25441446766

Committed 06 May 2026 02:26PM UTC coverage: 56.7% (-0.1%) from 56.83%

Build # 25441446766

Build Type

push

github

Committed by

web-flow

Commit Message

Vs security fix (#2106)

* VS Security fixes

* reformatting and update to trick sims

* cleanup

* more cleanup

* docs

* Test fix

* added stuff

* More stuff

* test fix

* trick sims update

* trick sims update2

* Rename to allowlist

* Remove returns for allow, disable, allow_all functions

* Change various function returns to bool

* Added free for getaddrinfo.

* Revise Variable Server documentation for security updates

Updated documentation to clarify that the variable server is disabled by default for security reasons and must be enabled prior to initialization. Enhanced security warnings regarding the potential risks of enabling the variable server.

* Warning update and moving adding localhost to after connections are allowed

* Clarify variable server disabled by default for security

Update documentation to clarify variable server security changes.

* Update default allowed IPs in Variable-Server.md

Clarified the default allowed IPs for the variable server.

* Add session deletion in VariableServerSessionThread_test

Fixed memory management by deleting session in the destructor.

---------

Co-authored-by: Brendan Fattig <brendan.fattig@nasa.gov>
Co-authored-by: Hong Chen <hchen99@users.noreply.github.com>
Co-authored-by: Sean Harmeyer <117398532+sharmeye@users.noreply.github.com>
Co-authored-by: Sean Harmeyer <sean.g.harmeyer@nasa.gov>

Coverage Stats

51 of 102 new or added lines in 4 files covered. (50.0%)

24 existing lines in 6 files now uncovered.

12902 of 22755 relevant lines covered (56.7%)

301334.0 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

78.29

/trick_source/sim_services/VariableServer/VariableServer.cpp


#include <netdb.h>
#include <iostream>
#include "trick/VariableServer.hh"
#include "trick/tc_proto.h"
#include "trick/Message_proto.hh"
#include "trick/message_proto.h"

Trick::VariableServer * the_vs ;

Trick::VariableServer::VariableServer() :
 enabled(false) ,
 info_msg(false),
 log(false),
 allow_connections(false),
 bypass_ip_check(false)
{
    the_vs = this ;
    pthread_mutex_init(&map_mutex, NULL);
}

Trick::VariableServer::~VariableServer() {
    the_vs = NULL;
}

void Trick::VariableServer::shutdownConnections() {
    listen_thread.shutdownConnections();
}

std::ostream& Trick::operator<< (std::ostream& s, Trick::VariableServer& vs) {
    std::map < pthread_t , VariableServerSessionThread * >::iterator it ;

    s << "{\"variable_server_connections\":[\n";
    int count = 0;
    int n_connections = (int)vs.var_server_threads.size();
    for ( it = vs.var_server_threads.begin() ; it != vs.var_server_threads.end() ; ++it ) {
        s << "{\n";
        s << *(*it).second;
        s << "}";
        if ((n_connections-count)>1) {
            s << "," ;
        }
        s << "\n";
        count ++;
    }
    s << "]}" << std::endl;
    return s;
}

bool Trick::VariableServer::get_enabled() {
    return enabled ;
}

void Trick::VariableServer::set_enabled(bool on_off) {
    enabled = on_off ;

    if(enabled) {
        message_publish(MSG_WARNING, "Trick VariableServer: Enabling the Variable Server. See Trick documentation for associated security concerns\n");
    }
}

bool Trick::VariableServer::get_info_msg() {
    return info_msg ;
}

void Trick::VariableServer::set_var_server_info_msg_on() {
    info_msg = true;
    for ( auto& session_it : var_server_sessions ) {
        session_it.second->set_info_message(info_msg);
    }
}

void Trick::VariableServer::set_var_server_info_msg_off() {
    info_msg = false;
    for ( auto& session_it : var_server_sessions ) {
        session_it.second->set_info_message(info_msg);
    }
}

