child_process: spawn() and spawnSync() validation

[cjihrig]

Checklist

• make -j4 test (UNIX), or vcbuild test nosign (Windows) passes
• tests and/or benchmarks are included
• commit message follows commit guidelines

Affected core subsystem(s)

child_process, src

Description of change

This PR is intended to fix#8096. The first commit prevents the abort from #8096 by verifying that the handle type is correct before trying to close it. This commit is semver-patch.

This leaves an uninformative EINVAL error being thrown due to the bad input. So, the second commit in this PR addresses that by producing more helpful errors in the JavaScript layer. In doing so, it better unifies the spawn() and spawnSync() input checking (which also nicely bubbles up to the other child_process methods). Additional spawnSync() specific checks are also provided. This commit is semver-major due to the changes in error messages.

The third commit removes redundant C++ type checks that are now done in the JS layer.

cc: @bnoordhuis, @targos, and @retrohacker from #8096

Fixes: #8096
Fixes: #8539

[Fishrock123]

Maybe a helper would be better?

[princejwesley]

Sounds like string, null and undefined are allowed.

On Aug 29, 2016 12:09 AM, "Jeremiah Senkpiel" [email protected]
wrote:

In lib/child_process.js
#8312 (comment):

@@ -329,6 +329,49 @@ function normalizeSpawnArguments(file /, args, options/){
else if (options === null || typeof options !== 'object')
throw new TypeError('"options" argument must be an object');

• // Validate the cwd, if present.
• if (options.cwd !== undefined &&

•  options.cwd !== null && 

•  !typeof options.cwd === 'string') 

Maybe a helper would be better? won't !typeof options.cwd === 'string'
cover all these 3 cases?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/nodejs/node/pull/8312/files/b4a6558fcbcf6cde50ff29af2d3487896ad91c68#r76536916,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABjB841u9wl3B9jlsDIb7RdsDKU0iWTcks5qkdXdgaJpZM4Ju-4I
.

[cjihrig]

Do you mean another function like isOptionalString() (where the optional part covers null and undefined)?

[bnoordhuis]

!typeof options.cwd === 'string' is always false, it should be !(typeof options.cwd === 'string') or (better) typeof options.cwd !== 'string'.

[cjihrig]

@bnoordhuis any opinion on the approach here?

[bnoordhuis]

The options.x !== undefined && options.x !== null clauses could be shortened to options.x != null and I'd probably put braces around the body of multi-line if statements.

Moving the validation logic to JS land basically LGTM though.

[bnoordhuis]

@cjihrig Ping.

[cjihrig]

I plan on getting back to this next week. Sorry for the delay.

[cjihrig]

@bnoordhuis updated, PTAL.

[cjihrig]

@bnoordhuis ping

[cjihrig]

ping @nodejs/collaborators

[sam-github]

I'll look at this, but because the test was added in the same commit as the additional checks, its hard to evaluate what is different, i.e., what the behaviour used to be. If the test was added, then the commit that changed the behaviour changed the test... it would be easy to understand the change.

[sam-github]

Many thumbs up for solid testing of these APIs, and better input validation.

cwd, detached, uid, gid are all implemented in normalizeSpawnArguments(), why aren't the tests in test/parallel/test-child-process-spawn-typeerror.js, instead of a new file?

Its not clear what tests should go where, and its also very difficult to determine what kind of test coverage there is, not in the line sense, but in the sense of: are the tests against spawnSync here valid for any of the other Sync calls? Any other spawn calls?

Its painful, but maybe the tests should be factored so they can be applied to all the child_process functions that use the same normalize? Or perhaps the tests should all just be in one file, with a comment in the test saying that even though it appears that only one API is tested, the underlying code is the same, so its hitting every API?

Unrelated to this PR, but I'm pretty disappointed that the arg permutation tests in test-child-process-spawn-typeerror.js were never extended to include *Sync, since arg permutations was such a rich source of bugs and inconsistencies, and I'm poking around, but I can't see any tests for their arg permutations.

