vane 0.9.0

A flow-based reverse proxy with multi-layer routing and programmable pipelines.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292

/* src/plugins/system/exec.rs */

use crate::common::config::env_loader;
use crate::engine::interfaces::{MiddlewareOutput, ResolvedInputs};
use crate::plugins::core::external;
use anyhow::Result;
use fancy_log::{LogLevel, log};
use std::collections::HashMap;
use std::process::Stdio;
use std::time::Duration;
use tokio::io::AsyncWriteExt;
use tokio::process::Command;
use tokio::time::timeout;

pub async fn execute(
	program: &str,
	args: &[String],
	env: &HashMap<String, String>,
	inputs: ResolvedInputs,
) -> Result<MiddlewareOutput> {
	// SEC-2: Enforce trusted bin root validation at runtime.
	let resolved_program = match external::validate_command_path(program).await {
		Ok(p) => p,
		Err(e) => {
			log(
				LogLevel::Error,
				&format!("✗ Security violation during plugin execution: {e}"),
			);
			return Ok(MiddlewareOutput {
				branch: "failure".into(),
				store: None,
			});
		}
	};

	let timeout_secs = env_loader::get_env("FLOW_EXECUTION_TIMEOUT_SECS", "10".to_owned())
		.parse::<u64>()
		.unwrap_or(10);

	log(
		LogLevel::Debug,
		&format!(
			"➜ Spawning external command (timeout {}s): {} {:?}",
			timeout_secs,
			resolved_program.display(),
			args
		),
	);

	let mut cmd = Command::new(resolved_program);
	cmd.args(args);

	// SEC-3: Sanitize environment variables
	let allow_linker =
		env_loader::get_env("ALLOW_EXTERNAL_LINKER_ENV", "false".to_owned()).to_lowercase() == "true";
	let allow_runtime =
		env_loader::get_env("ALLOW_EXTERNAL_RUNTIME_ENV", "false".to_owned()).to_lowercase() == "true";
	let allow_shell =
		env_loader::get_env("ALLOW_EXTERNAL_SHELL_ENV", "false".to_owned()).to_lowercase() == "true";
	let allow_path_append = env_loader::get_env("ALLOW_EXTERNAL_PATH_ENV_APPEND", "false".to_owned())
		.to_lowercase()
		== "true";

	let mut sanitized_env = HashMap::new();

	for (key, value) in env {
		let k_up = key.to_uppercase();

		// Category 1: Linker (LD_*, DYLD_*, etc.)
		let is_linker = k_up.starts_with("LD_")
			|| k_up.starts_with("DYLD_")
			|| k_up.starts_with("_RLD_")
			|| k_up == "SHLIB_PATH"
			|| k_up == "LIBPATH";
		if is_linker {
			if allow_linker {
				sanitized_env.insert(key.clone(), value.clone());
			} else {
				log(
					LogLevel::Warn,
					&format!(
						"⚠ Security: Dropped Linker env var '{key}' (ALLOW_EXTERNAL_LINKER_ENV is false)"
					),
				);
			}
			continue;
		}

		// Category 2: Runtime (PYTHON*, NODE_*, etc.)
		let is_runtime = k_up.starts_with("PYTHON")
			|| k_up.starts_with("NODE_")
			|| k_up.starts_with("PERL")
			|| k_up.starts_with("RUBY")
			|| k_up.starts_with("JAVA_")
			|| k_up == "CLASSPATH";
		if is_runtime {
			if allow_runtime {
				sanitized_env.insert(key.clone(), value.clone());
			} else {
				log(
					LogLevel::Warn,
					&format!(
						"⚠ Security: Dropped Runtime env var '{key}' (ALLOW_EXTERNAL_RUNTIME_ENV is false)"
					),
				);
			}
			continue;
		}

		// Category 3: Shell (IFS, ENV, etc.)
		let is_shell = k_up == "IFS" || k_up == "ENV" || k_up == "BASH_ENV" || k_up == "SHELLOPTS";
		if is_shell {
			if allow_shell {
				sanitized_env.insert(key.clone(), value.clone());
			} else {
				log(
					LogLevel::Warn,
					&format!("⚠ Security: Dropped Shell env var '{key}' (ALLOW_EXTERNAL_SHELL_ENV is false)"),
				);
			}
			continue;
		}