bool Trick::VariableServer::get_log() {
    return log ;
}

bool Trick::VariableServer::get_session_log() {
    return session_log ;
}

void Trick::VariableServer::set_var_server_log_on() {
    log = true;
    // turn log on for all current vs clients
    for ( auto& session_it : var_server_sessions ) {
        session_it.second->set_log(true);
    }
}

void Trick::VariableServer::set_var_server_log_off() {
    log = false;
    // turn log off for all current vs clients
    for ( auto& session_it : var_server_sessions ) {
        session_it.second->set_log(false);
    }
}

void Trick::VariableServer::set_var_server_session_log_on() {
    session_log = true;
    // turn log on for all current vs clients
    for ( auto& session_it : var_server_sessions ) {
        session_it.second->set_session_log(true);
    }
}

void Trick::VariableServer::set_var_server_session_log_off() {
    session_log = false;
    // turn log off for all current vs clients
    for ( auto& session_it : var_server_sessions ) {
        session_it.second->set_session_log(false);
    }
}

const char * Trick::VariableServer::get_hostname() {
    return listen_thread.get_hostname();
}

Trick::VariableServerListenThread & Trick::VariableServer::get_listen_thread() {
    return listen_thread ;
}

void Trick::VariableServer::add_vst(pthread_t in_thread_id, VariableServerSessionThread * in_vst) {
    pthread_mutex_lock(&map_mutex) ;
    var_server_threads[in_thread_id] = in_vst ;
    pthread_mutex_unlock(&map_mutex) ;
}

void Trick::VariableServer::add_session(pthread_t in_thread_id, VariableServerSession * in_session) {
    pthread_mutex_lock(&map_mutex) ;
    var_server_sessions[in_thread_id] = in_session ;
    pthread_mutex_unlock(&map_mutex) ;
}

Trick::VariableServerSessionThread * Trick::VariableServer::get_vst(pthread_t thread_id) {
    std::map < pthread_t , Trick::VariableServerSessionThread * >::iterator it ;
    Trick::VariableServerSessionThread * ret = NULL ;
    pthread_mutex_lock(&map_mutex) ;
    it = var_server_threads.find(thread_id) ;
    if ( it != var_server_threads.end() ) {
        ret = (*it).second ;
    }
    pthread_mutex_unlock(&map_mutex) ;
    return ret ;
}

Trick::VariableServerSession * Trick::VariableServer::get_session(pthread_t thread_id) {
    Trick::VariableServerSession * ret = NULL ;
    pthread_mutex_lock(&map_mutex) ;
    auto it = var_server_sessions.find(thread_id) ;
    if ( it != var_server_sessions.end() ) {
        ret = (*it).second ;
    }
    pthread_mutex_unlock(&map_mutex) ;
    return ret ;
}

void Trick::VariableServer::delete_vst(pthread_t thread_id) {
    pthread_mutex_lock(&map_mutex) ;
    var_server_threads.erase(thread_id) ;
    pthread_mutex_unlock(&map_mutex) ;
}

void Trick::VariableServer::delete_session(pthread_t thread_id) {
    pthread_mutex_lock(&map_mutex) ;
    var_server_sessions.erase(thread_id) ;
    pthread_mutex_unlock(&map_mutex) ;
}

void Trick::VariableServer::set_copy_data_job( Trick::JobData * in_job ) {
    copy_data_job = in_job ;
}

void Trick::VariableServer::set_copy_and_write_freeze_job( Trick::JobData * in_job ) {
    copy_and_write_freeze_job = in_job ;
}

bool Trick::VariableServer::set_allow_connections(const bool& b) {
    if(b) {
        message_publish(MSG_WARNING, "Trick VariableServer: Enabling Variable Server Connectivity\n");
        add_ip("127.0.0.1");
    }

    return allow_connections = b ;
}

bool Trick::VariableServer::get_allow_connections() {
    return allow_connections ;
}

