Start work on sandboxing fastly-world (#586)

elliottt · web-flow · commit ca1c44c9b163 · 2023-07-13T19:39:52.000+01:00
diff --git a/runtime/js-compute-runtime/builtins/client-info.cpp b/runtime/js-compute-runtime/builtins/client-info.cpp
@@ -1,6 +1,7 @@
 #include "builtins/client-info.h"
 #include "core/geo_ip.h"
 #include "host_interface/host_api.h"
+#include "host_interface/host_call.h"
 #include "openssl/evp.h"
 
 #include "js/JSON.h"
diff --git a/runtime/js-compute-runtime/builtins/config-store.cpp b/runtime/js-compute-runtime/builtins/config-store.cpp
@@ -5,7 +5,7 @@ namespace builtins {
 
 Dict ConfigStore::config_store_handle(JSObject *obj) {
   JS::Value val = JS::GetReservedSlot(obj, ConfigStore::Slots::Handle);
-  return Dict{static_cast<fastly_compute_at_edge_fastly_dictionary_handle_t>(val.toInt32())};
+  return Dict(val.toInt32());
 }
 
 bool ConfigStore::get(JSContext *cx, unsigned argc, JS::Value *vp) {
diff --git a/runtime/js-compute-runtime/builtins/dictionary.cpp b/runtime/js-compute-runtime/builtins/dictionary.cpp
@@ -5,7 +5,7 @@ namespace builtins {
 
 Dict Dictionary::dictionary_handle(JSObject *obj) {
   JS::Value val = JS::GetReservedSlot(obj, Dictionary::Slots::Handle);
-  return Dict{static_cast<fastly_compute_at_edge_fastly_dictionary_handle_t>(val.toInt32())};
+  return Dict(val.toInt32());
 }
 
 bool Dictionary::get(JSContext *cx, unsigned argc, JS::Value *vp) {
diff --git a/runtime/js-compute-runtime/builtins/headers.cpp b/runtime/js-compute-runtime/builtins/headers.cpp
@@ -73,7 +73,7 @@ bool lazy_values(JSObject *self) {
       .toBoolean();
 }
 
-fastly_compute_at_edge_fastly_request_handle_t get_handle(JSObject *self) {
+uint32_t get_handle(JSObject *self) {
   MOZ_ASSERT(Headers::is_instance(self));
   return static_cast<uint32_t>(
       JS::GetReservedSlot(self, static_cast<uint32_t>(Headers::Slots::Handle)).toInt32());
@@ -197,9 +197,7 @@ JS::UniqueChars normalize_header_value(JSContext *cx, JS::MutableHandleValue val
   return value;
 }
 
-namespace {
 JS::PersistentRooted<JSString *> comma;
-}
 
 // Append an already normalized value for an already normalized header name
 // to the JS side map, but not the host.
diff --git a/runtime/js-compute-runtime/builtins/kv-store.cpp b/runtime/js-compute-runtime/builtins/kv-store.cpp
@@ -116,8 +116,7 @@ namespace {
 
 ObjectStore kv_store_handle(JSObject *obj) {
   JS::Value val = JS::GetReservedSlot(obj, static_cast<uint32_t>(KVStore::Slots::KVStore));
-  return ObjectStore(
-      static_cast<fastly_compute_at_edge_fastly_object_store_handle_t>(val.toInt32()));
+  return ObjectStore(val.toInt32());
 }
 
 bool parse_and_validate_key(JSContext *cx, const char *key, size_t len) {
diff --git a/runtime/js-compute-runtime/builtins/request-response.cpp b/runtime/js-compute-runtime/builtins/request-response.cpp
@@ -740,9 +740,8 @@ bool RequestOrResponse::bodyAll(JSContext *cx, JS::CallArgs args, JS::HandleObje
 
   JS::RootedValue body_parser(cx, JS::PrivateValue((void *)parse_body<result_type>));
 