		// Category 4: Path
		if k_up == "PATH" {
			if allow_path_append {
				let system_path = std::env::var("PATH").unwrap_or_default();
				let separator = if cfg!(windows) { ";" } else { ":" };
				let new_path = format!("{system_path}{separator}{value}");
				sanitized_env.insert(key.clone(), new_path);
				log(
					LogLevel::Debug,
					&format!("⚙ Appended user PATH to system PATH for plugin '{program}'"),
				);
			} else {
				log(
					LogLevel::Warn,
					&format!(
						"⚠ Security: Dropped PATH env var from plugin '{program}' (ALLOW_EXTERNAL_PATH_ENV_APPEND is false)"
					),
				);
			}
			continue;
		}

		// Other variables: Pass through
		sanitized_env.insert(key.clone(), value.clone());
	}

	cmd.envs(sanitized_env);
	cmd.stdin(Stdio::piped());
	cmd.stdout(Stdio::piped());
	// Refactor: Capture stderr to pipe instead of inheriting directly to terminal.
	// This allows us to wrap plugin logs with Vane's logging system.
	cmd.stderr(Stdio::piped());

	let mut child = match cmd.spawn() {
		Ok(c) => c,
		Err(e) => {
			log(
				LogLevel::Error,
				&format!("✗ Failed to spawn plugin process '{program}': {e}"),
			);
			return Ok(MiddlewareOutput {
				branch: "failure".into(),
				store: None,
			});
		}
	};

	// Write inputs to Stdin
	let mut input_payload = serde_json::to_vec(&inputs)?;
	input_payload.push(b'\n');

	if let Some(mut stdin) = child.stdin.take()
		&& let Err(e) = stdin.write_all(&input_payload).await
	{
		log(
			LogLevel::Error,
			&format!("✗ Failed to write to plugin stdin: {e}"),
		);
		let _ = child.kill().await;
		return Ok(MiddlewareOutput {
			branch: "failure".into(),
			store: None,
		});
	}

	// Wait for output (captures stdout and stderr) with timeout
	// We handle this manually because wait_with_output consumes the child object.
	let Some(stdout) = child.stdout.take() else {
		log(
			LogLevel::Error,
			&format!("✗ Failed to take stdout from plugin process '{program}'"),
		);
		let _ = child.kill().await;
		return Ok(MiddlewareOutput {
			branch: "failure".into(),
			store: None,
		});
	};
	let Some(stderr) = child.stderr.take() else {
		log(
			LogLevel::Error,
			&format!("✗ Failed to take stderr from plugin process '{program}'"),
		);
		let _ = child.kill().await;
		return Ok(MiddlewareOutput {
			branch: "failure".into(),
			store: None,
		});
	};

	let mut stdout_res = Vec::new();
	let mut stderr_res = Vec::new();

	let mut stdout_reader = tokio::io::BufReader::new(stdout);
	let mut stderr_reader = tokio::io::BufReader::new(stderr);

	let process_future = async {
		let (out_res, err_res, status_res) = tokio::join!(
			tokio::io::AsyncReadExt::read_to_end(&mut stdout_reader, &mut stdout_res),
			tokio::io::AsyncReadExt::read_to_end(&mut stderr_reader, &mut stderr_res),
			child.wait()
		);
		out_res.and(err_res).and(status_res)
	};

	let Ok(res) = timeout(Duration::from_secs(timeout_secs), process_future).await else {
		log(
			LogLevel::Error,
			&format!("✗ Plugin process '{program}' timed out after {timeout_secs}s. Killing child."),
		);
		let _ = child.kill().await;
		return Ok(MiddlewareOutput {
			branch: "failure".into(),
			store: None,
		});
	};

	let exit_status = match res {
		Ok(s) => s,
		Err(e) => {
			log(
				LogLevel::Error,
				&format!("✗ Plugin process '{program}' failed: {e}"),
			);
			return Ok(MiddlewareOutput {
				branch: "failure".into(),
				store: None,
			});
		}
	};

	// Refactor: Process captured stderr and log as Debug level.
	if !stderr_res.is_empty() {
		let stderr_output = String::from_utf8_lossy(&stderr_res);
		for line in stderr_output.lines() {
			if !line.trim().is_empty() {
				log(LogLevel::Debug, line);
			}
		}
	}

	if !exit_status.success() {
		log(
			LogLevel::Error,
			&format!("✗ Plugin process '{program}' exited with error status: {exit_status}"),
		);
		return Ok(MiddlewareOutput {
			branch: "failure".into(),
			store: None,
		});
	}

	// Parse Stdout as MiddlewareOutput
	let result: MiddlewareOutput = match serde_json::from_slice(&stdout_res) {
		Ok(r) => r,
		Err(e) => {
			log(
				LogLevel::Error,
				&format!("✗ Failed to parse output JSON from plugin '{program}': {e}"),
			);
			return Ok(MiddlewareOutput {
				branch: "failure".into(),
				store: None,
			});
		}
	};

	Ok(result)
}