bool Trick::VariableServer::set_bypass_ip_check(const bool& b) {
    if(b) {
        message_publish(MSG_WARNING, "Trick VariableServer:\nBYPASSING IP SECURITY CHECK.\nANYONE ON THE NETWORK CAN CONNECT TO YOUR PYTHON INTERPRETER!\nYOU BETTER KNOW WHAT YOU'RE DOING!\n");
    }

    return bypass_ip_check = b ;
}

bool Trick::VariableServer::get_bypass_ip_check() {
    return bypass_ip_check ;
}

const std::set<std::string>& Trick::VariableServer::get_ip_allowlist() {
    return ip_allowlist ;
}

void Trick::VariableServer::add_ip(const std::string& ip) {
    std::string msg = "Trick VariableServer: Adding " + ip + " to the allowlist.\n" ;
    message_publish(MSG_INFO, msg.c_str()) ;

    ip_allowlist.insert(ip) ;
}

void Trick::VariableServer::remove_ip(const std::string& ip) {
    std::string msg = "Trick VariableServer: Removing " + ip + " from the allowlist.\n" ;
    message_publish(MSG_INFO, msg.c_str()) ;

    ip_allowlist.erase(ip) ;
}

bool Trick::VariableServer::check_ip(const std::string& ip) {
    bool valid = false;
    for (std::set<std::string>::iterator it = ip_allowlist.begin(); it != ip_allowlist.end(); ++it) {
        std::string entry = *it;
        size_t slash;

        struct in_addr addr;
        if (inet_pton(AF_INET, ip.c_str(), &addr) != 1) {
           return false;
        }
        uint32_t ipVal = ntohl(addr.s_addr);

        if( (slash = entry.find('/')) != std::string::npos ) {
            std::string network = entry.substr(0, slash);
            int prefix = std::stoi(entry.substr(slash + 1));

            if (inet_pton(AF_INET, network.c_str(), &addr) != 1) {
                continue;
            }
            uint32_t netVal = ntohl(addr.s_addr);

            uint32_t mask = (prefix == 0) ? 0 : (~0u << (32 - prefix));

            valid = (ipVal & mask) == (netVal & mask);
        }
        else {
            valid = (ip == entry);
        }

        if (valid) break ;
    }

    return valid;
}

void Trick::VariableServer::resolve_hostname() {
    if(enabled) {
        // Add your network IPs to the allowlist
        char hostname[256];
        if (gethostname(hostname, sizeof(hostname)) != 0) {
            return;
        }

        struct addrinfo hints{}, *res, *p;
        hints.ai_family = AF_INET;
        hints.ai_socktype = SOCK_STREAM;

        int status = getaddrinfo(hostname, nullptr, &hints, &res);
        if (status != 0) {
            return;
        }

        char ipstr[INET6_ADDRSTRLEN];
        for (p = res; p != nullptr; p = p->ai_next) {
            if (p->ai_family == AF_INET) {
                struct sockaddr_in *ipv4 = (struct sockaddr_in *)p->ai_addr;
                inet_ntop(p->ai_family, &(ipv4->sin_addr), ipstr, sizeof(ipstr));
                add_ip(ipstr);
            }
        }