-  // If the body is a ReadableStream that's not backed by a
-  // fastly_compute_at_edge_fastly_body_handle_t, we need to manually read all chunks from the
-  // stream.
+  // If the body is a ReadableStream that's not backed by a body handle, we need to
+  // manually read all chunks from the stream.
   // TODO(performance): ensure that we're properly shortcutting reads from TransformStream
   // readables.
   // https://github.com/fastly/js-compute-runtime/issues/218
diff --git a/runtime/js-compute-runtime/builtins/secret-store.cpp b/runtime/js-compute-runtime/builtins/secret-store.cpp
@@ -5,8 +5,7 @@ namespace builtins {
 
 host_api::Secret SecretStoreEntry::secret_handle(JSObject *obj) {
   JS::Value val = JS::GetReservedSlot(obj, SecretStoreEntry::Slots::Handle);
-  return host_api::Secret{
-      static_cast<fastly_compute_at_edge_fastly_secret_handle_t>(val.toInt32())};
+  return host_api::Secret(val.toInt32());
 }
 
 bool SecretStoreEntry::plaintext(JSContext *cx, unsigned argc, JS::Value *vp) {
@@ -69,8 +68,7 @@ bool SecretStoreEntry::init_class(JSContext *cx, JS::HandleObject global) {
 
 host_api::SecretStore SecretStore::secret_store_handle(JSObject *obj) {
   JS::Value val = JS::GetReservedSlot(obj, SecretStore::Slots::Handle);
-  return host_api::SecretStore{
-      static_cast<fastly_compute_at_edge_fastly_secret_store_handle_t>(val.toInt32())};
+  return host_api::SecretStore(val.toInt32());
 }
 
 bool SecretStore::get(JSContext *cx, unsigned argc, JS::Value *vp) {
diff --git a/runtime/js-compute-runtime/host_interface/host_call.cpp b/runtime/js-compute-runtime/host_interface/host_call.cpp
@@ -1,24 +1,100 @@
 
+#include <type_traits>
+
+#include "host_interface/fastly.h"
 #include "host_interface/host_call.h"
 
-bool OwnedHostCallBuffer::initialize(JSContext *cx) {
-  // Ensure the buffer is all zeros so it doesn't add too much to the
-  // snapshot.
-  hostcall_buffer = (char *)js_calloc(HOSTCALL_BUFFER_LEN);
-  return !!hostcall_buffer;
-}
+// Ensure that our type synonyms match what's generated by wit-bindgen.
+static_assert(std::is_same_v<FastlyError, fastly_compute_at_edge_fastly_error_t>);
 
-OwnedHostCallBuffer::OwnedHostCallBuffer() {
-  MOZ_RELEASE_ASSERT(hostcall_buffer != nullptr);
-  borrowed_buffer = hostcall_buffer;
-  hostcall_buffer = nullptr;
-}
+/* Returns false if an exception is set on `cx` and the caller should
+   immediately return to propagate the exception. */
+void handle_fastly_error(JSContext *cx, FastlyError err, int line, const char *func) {
+  switch (err) {
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_GENERIC_ERROR:
+    JS_ReportErrorUTF8(cx,
+                       "%s: Generic error value. This means that some unexpected error "
+                       "occurred during a hostcall.\n",
+                       func);
 
