMIT_ERRORMODE 0x00000400
+#	endif
+
 namespace zen::compute {
 
 using namespace std::literals;
@@ -34,38 +40,65 @@ WindowsProcessRunner::WindowsProcessRunner(ChunkResolver&				Resolver,
 : LocalProcessRunner(Resolver, BaseDir, Deleter, WorkerPool, MaxConcurrentActions)
 , m_Sandboxed(Sandboxed)
 {
-	if (!m_Sandboxed)
+	// Create a job object shared by all child processes. Restricting the
+	// error-mode UI prevents crash dialogs (WER / Dr. Watson) from
+	// blocking the monitor thread when a worker process terminates
+	// abnormally.
+	m_JobObject = CreateJobObjectW(nullptr, nullptr);
+	if (m_JobObject)
 	{
-		return;
+		JOBOBJECT_EXTENDED_LIMIT_INFORMATION ExtLimits{};
+		ExtLimits.BasicLimitInformation.LimitFlags = JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE | JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION;
+		SetInformationJobObject(m_JobObject, JobObjectExtendedLimitInformation, &ExtLimits, sizeof(ExtLimits));
+
+		JOBOBJECT_BASIC_UI_RESTRICTIONS UiRestrictions{};
+		UiRestrictions.UIRestrictionsClass = JOB_OBJECT_UILIMIT_ERRORMODE;
+		SetInformationJobObject(m_JobObject, JobObjectBasicUIRestrictions, &UiRestrictions, sizeof(UiRestrictions));
+
+		// Set error mode on this process so children inherit it. The
+		// UILIMIT_ERRORMODE restriction above prevents them from clearing
+		// SEM_NOGPFAULTERRORBOX.
+		SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX);
 	}
 
-	// Build a unique profile name per process to avoid collisions
-	m_AppContainerName = L"zenserver-sandbox-" + std::to_wstring(GetCurrentProcessId());
+	if (m_Sandboxed)
+	{
+		// Build a unique profile name per process to avoid collisions
+		m_AppContainerName = L"zenserver-sandbox-" + std::to_wstring(GetCurrentProcessId());
 
-	// Clean up any stale profile from a previous crash
-	DeleteAppContainerProfile(m_AppContainerName.c_str());
+		// Clean up any stale profile from a previous crash
+		DeleteAppContainerProfile(m_AppContainerName.c_str());
 
-	PSID Sid = nullptr;
+		PSID Sid = nullptr;
 
-	HRESULT Hr = CreateAppContainerProfile(m_AppContainerName.c_str(),
-										   m_AppContainerName.c_str(),	// display name
-										   m_AppContainerName.c_str(),	// description
-										   nullptr,						// no capabilities
-										   0,							// capability count
-										   &Sid);
+		HRESULT Hr = CreateAppContainerProfile(m_AppContainerName.c_str(),
+											   m_AppContainerName.c_str(),	// display name
+											   m_AppContainerName.c_str(),	// description
+											   nullptr,						// no capabilities
+											   0,							// capability count
+											   &Sid);
 
-	if (FAILED(Hr))
-	{
-		throw zen::runtime_error("CreateAppContainerProfile failed: HRESULT 0x{:08X}", static_cast<uint32_t>(Hr));
-	}
+		if (FAILED(Hr))
+		{
+			throw zen::runtime_error("CreateAppContainerProfile failed: HRESULT 0x{:08X}", static_cast<uint32_t>(Hr));
+		}
 
-	m_AppContainerSid = Sid;
+		m_AppContainerSid = Sid;
+
+		ZEN_INFO("AppContainer sandboxing enabled for child processes (profile={})", WideToUtf8(m_AppContainerName));
+	}
 
-	ZEN_INFO("AppContainer sandboxing enabled for child processes (profile={})", WideToUtf8(m_AppContainerName));
+	StartMonitorThread();
 }
 
 WindowsProcessRunner::~WindowsProcessRunner()
 {
+	if (m_JobObject)
+	{
+		CloseHandle(m_JobObject);
+		m_JobObject = nullptr;
+	}
+
 	if (m_AppContainerSid)
 	{
 		FreeSid(m_AppContainerSid);
@@ -172,9 +205,9 @@ WindowsProcessRunner::SubmitAction(Ref<RunnerAction> Action)
 	LPSECURITY_ATTRIBUTES lpProcessAttributes = nullptr;
 	LPSECURITY_ATTRIBUTES lpThreadAttributes  = nullptr;
 	BOOL				  bInheritHandles	  = FALSE;
-	DWORD				  dwCreationFlags	  = DETACHED_PROCESS;
+	DWORD				  dwCreationFlags	  = CREATE_SUSPENDED | DETACHED_PROCESS;
 
-	ZEN_DEBUG("Executing: {} (sandboxed={})", WideToUtf8(CommandLine.c_str()), m_Sandboxed);
+	ZEN_DEBUG("{}: '{}' (sandbox='{}')", m_Sandboxed ? "Sandboxing" : "Executing", WideToUtf8(CommandLine.c_str()), Prepared->SandboxPath);
 
 	CommandLine.EnsureNulTerminated();
 
@@ -260,14 +293,21 @@ WindowsProcessRunner::SubmitAction(Ref<RunnerAction> Action)
 		}
 	}
 
-	CloseHandle(ProcessInformation.hThread);
+	if (m_JobObject)
+	{
+		AssignProcessToJobObject(m_JobObject, ProcessInformation.hProcess);
+	}
 
-	Ref<RunningAction> NewAction{new RunningAction()};
-	NewAction->Action		 = Action;
-	NewAction->ProcessHandle = ProcessInformation.hProcess;
-	NewAction->SandboxPath	 = std::move(Prepared->SandboxPath);
+	ResumeThread(ProcessInformation.hThread);
+	CloseHandle(ProcessInformation.hThread);
 
 	{
+		Ref<RunningAction> NewAction{new RunningAction()};
+		NewAction->Action		 = Action;
+		NewAction->ProcessHandle = ProcessInformation.hProcess;
+		NewAction->Pid			 = ProcessInformation.dwProcessId;
+		NewAction->SandboxPath	 = std::move(Prepared->SandboxPath);
+
 		RwLock::ExclusiveLockScope _(m_RunningLock);
 
 		m_RunningMap[Prepared->ActionLsn] = std::move(NewAction);
@@ -275,6 +315,8 @@ WindowsProcessRunner::SubmitAction(Ref<RunnerAction> Action)
 
 	Action->SetActionState(RunnerAction::State::Running);
 
+	ZEN_DEBUG("Local runner: action LSN {} -> PID {}", Action->ActionLsn, ProcessInformation.dwProcessId);
+
 	return SubmitResult{.IsAccepted = true};
 }
 
@@ -294,6 +336,11 @@ WindowsProcessRunner::SweepRunningActions()
 
 			if (IsSuccess && ExitCode != STILL_ACTIVE)
 			{
+				ZEN_DEBUG("Local runner: action LSN {} + PID {} exited with code " ZEN_BRIGHT_WHITE("{}"),
+						  Running->Action->ActionLsn,
+						  Running->Pid,
+						  ExitCode);
+
 				CloseHandle(Running->ProcessHandle);
 				Running->ProcessHandle = INVALID_HANDLE_VALUE;
 				Running->ExitCode	   = ExitCode;
-- 
cgit v1.2.3