1 files changed, 198 insertions, 24 deletions
diff --git a/website/cmd/server/main.go b/website/cmd/server/main.go
index ac09550a9..9f0092ed6 100644
--- a/website/cmd/server/main.go
+++ b/website/cmd/server/main.go
@@ -20,9 +20,13 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"net/url"
 	"os"
+	"path"
 	"regexp"
 	"strings"
+
+	"github.com/google/pprof/driver"
 )
 
 var redirects = map[string]string{
@@ -58,19 +62,37 @@ var redirects = map[string]string{
 
 	// Deprecated, but links continue to work.
 	"/cl": "https://gvisor-review.googlesource.com",
+
+	// Access package documentation.
+	"/gvisor": "https://pkg.go.dev/gvisor.dev/gvisor",
+
+	// Code search root.
+	"/cs": "https://cs.opensource.google/gvisor/gvisor",
 }
 
-var prefixHelpers = map[string]string{
-	"change": "https://github.com/google/gvisor/commit/%s",
-	"issue":  "https://github.com/google/gvisor/issues/%s",
-	"issues": "https://github.com/google/gvisor/issues/%s",
-	"pr":     "https://github.com/google/gvisor/pull/%s",
+type prefixInfo struct {
+	baseURL      string
+	checkValidID bool
+	queryEscape  bool
+}
+
+var prefixHelpers = map[string]prefixInfo{
+	"change": {baseURL: "https://github.com/google/gvisor/commit/%s", checkValidID: true},
+	"issue":  {baseURL: "https://github.com/google/gvisor/issues/%s", checkValidID: true},
+	"issues": {baseURL: "https://github.com/google/gvisor/issues/%s", checkValidID: true},
+	"pr":     {baseURL: "https://github.com/google/gvisor/pull/%s", checkValidID: true},
 
 	// Redirects to compatibility docs.
-	"c/linux/amd64": "/docs/user_guide/compatibility/linux/amd64/#%s",
+	"c/linux/amd64": {baseURL: "/docs/user_guide/compatibility/linux/amd64/#%s", checkValidID: true},
 
 	// Deprecated, but links continue to work.
-	"cl": "https://gvisor-review.googlesource.com/c/gvisor/+/%s",
+	"cl": {baseURL: "https://gvisor-review.googlesource.com/c/gvisor/+/%s", checkValidID: true},
+
+	// Redirect to source documentation.
+	"gvisor": {baseURL: "https://pkg.go.dev/gvisor.dev/gvisor/%s"},
+
+	// Redirect to code search, with the path as the query.
+	"cs": {baseURL: "https://cs.opensource.google/search?q=%s&ss=gvisor", queryEscape: true},
 }
 
 var (
@@ -144,7 +166,7 @@ func hostRedirectHandler(h http.Handler) http.Handler {
 }
 
 // prefixRedirectHandler returns a handler that redirects to the given formated url.
-func prefixRedirectHandler(prefix, baseURL string) http.Handler {
+func prefixRedirectHandler(prefix string, info prefixInfo) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if p := r.URL.Path; p == prefix {
 			// Redirect /prefix/ to /prefix.
@@ -152,11 +174,14 @@ func prefixRedirectHandler(prefix, baseURL string) http.Handler {
 			return
 		}
 		id := r.URL.Path[len(prefix):]
-		if !validID.MatchString(id) {
+		if info.checkValidID && !validID.MatchString(id) {
 			http.Error(w, "Not found", http.StatusNotFound)
 			return
 		}
-		target := fmt.Sprintf(baseURL, id)
+		if info.queryEscape {
+			id = url.QueryEscape(id)
+		}
+		target := fmt.Sprintf(info.baseURL, id)
 		redirectWithQuery(w, r, target)
 	})
 }
@@ -168,30 +193,178 @@ func redirectHandler(target string) http.Handler {
 	})
 }
 