-char *OwnedHostCallBuffer::get() { return borrowed_buffer; }
-
-OwnedHostCallBuffer::~OwnedHostCallBuffer() {
-  // TODO: consider adding a build config that makes this zero the buffer.
-  hostcall_buffer = borrowed_buffer;
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_INVALID_ARGUMENT:
+    JS_ReportErrorUTF8(cx, "%s: Invalid argument.\n", func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_BAD_HANDLE:
+    JS_ReportErrorUTF8(cx,
+                       "%s: Invalid handle. Thrown when a request, response, dictionary, or "
+                       "body handle is not valid.\n",
+                       func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_BUFFER_LEN:
+    JS_ReportErrorUTF8(cx, "%s: Buffer length error. Buffer is too long.\n", func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_UNSUPPORTED:
+    JS_ReportErrorUTF8(cx,
+                       "%s: Unsupported operation error. This error is thrown "
+                       "when some operation cannot be performed, because it is "
+                       "not supported.\n",
+                       func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_BAD_ALIGN:
+    JS_ReportErrorUTF8(cx,
+                       "%s: Alignment error. This is thrown when a pointer does not point to "
+                       "a properly aligned slice of memory.\n",
+                       func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_HTTP_INVALID:
+    JS_ReportErrorUTF8(cx,
+                       "%s: HTTP parse error. This can be thrown when a method, URI, header, "
+                       "or status is not valid. This can also be thrown if a message head is "
+                       "too large.\n",
+                       func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_HTTP_USER:
+    JS_ReportErrorUTF8(cx,
+                       "%s: HTTP user error. This is thrown in cases where user code caused "
+                       "an HTTP error. For example, attempt to send a 1xx response code, or a "
+                       "request with a non-absolute URI. This can also be caused by an "
+                       "unexpected header: both `content-length` and `transfer-encoding`, for "
+                       "example.\n",
+                       func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_HTTP_INCOMPLETE:
+    JS_ReportErrorUTF8(cx,
+                       "%s: HTTP incomplete message error. A stream ended "
+                       "unexpectedly.\n",
+                       func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_OPTIONAL_NONE:
+    JS_ReportErrorUTF8(cx,
+                       "%s: A `None` error. This status code is used to "
+                       "indicate when an optional value did not exist, as "
+                       "opposed to an empty value.\n",
+                       func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_HTTP_HEAD_TOO_LARGE:
+    JS_ReportErrorUTF8(cx,
+                       "%s: HTTP head too large error. This error will be thrown when the "
+                       "message head is too large.\n",
+                       func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_HTTP_INVALID_STATUS:
+    JS_ReportErrorUTF8(cx,
+                       "%s: HTTP invalid status error. This error will be "
+                       "thrown when the HTTP message contains an invalid "
+                       "status code.\n",
+                       func);
+    break;
+  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_LIMIT_EXCEEDED:
+    JS_ReportErrorUTF8(cx,
+                       "%s: Limit exceeded error. This error will be thrown when an attempt"
+                       "to allocate a resource has exceeded the maximum number of resources"
+                       "permitted. For example, creating too many response handles."
+                       "\n",
+                       func);
+    break;
+  default:
+    fprintf(stdout, __FILE__ ":%d (%s)\n", line, func);
+    JS_ReportErrorUTF8(cx, "Fastly error code %d", err);
+  }
 }
-
-char *OwnedHostCallBuffer::hostcall_buffer;
diff --git a/runtime/js-compute-runtime/host_interface/host_call.h b/runtime/js-compute-runtime/host_interface/host_call.h
@@ -1,123 +1,21 @@
 #ifndef JS_COMPUTE_RUNTIME_HOST_CALL_H
 #define JS_COMPUTE_RUNTIME_HOST_CALL_H
 
+#include <cstdint>
+
 // TODO: remove these once the warnings are fixed
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Winvalid-offsetof"
 #pragma clang diagnostic ignored "-Wdeprecated-enum-enum-conversion"
 #include "jsapi.h"
 #pragma clang diagnostic pop
 
-#include "host_interface/fastly.h"
-
-/* Returns false if an exception is set on `cx` and the caller should
-   immediately return to propagate the exception. */
-static inline void handle_fastly_error(JSContext *cx, fastly_compute_at_edge_fastly_error_t err,
-                                       int line, const char *func) {
-  switch (err) {
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_GENERIC_ERROR:
-    JS_ReportErrorUTF8(cx,
-                       "%s: Generic error value. This means that some unexpected error "
-                       "occurred during a hostcall.\n",
-                       func);
+using FastlyError = uint8_t;
 
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_INVALID_ARGUMENT:
-    JS_ReportErrorUTF8(cx, "%s: Invalid argument.\n", func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_BAD_HANDLE:
-    JS_ReportErrorUTF8(cx,
-                       "%s: Invalid handle. Thrown when a request, response, dictionary, or "
-                       "body handle is not valid.\n",
-                       func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_BUFFER_LEN:
-    JS_ReportErrorUTF8(cx, "%s: Buffer length error. Buffer is too long.\n", func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_UNSUPPORTED:
-    JS_ReportErrorUTF8(cx,
-                       "%s: Unsupported operation error. This error is thrown "
-                       "when some operation cannot be performed, because it is "
-                       "not supported.\n",
-                       func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_BAD_ALIGN:
-    JS_ReportErrorUTF8(cx,
-                       "%s: Alignment error. This is thrown when a pointer does not point to "
-                       "a properly aligned slice of memory.\n",
-                       func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_HTTP_INVALID:
-    JS_ReportErrorUTF8(cx,
-                       "%s: HTTP parse error. This can be thrown when a method, URI, header, "
-                       "or status is not valid. This can also be thrown if a message head is "
-                       "too large.\n",
-                       func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_HTTP_USER:
-    JS_ReportErrorUTF8(cx,
-                       "%s: HTTP user error. This is thrown in cases where user code caused "
-                       "an HTTP error. For example, attempt to send a 1xx response code, or a "
-                       "request with a non-absolute URI. This can also be caused by an "
-                       "unexpected header: both `content-length` and `transfer-encoding`, for "
-                       "example.\n",
-                       func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_HTTP_INCOMPLETE:
-    JS_ReportErrorUTF8(cx,
-                       "%s: HTTP incomplete message error. A stream ended "
-                       "unexpectedly.\n",
-                       func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_OPTIONAL_NONE:
-    JS_ReportErrorUTF8(cx,
-                       "%s: A `None` error. This status code is used to "
-                       "indicate when an optional value did not exist, as "
-                       "opposed to an empty value.\n",
-                       func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_HTTP_HEAD_TOO_LARGE:
-    JS_ReportErrorUTF8(cx,
-                       "%s: HTTP head too large error. This error will be thrown when the "
-                       "message head is too large.\n",
-                       func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_HTTP_INVALID_STATUS:
-    JS_ReportErrorUTF8(cx,
-                       "%s: HTTP invalid status error. This error will be "
-                       "thrown when the HTTP message contains an invalid "
-                       "status code.\n",
-                       func);
-    break;
-  case FASTLY_COMPUTE_AT_EDGE_FASTLY_ERROR_LIMIT_EXCEEDED:
-    JS_ReportErrorUTF8(cx,
-                       "%s: Limit exceeded error. This error will be thrown when an attempt"
-                       "to allocate a resource has exceeded the maximum number of resources"
-                       "permitted. For example, creating too many response handles."
-                       "\n",
-                       func);
-    break;
-  default:
-    fprintf(stdout, __FILE__ ":%d (%s)\n", line, func);
-    JS_ReportErrorUTF8(cx, "Fastly error code %d", err);
-  }
-}
+void handle_fastly_error(JSContext *cx, FastlyError err, int line, const char *func);
 
