soulbird opened a new issue #6729:
URL: https://github.com/apache/apisix/issues/6729


   ### Description
   
   I noticed that the serverless plugin allows users to run custom functions, but it doesn't seem to have any restrictions. Some illegal code from the user may cause the apisix service to be unavailable. For example:
   ```bash
   curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
   {
       "uri": "/index.html",
       "plugins": {
           "serverless-pre-function": {
               "phase": "rewrite",
               "functions" : ["return function() ngx.ctx.api_ctx = nil; end"]
           }
       },
       "upstream": {
           "type": "roundrobin",
           "nodes": {
               "127.0.0.1:1980": 1
           }
       }
   }'
   ```
   And when you request apisix, it won't work
   ```bash
   curl -v http://127.0.0.1:9080/index.html
   
   *   Trying 127.0.0.1:9080...
   * Connected to 127.0.0.1 (127.0.0.1) port 9080 (#0)
   > GET /index.html HTTP/1.1
   > Host: 127.0.0.1:9080
   > User-Agent: curl/7.77.0
   > Accept: */*
   > 
   * Mark bundle as not supporting multiuse
   < HTTP/1.1 500 Internal Server Error
   < Date: Sun, 27 Mar 2022 02:28:10 GMT
   < Content-Type: text/html; charset=utf-8
   < Transfer-Encoding: chunked
   < Connection: close
   < Server: APISIX/2.12.0
   < 
   <!DOCTYPE html>
   <html>
   <head>
   <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
   <meta content="utf-8" http-equiv="encoding">
   <title>500 Internal Server Error</title>
   <style>
       body {
           width: 35em;
           margin: 0 auto;
           font-family: Tahoma, Verdana, Arial, sans-serif;
       }
   </style>
   </head>
   <body>
   ```
   
   This is just a simple example, hackers may have many more ways to exploit this vulnerability to attack your system.
   
   So, I think apisix can make some restrictions on custom functions in serverless plugins to ensure that they run in a more secure environment.
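One way to give user-supplied serverless functions the restricted environment the report asks for is to compile each function string with a whitelisted global environment instead of the real `_G`, so that a function body cannot reach `ngx.ctx` (where APISIX keeps `api_ctx`) or any other global the plugin author did not explicitly expose. The following is an added example written for this issue; it is not APISIX's own code, and the helper names (`readonly`, `build_env`, `compile_sandboxed`, `run_sandboxed`) and the `ngx_stub` table are assumptions made so the script also runs under plain LuaJIT / Lua 5.1+ outside OpenResty:

```lua
-- Added example (not APISIX code): compile a serverless function inside a
-- whitelisted environment. Works on LuaJIT / Lua 5.1 (loadstring + setfenv)
-- and on Lua 5.2+ (load with an explicit env).

-- Read-only proxy: reads fall through to `tbl`, writes raise an error, and the
-- metatable is hidden so sandboxed code cannot pull the real table back out.
local function readonly(tbl)
  return setmetatable({}, {
    __index = tbl,
    __newindex = function(_, k)
      error("attempt to modify read-only field '" .. tostring(k) .. "'", 2)
    end,
    __metatable = false,
  })
end

-- Environment seen by user code: a few pure-Lua helpers plus a hand-picked
-- subset of the ngx API. ngx.ctx, ngx.shared, os, io, debug, require and
-- getmetatable are deliberately absent.
local function build_env(ngx_api)
  local env = {
    pairs = pairs, ipairs = ipairs, next = next, select = select,
    tostring = tostring, tonumber = tonumber, type = type,
    pcall = pcall, error = error, unpack = unpack or table.unpack,
    string = readonly(string), table = readonly(table), math = readonly(math),
    ngx = readonly({
      say = ngx_api.say, log = ngx_api.log, exit = ngx_api.exit,
      var = ngx_api.var, header = ngx_api.header,
      HTTP_FORBIDDEN = ngx_api.HTTP_FORBIDDEN,
      ERR = ngx_api.ERR, WARN = ngx_api.WARN,
    }),
  }
  env._G = env
  return env
end

-- Compile `src` (a chunk that must return a function, as entries in the
-- plugin's "functions" array do) with `env` as its global environment.
-- Returns the function, or nil plus a message; suitable for check_schema.
local function compile_sandboxed(src, env, name)
  name = name or "serverless-fn"
  local chunk, err
  if setfenv then                        -- Lua 5.1 / LuaJIT
    chunk, err = loadstring(src, name)
    if chunk then setfenv(chunk, env) end
  else                                   -- Lua 5.2+
    chunk, err = load(src, name, "t", env)
  end
  if not chunk then return nil, "syntax error: " .. tostring(err) end
  local ok, fn = pcall(chunk)            -- run the chunk to obtain the function
  if not ok then return nil, "load error: " .. tostring(fn) end
  if type(fn) ~= "function" then return nil, "code must return a function" end
  return fn
end

-- Execute the compiled function; a runtime error becomes a plugin-level
-- failure the caller can log and turn into a controlled response.
local function run_sandboxed(fn, ...)
  local ok, err = pcall(fn, ...)
  if not ok then return false, "serverless function failed: " .. tostring(err) end
  return true
end

-- Constructed stand-in for the real ngx API so the script runs outside OpenResty.
local ngx_stub = ngx or {
  ctx = { api_ctx = { route = "r1" } }, var = { uri = "/index.html" },
  say = print, log = function(_, ...) print(...) end, exit = function() end,
  header = {}, HTTP_FORBIDDEN = 403, ERR = 4, WARN = 5,
}
local env = build_env(ngx_stub)

-- 1. The snippet from the report: ngx.ctx is not exposed, so the write fails
--    inside pcall and the real context stays intact.
local bad = assert(compile_sandboxed("return function() ngx.ctx.api_ctx = nil; end", env))
print(run_sandboxed(bad))            -- false  serverless function failed: ... 'ctx' (a nil value)
print(ngx_stub.ctx.api_ctx ~= nil)   -- true: api_ctx was never touched

-- 2. A well-behaved function still works with the exposed subset.
local good = assert(compile_sandboxed(
  "return function(conf, ctx) ngx.say('hello ' .. ngx.var.uri) end", env))
print(run_sandboxed(good, {}, {}))   -- prints "hello /index.html", then true

-- 3. Broken code is rejected at configuration time, not at request time.
print(compile_sandboxed("return function( end", env))   -- nil  syntax error: ...
```

The environment whitelist only controls which globals the function can name; it is not a CPU or memory limit, so a tight loop or a huge string built through the exposed `string` and `table` libraries will still consume worker resources. Treat it as one layer alongside restricting who can reach the Admin API at all, since anyone who can create a route with this plugin is already in a privileged position.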
   

