feat(plugin): add exec_cmd helper for executing command in host #666
Conversation
Hey, just to chime in here. While I think this is a really cool feature to have (I think it can also be pretty great to allow plugins to spawn new panes with arbitrary commands or terminals in them), I'm a little worried about security concerns. We discussed things such as this in the past and agreed that before implementing this we need some sort of permission system. In the least, something that when you load the plugin alerts you that this plugin has permissions to run arbitrary commands on your machine, giving you the chance to back down.
Hi @imsnif, I've added a flag to allow the plugin to run host commands (forbidden by default). Can you give it another look?
Hey @tw4452852 - sorry for the misunderstanding. I didn't mean to add a flag that would allow all plugins to execute commands. That might be quite dangerous, I find. I was thinking right now to do something like add this to the layout where we load the plugin. Maybe under "run"?
Hi @imsnif, sorry, I misunderstood; thanks for your advice anyway. How about adding the flag under "plugin"? Because it only applies to plugins, I think. Like this:
@tw4452852 - sounds great!
@imsnif
Hey @tw4452852! Thank you for all of your excellent work here! I left a couple of small comments, but there is really just one thing we need to address before finally merging this!

Right now there is actually a pretty major security hole: everything in shim.rs is just convenience code for the plugins and isn't actually needed to write a plugin (it wouldn't be used at all in non-Rust plugins, for example). That means that any plugin can just directly call the host_exec_cmd without checking permissions.

I'll leave some comments with more details, but we essentially need to move the permissions check to the host side of things.
zellij-tile/src/shim.rs
@@ -37,6 +45,14 @@ pub fn open_file(path: &Path) { | |||
pub fn set_timeout(secs: f64) { | |||
unsafe { host_set_timeout(secs) }; | |||
} | |||
pub fn exec_cmd(cmd: &[String]) -> Result<(), PermissionDenied> { |
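Review bot: the permission check this signature implies (`Result<(), PermissionDenied>`) sits in zellij-tile/src/shim.rs, which is plugin-side convenience code that a non-Rust plugin never links; a plugin that calls the underlying host import directly skips it entirely, so the check belongs on the host side, with the shim kept as a thin wrapper. Since the host does not wait for the command to finish, a `Result` here can only report the permission decision, never whether the command ran or what it exited with; either document that limitation on the function or return nothing, as the reviewers below suggest.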
I don't think we need the Result here and I'd be fine with things failing silently (we don't currently have a way to see if the command was run successfully, even if we did have permissions). I'd personally just return nothing here, but if you disagree, just let me know!
I'd personally prefer to return something if we wait for the command to exit, so users may know if it's successful or not.
But right now, we don't wait for the command to finish, so I agree with your opinion for simplicity.
@tw4452852 I totally agree :) I'd like to monitor the running of the command eventually, but I'm not sure how we'll do that just yet, so maybe it's best for a second PR :)
I originally wanted to return the exit code, which indicates success or not. But I'm not sure if this is enough or general. Let's hold on to this for the moment.
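The two points raised in this review, that the permission check must be enforced on the host side rather than in the plugin shim, and that a return value can only report the permission decision while the host does not wait for the command, can be illustrated with a small host-side sketch. This is an added example, not zellij's code from this PR: the `PluginEnv` type, the `allow_exec_host_cmd` field, and the `authorize_exec` helper are assumptions made for the illustration, and the host function keeps a `Result` only so the host can log the refusal; the shim-facing wrapper that plugins call may return nothing, as agreed above.

```rust
use std::fmt;
use std::process::{Command, Stdio};

/// Why the host refused to run a command on a plugin's behalf.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PermissionDenied {
    /// The plugin was loaded without the exec permission (flag name is hypothetical).
    ExecHostCmd { plugin: String },
    /// The plugin passed an empty argv, so there is nothing to spawn.
    EmptyCommand { plugin: String },
}

impl fmt::Display for PermissionDenied {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            PermissionDenied::ExecHostCmd { plugin } => {
                write!(f, "plugin {:?} is not allowed to execute host commands", plugin)
            }
            PermissionDenied::EmptyCommand { plugin } => {
                write!(f, "plugin {:?} passed an empty command", plugin)
            }
        }
    }
}

/// Host-side record of one loaded plugin (constructed for this example, not
/// zellij's real type). The host fills the permission in from the layout when
/// it loads the plugin; the plugin itself has no way to write to it.
pub struct PluginEnv {
    pub name: String,
    pub allow_exec_host_cmd: bool,
}

impl PluginEnv {
    pub fn new(name: &str, allow_exec_host_cmd: bool) -> Self {
        PluginEnv { name: name.to_string(), allow_exec_host_cmd }
    }
}

/// The check itself, kept pure so it can be unit tested. Because it runs on the
/// host, a plugin that bypasses the shim and calls the host import directly is
/// still subject to it. Returns the validated argv for logging and spawning.
pub fn authorize_exec(env: &PluginEnv, cmd: &[String]) -> Result<Vec<String>, PermissionDenied> {
    if !env.allow_exec_host_cmd {
        return Err(PermissionDenied::ExecHostCmd { plugin: env.name.clone() });
    }
    if cmd.first().map_or(true, |program| program.is_empty()) {
        return Err(PermissionDenied::EmptyCommand { plugin: env.name.clone() });
    }
    Ok(cmd.to_vec())
}

/// The host import that a plugin shim's exec_cmd would wrap. Authorizes, logs the
/// plugin name and command for debugging, then spawns without waiting, so Ok(())
/// means only "permission granted and spawn attempted", not that the command
/// succeeded (the thread above notes the exit status is not tracked yet).
pub fn host_exec_cmd(env: &PluginEnv, cmd: &[String]) -> Result<(), PermissionDenied> {
    let argv = authorize_exec(env, cmd)?;
    eprintln!("plugin {:?} exec_cmd: {:?}", env.name, argv);
    let spawned = Command::new(&argv[0])
        .args(&argv[1..])
        .stdin(Stdio::null())
        .stdout(Stdio::null())
        .stderr(Stdio::null())
        .spawn();
    if let Err(e) = spawned {
        // Silent from the plugin's point of view, as agreed in the thread; the
        // host still records why so the failure can be debugged.
        eprintln!("plugin {:?} exec_cmd: spawn failed: {}", env.name, e);
    }
    Ok(())
}

fn main() {
    // "true" is a harmless command present on any POSIX system.
    let cmd: Vec<String> = vec!["true".to_string()];
    for &(name, allowed) in &[("untrusted-plugin", false), ("trusted-plugin", true)] {
        let env = PluginEnv::new(name, allowed);
        match host_exec_cmd(&env, &cmd) {
            Ok(()) => println!("{}: command dispatched", name),
            Err(e) => println!("{}: {}", name, e),
        }
    }
}
```

The point of the split is that `authorize_exec` is consulted by the host before it touches the process table, so no amount of plugin-side code can reach the spawn without passing through it; the shim is free to be a thin wrapper that returns nothing.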
Hi @TheLostLambda, thanks a lot for your review; it's really good advice and I've adopted all of it.
Thanks for your review comments. In the latest version, I also added more context to the log (the plugin's name and the command to run) for better debugging.
Signed-off-by: Tw <wei.tan@intel.com>
Signed-off-by: Tw <tw19881113@gmail.com>
This looks great! Thank you for all of your hard work on this and feel free to merge things whenever you're ready!
Additionally, @tw4452852, if you can't actually press the merge button, even after approval, just let me know and I'll merge for you!
Hi @TheLostLambda
No worries, all merged!
Signed-off-by: Tw <wei.tan@intel.com>