-// redirectRedirects registers redirect http handlers.
+// registerRedirects registers redirect http handlers.
 func registerRedirects(mux *http.ServeMux) {
-	if mux == nil {
-		mux = http.DefaultServeMux
-	}
-
-	for prefix, baseURL := range prefixHelpers {
+	for prefix, info := range prefixHelpers {
 		p := "/" + prefix + "/"
-		mux.Handle(p, hostRedirectHandler(wrappedHandler(prefixRedirectHandler(p, baseURL))))
+		mux.Handle(p, hostRedirectHandler(wrappedHandler(prefixRedirectHandler(p, info))))
 	}
-
 	for path, redirect := range redirects {
 		mux.Handle(path, hostRedirectHandler(wrappedHandler(redirectHandler(redirect))))
 	}
 }
 
-// registerStatic registers static file handlers
+// registerStatic registers static file handlers.
 func registerStatic(mux *http.ServeMux, staticDir string) {
-	if mux == nil {
-		mux = http.DefaultServeMux
-	}
 	mux.Handle("/", hostRedirectHandler(wrappedHandler(http.FileServer(http.Dir(staticDir)))))
 }
 
+// profileMeta implements synthetic flags for pprof.
+type profileMeta struct {
+	// Mux is the mux to register on.
+	Mux *http.ServeMux
+
+	// SourceURL is the source of the profile.
+	SourceURL string
+}
+
+func (*profileMeta) ExtraUsage() string                                   { return "" }
+func (*profileMeta) AddExtraUsage(string)                                 {}
+func (*profileMeta) Bool(_ string, def bool, _ string) *bool              { return &def }
+func (*profileMeta) Int(_ string, def int, _ string) *int                 { return &def }
+func (*profileMeta) Float64(_ string, def float64, _ string) *float64     { return &def }
+func (*profileMeta) StringList(_ string, def string, _ string) *[]*string { return new([]*string) }
+func (*profileMeta) String(option string, def string, _ string) *string {
+	switch option {
+	case "http":
+		// Only http is specified. Other options may be accessible via
+		// the web interface, so we just need to spoof a valid option
+		// here. The server is actually bound by HTTPServer, below.
+		value := "localhost:80"
+		return &value
+	case "symbolize":
+		// Don't attempt symbolization. Most profiles should come with
+		// mappings built-in to the profile itself.
+		value := "none"
+		return &value
+	default:
+		return &def // Default.
+	}
+}
+
+// Parse implements plugin.FlagSet.Parse.
+func (p *profileMeta) Parse(usage func()) []string {
+	// Just return the SourceURL. This is interpreted as the profile to
+	// download. We validate that the URL corresponds to a Google Cloud
+	// Storage URL below.
+	return []string{p.SourceURL}
+}
+
+// pprofFixedPrefix is used to limit the exposure to SSRF.
+//
+// See registerProfile below.
+const pprofFixedPrefix = "https://storage.googleapis.com/"
+
+// allowedBuckets enforces constraints on the pprof target.
+//
+// If the continuous integration system is changed in the future to use
+// additional buckets, they may be whitelisted here. See registerProfile.
+var allowedBuckets = map[string]bool{
+	"gvisor-buildkite": true,
+}
+
+// Target returns the URL target.
+func (p *profileMeta) Target() string {
+	return fmt.Sprintf("/profile/%s/", p.SourceURL[len(pprofFixedPrefix):])
+}
+
+// HTTPServer is a function passed to driver.PProf.
+func (p *profileMeta) HTTPServer(args *driver.HTTPServerArgs) error {
+	target := p.Target()
+	for subpath, handler := range args.Handlers {
+		handlerPath := path.Join(target, subpath)
+		if len(handlerPath) < len(target) {
+			// Don't clean the target, match only as the literal
+			// directory path in order to keep relative links
+			// working in the profile. E.g. /profile/foo/ is the
+			// base URL for the profile at https://.../foo.
+			//
+			// The base target typically shows the dot-based graph,
+			// which will not work in the image (due to the lack of
+			// a dot binary to execute). Therefore, we redirect to