But even though that problem is unrelated, its why I suggest that having the tests be organized in a way that its (EDIT) "easy" for a reader to verify the coverage scenarios is important.

[sam-github]

Does this have to be, literally, boolean? I would expect it to have to be truthy/falsy

[cjihrig]

It could probably be coerced to a Boolean, but the extra strictness is good IMO. Not that it matters much, but windowsVerbatimArguments isn't documented anyway, IIRC.

[sam-github]

I agree, its internal-only, so maybe not so important, and better to start strict. I don't agree strictness is generally good in this case, btw. It creates a bizarre API wherein truthy is sometimes true/false, sometimes null/undefined/0/"" are also false, sometimes not, and sometimes function/[]/{}/non-zero/"strings" are also true, and sometimes null or undefined are a "third way", neither true or false but some kind of other behaviour. Ouch. Anyhow, as a semi-private (but used by modules on npmjs.org none-the-less) API, I'm OK with this restriction.

[cjihrig]

cwd, detached, uid, gid are all implemented in normalizeSpawnArguments(), why aren't the tests in test/parallel/test-child-process-spawn-typeerror.js, instead of a new file?

I just did that because test-child-process-spawn-typeerror validates the types of the arguments passed in, but not specific properties (is options an object, but not specific values in options).

Its not clear what tests should go where, and its also very difficult to determine what kind of test coverage there is, not in the line sense, but in the sense of: are the tests against spawnSync here valid for any of the other Sync calls?

I agree that the tests are kind of all over the place. This PR is a step towards consolidating the behavior of spawn() and spawnSync(). Consolidating the tests would be a good followup.

Its painful, but maybe the tests should be factored so they can be applied to all the child_process functions that use the same normalize?

I think just about everything goes through normalizeSpawnArguments(), which is convenient.

[sam-github]

I just did that because test-child-process-spawn-typeerror validates the types of the arguments passed in, but not specific properties (is options an object, but not specific values in options).

The tests you add seemed like an obvious candidate to be in a "spawn typeerror" test, but I understand the distinction you draw above.

If you do draw that distinction, my request is that the name of the tests (and a comment at their top) clearly communicate it: the names/comments should indicate what that test is for, so that we don't get diffusion and confusion of tests over time.

For example:

• test-child-process-spawn-typeerror could perhaps be test-child-process-argument-permutations (with an XXX comment pointing out that the *Sync APIs are currently untested for permutation).
• test-child-process-spawnsync-validation-errors.js could be test-child-process-validation-errors.js (with a comment pointing out that while it doesn't explicitly test all the child_process APIs, that the underlying code is currently the same so they all inherit the same behaviour - or else just explicitly test them all so the tests are robust in the face of future refactors).

I suggest a rename like this because it would be a disaster if someone created a test-child-process-spawn-validation-errors.js (note the lack of sync) that had different validations in it than the spawnsync version you just made... the validations need to be in one place, so that the tests enforce consistent behaviour across the child_process API. For example, uid shouldn't be asserted to be integral for one API, but just a Number for another, and to be any Number except NaN for yet a third (which was the kind of situation we used to have).

[sam-github]

Assert NaN is not valid. Ditto below.

[sam-github]

0 and 1 are usually acceptable as truthy values, I think they should be accepted here.

[bnoordhuis]

I'd personally go for strict.

[bnoordhuis]

LGTM. Good test coverage.

[bnoordhuis]

I'd personally go for strict.

[thefourtheye]

Nit: If the input is an empty string, the error message might not be exactly appropriate.

[cjihrig]

Updated to specify "non-empty string"

[cjihrig]

CI: https://ci.nodejs.org/job/node-test-pull-request/5539/

New CI because Windows: https://ci.nodejs.org/job/node-test-pull-request/5545/

[cjihrig]

CI is all green.

[cjihrig]

Landed in b374ee8 (semver patch), fc7b0dd, and 45c9ca7.

[MylesBorins]

@Fishrock123 the bot should likely not be adding lts labels to anything labelled semver major

[Fishrock123]

@MylesBorins see nodejs/github-bot#105