        freeaddrinfo(res);
    }
}

1
2	#include <netdb.h>
3	#include <iostream>
4	#include "trick/VariableServer.hh"
5	#include "trick/tc_proto.h"
6	#include "trick/Message_proto.hh"
7	#include "trick/message_proto.h"
8
9	Trick::VariableServer * the_vs ;
10
11	Trick::VariableServer::VariableServer() :	210✔
12	enabled(false) ,
13	info_msg(false),
14	log(false),
15	allow_connections(false),
16	bypass_ip_check(false)	210✔
17	{
18	the_vs = this ;	210✔
19	pthread_mutex_init(&map_mutex, NULL);	210✔
20	}	210✔
21
22	Trick::VariableServer::~VariableServer() {	210✔
23	the_vs = NULL;	210✔
24	}	210✔
25
26	void Trick::VariableServer::shutdownConnections() {	187✔
27	listen_thread.shutdownConnections();	187✔
28	}	187✔
29
30	std::ostream& Trick::operator<< (std::ostream& s, Trick::VariableServer& vs) {	1✔
31	std::map < pthread_t , VariableServerSessionThread * >::iterator it ;	1✔
32
33	s << "{\"variable_server_connections\":[\n";	1✔
34	int count = 0;	1✔
35	int n_connections = (int)vs.var_server_threads.size();	1✔
36	for ( it = vs.var_server_threads.begin() ; it != vs.var_server_threads.end() ; ++it ) {	1✔
37	s << "{\n";	×
38	s << (it).second;	×
39	s << "}";	×
40	if ((n_connections-count)>1) {	×
41	s << "," ;	×
42	}
43	s << "\n";	×
44	count ++;	×
45	}
46	s << "]}" << std::endl;	1✔
47	return s;	1✔
48	}
49
50	bool Trick::VariableServer::get_enabled() {	2✔
51	return enabled ;	2✔
52	}
53
54	void Trick::VariableServer::set_enabled(bool on_off) {	21✔
55	enabled = on_off ;	21✔
56
57	if(enabled) {	21✔
58	message_publish(MSG_WARNING, "Trick VariableServer: Enabling the Variable Server. See Trick documentation for associated security concerns\n");	21✔
59	}
60	}	21✔
61
62	bool Trick::VariableServer::get_info_msg() {	10✔
63	return info_msg ;	10✔
64	}
65
66	void Trick::VariableServer::set_var_server_info_msg_on() {	1✔
67	info_msg = true;	1✔
68	for ( auto& session_it : var_server_sessions ) {	1✔
69	session_it.second->set_info_message(info_msg);	×
70	}
71	}	1✔
72
73	void Trick::VariableServer::set_var_server_info_msg_off() {	1✔
74	info_msg = false;	1✔
75	for ( auto& session_it : var_server_sessions ) {	1✔
76	session_it.second->set_info_message(info_msg);	×
77	}
78	}	1✔
79
80	bool Trick::VariableServer::get_log() {	9✔
81	return log ;	9✔
82	}
83
84	bool Trick::VariableServer::get_session_log() {	9✔
85	return session_log ;	9✔
86	}
87
88	void Trick::VariableServer::set_var_server_log_on() {	1✔
89	log = true;	1✔
90	// turn log on for all current vs clients
91	for ( auto& session_it : var_server_sessions ) {	2✔
92	session_it.second->set_log(true);	1✔
93	}
94	}	1✔
95
96	void Trick::VariableServer::set_var_server_log_off() {	1✔
97	log = false;	1✔
98	// turn log off for all current vs clients
99	for ( auto& session_it : var_server_sessions ) {	2✔
100	session_it.second->set_log(false);	1✔
101	}
102	}	1✔
103
104	void Trick::VariableServer::set_var_server_session_log_on() {	1✔
105	session_log = true;	1✔
106	// turn log on for all current vs clients
107	for ( auto& session_it : var_server_sessions ) {	2✔
108	session_it.second->set_session_log(true);	1✔
