fix(scripting): resolve Medium code-review finding (Core.Scripting-003)
Add System.Threading.Tasks to ForbiddenNamespacePrefixes so scripts cannot use Task.Run / Parallel to spawn background work that outlives the per-evaluation timeout. Document the unbounded-memory accepted trade-off and the Task denial rationale in docs/VirtualTags.md (new "Known resource limits" subsection) and cross-reference from docs/ScriptedAlarms.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Joseph Doherty
@@ -7,7 +7,7 @@
|
||||
| Review date | 2026-05-22 |
|
||||
| Commit reviewed | `76d35d1` |
|
||||
| Status | Reviewed |
|
||||
| Open findings | 9 |
|
||||
| Open findings | 5 |
|
||||
|
||||
## Checklist coverage
|
||||
|
||||
@@ -112,7 +112,7 @@ node form plus over-block guards for allowed generics/`typeof`.
|
||||
| Severity | Medium |
|
||||
| Category | Security |
|
||||
| Location | `TimedScriptEvaluator.cs:9`, `ScriptSandbox.cs:30` |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** There is no bound on memory a script may allocate or on the number of
|
||||
threads/tasks a script may spawn. The class docs acknowledge unbounded memory as "a budget
|
||||
@@ -132,7 +132,7 @@ script authoring behind an Admin permission and treat the test-harness preview a
|
||||
control point, or track an explicit v3 issue for out-of-process execution. Record the
|
||||
decision so it is not silently lost.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-22 — added `System.Threading.Tasks` to `ForbiddenNamespacePrefixes` (blocking `Task.Run` / `Parallel` fan-out); documented the unbounded-memory accepted risk and the `Task` denial rationale in `docs/VirtualTags.md` (new "Known resource limits" subsection) and cross-referenced from `docs/ScriptedAlarms.md`.
|
||||
|
||||
### Core.Scripting-004
|
||||
|
||||
@@ -141,7 +141,7 @@ decision so it is not silently lost.
|
||||
| Severity | Medium |
|
||||
| Category | Correctness & logic bugs |
|
||||
| Location | `DependencyExtractor.cs:73` |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** The walker matches tag-access calls purely by spelling — any
|
||||
`InvocationExpressionSyntax` whose member name is `GetTag` or `SetVirtualTag` is treated as
|
||||
@@ -160,7 +160,7 @@ member-access call to a non-ctx `GetTag` is untested and would be misattributed.
|
||||
(matching the `ScriptGlobals<TContext>.ctx` field name). Add a test for
|
||||
`someOtherObject.GetTag("X")` asserting it is ignored.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-22 — `VisitInvocationExpression` now additionally checks that `member.Expression` is an `IdentifierNameSyntax` with `ValueText == "ctx"` before treating the call as a dependency; test `Ignores_member_access_GetTag_on_non_ctx_receiver` added to `DependencyExtractorTests`.
|
||||
|
||||
### Core.Scripting-005
|
||||
|
||||
@@ -215,7 +215,7 @@ evicted.
|
||||
| Severity | Medium |
|
||||
| Category | Error handling & resilience |
|
||||
| Location | `TimedScriptEvaluator.cs:60` |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** `RunAsync` wraps the inner run in `Task.Run(...)` and then awaits
|
||||
`WaitAsync(Timeout, ct)`. If the caller-supplied `ct` cancels at roughly the same time the
|
||||
@@ -231,7 +231,7 @@ and throw `OperationCanceledException(ct)` instead of `ScriptTimeoutException` w
|
||||
caller's token is cancelled, so caller cancellation deterministically wins regardless of
|
||||
race ordering.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-22 — in the `catch (TimeoutException)` handler, `ct.IsCancellationRequested` is now checked and `OperationCanceledException(ct)` thrown before `ScriptTimeoutException`, so caller cancellation deterministically wins regardless of race ordering; regression test `Caller_cancellation_wins_even_when_timeout_fires_first` added to `TimedScriptEvaluatorTests`.
|
||||
|
||||
### Core.Scripting-008
|
||||
|
||||
@@ -292,7 +292,7 @@ code.
|
||||
| Severity | Medium |
|
||||
| Category | Testing coverage |
|
||||
| Location | `tests/Core/ZB.MOM.WW.OtOpcUa.Core.Scripting.Tests/ScriptSandboxTests.cs:54` |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** The sandbox-escape test suite covers only the four obvious vectors
|
||||
(File / Http / Process / Reflection) as direct member-access calls. It does not test:
|
||||
@@ -309,7 +309,7 @@ surface.
|
||||
Core.Scripting-002 and every forbidden namespace/member in Core.Scripting-001. Each must
|
||||
assert a `ScriptSandboxViolationException` (or `CompilationErrorException`) at compile.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-22 — added `ScriptSandboxTests` cases for `System.Threading.Thread`, `System.Threading.Tasks.Task.Run`, `System.Runtime.InteropServices.Marshal`, and `Microsoft.Win32.Registry` (the four namespace-deny-list vectors that had no test); the 001/002 vectors (Environment.Exit/FailFast/AppDomain/GC/Activator, typeof, generics, cast, default(T), is/as, array element, declared variable) were already covered by the -001/-002 resolution commits. All 79 tests pass.
|
||||
|
||||
### Core.Scripting-011
|
||||
|
||||
|
||||
Reference in New Issue
Block a user