+			// the flamegraph handler. Everything should otherwise
+			// work the exact same way, except the "Graph" link.
+			handlerPath = target
+			handler = redirectHandler(path.Join(handlerPath, "flamegraph"))
+		}
+		p.Mux.Handle(handlerPath, handler)
+	}
+	return nil
+}
+
+// registerProfile registers the profile handler.
+//
+// Note that this has a security surface worth considering.
+//
+// We are passed effectively a URL, which we fetch and parse,
+// then display the profile output. We limit the possibility of
+// SSRF by interpreting the URL strictly as a part to an object
+// in Google Cloud Storage, and further limit the buckets that
+// may be used. This contains the vast majority of concerns,
+// since objects must at least be uploaded by our CI system.
+//
+// However, we additionally consider the possibility that users
+// craft malicious profile objects (somehow) and pass those URLs
+// here as well. It seems feasible that we could parse a profile
+// that causes a crash (DOS), but this would be automatically
+// handled without a blip. It seems unlikely that we could parse a
+// profile that gives full code execution, but even so there is
+// nothing in this image except this code and CA certs. At worst,
+// code execution would enable someone to serve up content under the
+// web domain. This would be ephemeral with the specific instance,
+// and persisting such an attack would require constantly crashing
+// instances in whatever way gives remote code execution. Even if
+// this were possible, it's unlikely that exploiting such a crash
+// could be done so constantly and consistently.
+//
+// The user can also fill the "disk" of this container instance,
+// causing an OOM and a crash. This has similar semantics to the
+// DOS scenario above, and would just be handled by Cloud Run.
+//
+// Note that all of the above scenarios would require uploading
+// malicious profiles to controller buckets, and a clear audit
+// trail would exist in those cases.
+func registerProfile(mux *http.ServeMux) {
+	const urlPrefix = "/profile/"
+	mux.Handle(urlPrefix, hostRedirectHandler(wrappedHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Extract the URL; this is everything except the final /.
+		parts := strings.Split(r.URL.Path[len(urlPrefix):], "/")
+		if len(parts) == 0 {
+			http.Error(w, "Invalid URL: no bucket provided.", http.StatusNotFound)
+			return
+		}
+		if !allowedBuckets[parts[0]] {
+			http.Error(w, fmt.Sprintf("Invalid URL: not an allowed bucket (%s).", parts[0]), http.StatusNotFound)
+			return
+		}
+		url := pprofFixedPrefix + strings.Join(parts[:len(parts)-1], "/")
+		if url == pprofFixedPrefix {
+			http.Error(w, "Invalid URL: no path provided.", http.StatusNotFound)
+			return
+		}
+
+		// Set up the meta handler. This will modify the original mux
+		// accordingly, and we ultimately return a redirect that
+		// includes all the original arguments. This means that if we
+		// ever hit a server that does not have this profile loaded, it
+		// will load and redirect again.
+		meta := &profileMeta{
+			Mux:       mux,
+			SourceURL: url,
+		}
+		if err := driver.PProf(&driver.Options{
+			Flagset:    meta,
+			HTTPServer: meta.HTTPServer,
+		}); err != nil {
+			http.Error(w, fmt.Sprintf("Invalid profile: %v", err), http.StatusNotImplemented)
+			return
+		}
+
+		// Serve the path directly.
+		mux.ServeHTTP(w, r)
+	}))))
+}
+
 func envFlagString(name, def string) string {
 	if val := os.Getenv(name); val != "" {
 		return val
@@ -211,8 +384,9 @@ var (
 func main() {
 	flag.Parse()
 
-	registerRedirects(nil)
-	registerStatic(nil, *staticDir)
+	registerRedirects(http.DefaultServeMux)
+	registerStatic(http.DefaultServeMux, *staticDir)
+	registerProfile(http.DefaultServeMux)
 
 	log.Printf("Listening on %s...", *addr)
 	log.Fatal(http.ListenAndServe(*addr, nil))