109	}
110	}	1✔
111
112	void Trick::VariableServer::set_var_server_session_log_off() {	1✔
113	session_log = false;	1✔
114	// turn log off for all current vs clients
115	for ( auto& session_it : var_server_sessions ) {	2✔
116	session_it.second->set_session_log(false);	1✔
117	}
118	}	1✔
119
120	const char * Trick::VariableServer::get_hostname() {	×
121	return listen_thread.get_hostname();	×
122	}
123
124	Trick::VariableServerListenThread & Trick::VariableServer::get_listen_thread() {	190✔
125	return listen_thread ;	190✔
126	}
127
128	void Trick::VariableServer::add_vst(pthread_t in_thread_id, VariableServerSessionThread * in_vst) {	8✔
129	pthread_mutex_lock(&map_mutex) ;	8✔
130	var_server_threads[in_thread_id] = in_vst ;	8✔
131	pthread_mutex_unlock(&map_mutex) ;	8✔
132	}	8✔
133
134	void Trick::VariableServer::add_session(pthread_t in_thread_id, VariableServerSession * in_session) {	12✔
135	pthread_mutex_lock(&map_mutex) ;	12✔
136	var_server_sessions[in_thread_id] = in_session ;	12✔
137	pthread_mutex_unlock(&map_mutex) ;	12✔
138	}	12✔
139
140	Trick::VariableServerSessionThread * Trick::VariableServer::get_vst(pthread_t thread_id) {	5✔
141	std::map < pthread_t , Trick::VariableServerSessionThread * >::iterator it ;	5✔
142	Trick::VariableServerSessionThread * ret = NULL ;	5✔
143	pthread_mutex_lock(&map_mutex) ;	5✔
144	it = var_server_threads.find(thread_id) ;	5✔
145	if ( it != var_server_threads.end() ) {	5✔
146	ret = (*it).second ;	5✔
147	}
148	pthread_mutex_unlock(&map_mutex) ;	5✔
149	return ret ;	5✔
150	}
151
152	Trick::VariableServerSession * Trick::VariableServer::get_session(pthread_t thread_id) {	1,069✔
153	Trick::VariableServerSession * ret = NULL ;	1,069✔
154	pthread_mutex_lock(&map_mutex) ;	1,069✔
155	auto it = var_server_sessions.find(thread_id) ;	1,069✔
156	if ( it != var_server_sessions.end() ) {	1,069✔
157	ret = (*it).second ;	37✔
158	}
159	pthread_mutex_unlock(&map_mutex) ;	1,069✔
160	return ret ;	1,069✔
161	}
162
163	void Trick::VariableServer::delete_vst(pthread_t thread_id) {	8✔
164	pthread_mutex_lock(&map_mutex) ;	8✔
165	var_server_threads.erase(thread_id) ;	8✔
166	pthread_mutex_unlock(&map_mutex) ;	8✔
167	}	8✔
168
169	void Trick::VariableServer::delete_session(pthread_t thread_id) {	7✔
170	pthread_mutex_lock(&map_mutex) ;	7✔
171	var_server_sessions.erase(thread_id) ;	7✔
172	pthread_mutex_unlock(&map_mutex) ;	7✔
173	}	7✔
174
175	void Trick::VariableServer::set_copy_data_job( Trick::JobData * in_job ) {	187✔
176	copy_data_job = in_job ;	187✔
177	}	187✔
178
179	void Trick::VariableServer::set_copy_and_write_freeze_job( Trick::JobData * in_job ) {	187✔
180	copy_and_write_freeze_job = in_job ;	187✔
181	}	187✔
182
183	bool Trick::VariableServer::set_allow_connections(const bool& b) {	217✔
184	if(b) {	217✔
185	message_publish(MSG_WARNING, "Trick VariableServer: Enabling Variable Server Connectivity\n");	30✔
186	add_ip("127.0.0.1");	30✔
187	}
188
189	return allow_connections = b ;	217✔
190	}
191
192	bool Trick::VariableServer::get_allow_connections() {	8✔
