Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: please turn the WASI returnOnExit option to default true #46923

Closed
HarikrishnanBalagopal opened this issue Mar 3, 2023 · 10 comments
Closed
Labels
feature request Issues that request new features to be added to Node.js. wasi Issues and PRs related to the WebAssembly System Interface.

Comments

@HarikrishnanBalagopal
Copy link

HarikrishnanBalagopal commented Mar 3, 2023

Feature Request

Overview

node/doc/api/wasi.md

Lines 139 to 142 in c4103c1

* `returnOnExit` {boolean} By default, WASI applications terminate the Node.js
process via the `__wasi_proc_exit()` function. Setting this option to `true`
causes `wasi.start()` to return the exit code rather than terminate the
process. **Default:** `false`.

node/lib/wasi.js

Lines 112 to 116 in c4103c1

if (options.returnOnExit !== undefined) {
validateBoolean(options.returnOnExit, 'options.returnOnExit');
if (options.returnOnExit)
wrap.proc_exit = FunctionPrototypeBind(wasiReturnOnProcExit, this);
}

The current behaviour is for the WASI/WASM module to exit the process when __wasi_proc_exit is called. Not only that, currently it also allows the WASI module to control the exit code.

This seems like a capability that should be explicitly provided to the module rather than something that is on by default. It's unintuitive that a process running in a sandbox would have the ability to crash the entire app without the caller giving it explicit permission to do so.

This is particularly an issue when running 3rd party modules since you rarely have a complete idea on when and where the module might call __wasi_proc_exit and with what exit codes.

Returning instead of exitting when a sandboxed process finishes aligns better with the principles of least privilege and secure by default.

Context

#46254 (comment)
https://github.com/nodejs/node/blob/main/test/wasi/test-return-on-exit.js

@VoltrexKeyva VoltrexKeyva added the wasi Issues and PRs related to the WebAssembly System Interface. label Mar 4, 2023
@bnoordhuis
Copy link
Member

@nodejs/wasi

@Trott Trott added the feature request Issues that request new features to be added to Node.js. label Mar 5, 2023
@mhdawson
Copy link
Member

@cjihrig what's your take on this? A default of true makes some sense to me but I'm sure you have more context.

@cjihrig
Copy link
Contributor

cjihrig commented Mar 28, 2023

I don't have strong feelings either way.

My only concern about making the default true is that the implementation of returnOnExit is currently pretty hacky. It monkey patches the WASI imports to throw a JavaScript Symbol that WASM cannot catch. If we were to make the default true, we should plumb the returnOnExit option to the native layer (ideally to here by making it an option on uvwasi_t).

EDIT: One thing that occurred to me is that we implemented the current hack because if proc_exit() did not exit the process, an assertion was raised (not from Node or uvwasi). If that assertion still exists, I'm not sure that we can cleanly return.

@cjihrig
Copy link
Contributor

cjihrig commented Mar 29, 2023

I brought this up in today's wasi team meeting. It sounds like our hacky approach is essentially the right way to go for now and we should change the default value of returnOnExit to true.

@mhdawson
Copy link
Member

@cjihrig I'm happy to put together a PR to change the default. It is potentially breaking though so I'm wondering if we should mark it SemVer Major even though the feature is experimental. What do you think. Also my plan would be to put the PR together early next week so it would not make the cutoff for 20.x

@tniessen
Copy link
Member

How about making it semver-minor and not backporting to 19.x and below?

@cjihrig
Copy link
Contributor

cjihrig commented Mar 30, 2023

WASI is still experimental in Node so we can change it at any time. But I do think not backporting it is a good idea.

@mhdawson
Copy link
Member

I like the suggestion as well. So we'll plan to mark semver-minor and then tag for don't backport to 19.x etc.

@mhdawson
Copy link
Member

I'll plan to submit a PR Friday or more likely Monday.

mhdawson added a commit to mhdawson/io.js that referenced this issue Apr 3, 2023
Refs: nodejs#46923

Signed-off-by: Michael Dawson <mdawson@devrus.com>
mhdawson added a commit to mhdawson/io.js that referenced this issue Apr 3, 2023
Refs: nodejs#46923

Signed-off-by: Michael Dawson <mdawson@devrus.com>
mhdawson added a commit to mhdawson/io.js that referenced this issue Apr 7, 2023
Refs: nodejs#46923

Signed-off-by: Michael Dawson <mdawson@devrus.com>
mhdawson added a commit that referenced this issue Apr 11, 2023
Refs: #46923

Signed-off-by: Michael Dawson <mdawson@devrus.com>

PR-URL: #47390
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this issue May 2, 2023
Refs: #46923

Signed-off-by: Michael Dawson <mdawson@devrus.com>

PR-URL: #47390
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
@mhdawson
Copy link
Member

I think this can be closed as the PR to switch the default has landed. Let me know if you think that was not the right thing to do.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature request Issues that request new features to be added to Node.js. wasi Issues and PRs related to the WebAssembly System Interface.
Projects
None yet
Development

No branches or pull requests

7 participants