 #define HANDLE_ERROR(cx, err) handle_fastly_error(cx, err, __LINE__, __func__)
 
 #define HOSTCALL_BUFFER_LEN HEADER_MAX_LEN
 
-class OwnedHostCallBuffer {
-  static char *hostcall_buffer;
-  char *borrowed_buffer;
-
-public:
-  static bool initialize(JSContext *cx);
-
-  OwnedHostCallBuffer();
-  ~OwnedHostCallBuffer();
-
-  char *get();
-};
-
 #endif
diff --git a/runtime/js-compute-runtime/js-compute-builtins.cpp b/runtime/js-compute-runtime/js-compute-builtins.cpp
@@ -1275,12 +1275,6 @@ bool math_random(JSContext *cx, unsigned argc, Value *vp) {
 }
 
 bool define_fastly_sys(JSContext *cx, HandleObject global, FastlyOptions options) {
-  // Allocating the reusable hostcall buffer here means it's baked into the
-  // snapshot, and since it's all zeros, it won't increase the size of the
-  // snapshot.
-  if (!OwnedHostCallBuffer::initialize(cx))
-    return false;
-
   if (!GlobalProperties::init(cx, global))
     return false;
 

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ namespace builtins {`
`5`	`5`
`6`	`6`	`Dict ConfigStore::config_store_handle(JSObject *obj) {`
`7`	`7`	`JS::Value val = JS::GetReservedSlot(obj, ConfigStore::Slots::Handle);`
`8`		`- return Dict{static_cast<fastly_compute_at_edge_fastly_dictionary_handle_t>(val.toInt32())};`
	`8`	`+ return Dict(val.toInt32());`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`bool ConfigStore::get(JSContext cx, unsigned argc, JS::Value vp) {`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ namespace builtins {`
`5`	`5`
`6`	`6`	`Dict Dictionary::dictionary_handle(JSObject *obj) {`
`7`	`7`	`JS::Value val = JS::GetReservedSlot(obj, Dictionary::Slots::Handle);`
`8`		`- return Dict{static_cast<fastly_compute_at_edge_fastly_dictionary_handle_t>(val.toInt32())};`
	`8`	`+ return Dict(val.toInt32());`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`bool Dictionary::get(JSContext cx, unsigned argc, JS::Value vp) {`
Original file line number	Diff line number	Diff line change
`@@ -116,8 +116,7 @@ namespace {`
`116`	`116`
`117`	`117`	`ObjectStore kv_store_handle(JSObject *obj) {`
`118`	`118`	`JS::Value val = JS::GetReservedSlot(obj, static_cast<uint32_t>(KVStore::Slots::KVStore));`
`119`		`- return ObjectStore(`
`120`		`- static_cast<fastly_compute_at_edge_fastly_object_store_handle_t>(val.toInt32()));`
	`119`	`+ return ObjectStore(val.toInt32());`
`121`	`120`	`}`
`122`	`121`
`123`	`122`	`bool parse_and_validate_key(JSContext cx, const char key, size_t len) {`