193	return allow_connections ;	8✔
194	}
195
196	bool Trick::VariableServer::set_bypass_ip_check(const bool& b) {	24✔
197	if(b) {	24✔
198	message_publish(MSG_WARNING, "Trick VariableServer:\nBYPASSING IP SECURITY CHECK.\nANYONE ON THE NETWORK CAN CONNECT TO YOUR PYTHON INTERPRETER!\nYOU BETTER KNOW WHAT YOU'RE DOING!\n");	24✔
199	}
200
201	return bypass_ip_check = b ;	24✔
202	}
203
204	bool Trick::VariableServer::get_bypass_ip_check() {	8✔
205	return bypass_ip_check ;	8✔
206	}
207
NEW 208	const std::set<std::string>& Trick::VariableServer::get_ip_allowlist() {	×
NEW 209	return ip_allowlist ;	×
210	}
211
212	void Trick::VariableServer::add_ip(const std::string& ip) {	36✔
213	std::string msg = "Trick VariableServer: Adding " + ip + " to the allowlist.\n" ;	72✔
214	message_publish(MSG_INFO, msg.c_str()) ;	36✔
215
216	ip_allowlist.insert(ip) ;	36✔
217	}	36✔
218
NEW 219	void Trick::VariableServer::remove_ip(const std::string& ip) {	×
NEW 220	std::string msg = "Trick VariableServer: Removing " + ip + " from the allowlist.\n" ;	×
NEW 221	message_publish(MSG_INFO, msg.c_str()) ;	×
222
NEW 223	ip_allowlist.erase(ip) ;	×
NEW 224	}	×
225
NEW 226	bool Trick::VariableServer::check_ip(const std::string& ip) {	×
NEW 227	bool valid = false;	×
NEW 228	for (std::set<std::string>::iterator it = ip_allowlist.begin(); it != ip_allowlist.end(); ++it) {	×
NEW 229	std::string entry = *it;	×
230	size_t slash;
231
232	struct in_addr addr;
NEW 233	if (inet_pton(AF_INET, ip.c_str(), &addr) != 1) {	×
NEW 234	return false;	×
235	}
NEW 236	uint32_t ipVal = ntohl(addr.s_addr);	×
237
NEW 238	if( (slash = entry.find('/')) != std::string::npos ) {	×
NEW 239	std::string network = entry.substr(0, slash);	×
NEW 240	int prefix = std::stoi(entry.substr(slash + 1));	×
241
NEW 242	if (inet_pton(AF_INET, network.c_str(), &addr) != 1) {	×
NEW 243	continue;	×
244	}
NEW 245	uint32_t netVal = ntohl(addr.s_addr);	×
246
NEW 247	uint32_t mask = (prefix == 0) ? 0 : (~0u << (32 - prefix));	×
248
NEW 249	valid = (ipVal & mask) == (netVal & mask);	×
250	}
251	else {
NEW 252	valid = (ip == entry);	×
253	}
254
NEW 255	if (valid) break ;	×
256	}
257
NEW 258	return valid;	×
259	}
260
261	void Trick::VariableServer::resolve_hostname() {	6✔
262	if(enabled) {	6✔
263	// Add your network IPs to the allowlist
264	char hostname[256];
265	if (gethostname(hostname, sizeof(hostname)) != 0) {	6✔
NEW 266	return;	×
267	}
268
269	struct addrinfo hints{}, res, p;	6✔
270	hints.ai_family = AF_INET;	6✔
271	hints.ai_socktype = SOCK_STREAM;	6✔
272
273	int status = getaddrinfo(hostname, nullptr, &hints, &res);	6✔
274	if (status != 0) {	6✔
NEW 275	return;	×
276	}
277
278	char ipstr[INET6_ADDRSTRLEN];
279	for (p = res; p != nullptr; p = p->ai_next) {	12✔
280	if (p->ai_family == AF_INET) {	6✔
281	struct sockaddr_in ipv4 = (struct sockaddr_in )p->ai_addr;	6✔
282	inet_ntop(p->ai_family, &(ipv4->sin_addr), ipstr, sizeof(ipstr));	6✔
283	add_ip(ipstr);	6✔
284	}
285	}
286
287	freeaddrinfo(res);	6✔
288	}
289	}

nasa / trick / 25441446766

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous