mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-05-17 10:41:49 +02:00
Compare commits
6 commits
177bc735b6
...
095564f1c9
| Author | SHA1 | Date | |
|---|---|---|---|
| 095564f1c9 | |||
|
02602b072a | ||
|
|
acf20ef700 | ||
|
|
3499010d8e | ||
|
|
2423fc18c5 | ||
|
|
9f3fd48961 |
12 changed files with 123 additions and 37 deletions
2
.github/workflows/build.yml
vendored
2
.github/workflows/build.yml
vendored
|
|
@ -29,7 +29,7 @@ env:
|
|||
jobs:
|
||||
build-dev-environment:
|
||||
name: "Build dev-env (${{ matrix.distro }}-${{ matrix.version }})"
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
strategy:
|
||||
matrix:
|
||||
include:
|
||||
|
|
|
|||
23
.github/workflows/check_push.yml
vendored
Normal file
23
.github/workflows/check_push.yml
vendored
Normal file
|
|
@ -0,0 +1,23 @@
|
|||
name: Check branch conformity
|
||||
on:
|
||||
pull_request:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "test/**"
|
||||
|
||||
jobs:
|
||||
prevent-fixup-commits:
|
||||
runs-on: ubuntu-24
|
||||
env:
|
||||
target: debian-bookworm
|
||||
distro: debian
|
||||
version: bookworm
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
- name: prevent fixup commits
|
||||
run: |
|
||||
git fetch origin
|
||||
git status
|
||||
git log --pretty=format:%s origin/main..HEAD | grep -ie '^fixup\|^wip' && exit 1 || true
|
||||
15
.github/workflows/check_repos.yml
vendored
15
.github/workflows/check_repos.yml
vendored
|
|
@ -10,11 +10,15 @@ on:
|
|||
schedule:
|
||||
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "test/**"
|
||||
|
||||
jobs:
|
||||
install-from-apt-repo:
|
||||
name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}"
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
container: ${{ matrix.distro }}:${{ matrix.version }}
|
||||
strategy:
|
||||
matrix:
|
||||
|
|
@ -53,8 +57,13 @@ jobs:
|
|||
gpg --keyserver hkps://keys.openpgp.org \
|
||||
--no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
|
||||
--recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
|
||||
|
||||
# Export the GPG key in armor mode because sequoia needs it this way
|
||||
# (sqv is used on debian trixie by default to check the keys)
|
||||
mkdir -p /etc/apt/keyrings/
|
||||
mv fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings
|
||||
gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
|
||||
--armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
|
||||
> /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
|
||||
|
||||
- name: Add packages.freedom.press to our APT sources
|
||||
run: |
|
||||
|
|
@ -70,7 +79,7 @@ jobs:
|
|||
|
||||
install-from-yum-repo:
|
||||
name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}"
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
container: ${{ matrix.distro }}:${{ matrix.version }}
|
||||
strategy:
|
||||
matrix:
|
||||
|
|
|
|||
12
.github/workflows/ci.yml
vendored
12
.github/workflows/ci.yml
vendored
|
|
@ -27,7 +27,7 @@ concurrency:
|
|||
|
||||
jobs:
|
||||
run-lint:
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
container:
|
||||
image: debian:bookworm
|
||||
steps:
|
||||
|
|
@ -78,7 +78,7 @@ jobs:
|
|||
|
||||
download-tessdata:
|
||||
name: Download and cache Tesseract data
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Cache Tessdata
|
||||
|
|
@ -183,7 +183,7 @@ jobs:
|
|||
needs:
|
||||
- build-container-image
|
||||
name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
strategy:
|
||||
matrix:
|
||||
include:
|
||||
|
|
@ -250,7 +250,7 @@ jobs:
|
|||
|
||||
install-deb:
|
||||
name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
needs:
|
||||
- build-deb
|
||||
strategy:
|
||||
|
|
@ -305,7 +305,7 @@ jobs:
|
|||
|
||||
build-install-rpm:
|
||||
name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
needs:
|
||||
- build-container-image
|
||||
strategy:
|
||||
|
|
@ -377,7 +377,7 @@ jobs:
|
|||
|
||||
run-tests:
|
||||
name: "run tests (${{ matrix.distro }} ${{ matrix.version }})"
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
needs:
|
||||
- build-container-image
|
||||
- download-tessdata
|
||||
|
|
|
|||
6
.github/workflows/close-issues.yml
vendored
6
.github/workflows/close-issues.yml
vendored
|
|
@ -2,10 +2,14 @@ name: Close inactive issues
|
|||
on:
|
||||
schedule:
|
||||
- cron: "30 1 * * *"
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "test/**"
|
||||
|
||||
jobs:
|
||||
close-issues:
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
permissions:
|
||||
issues: write
|
||||
steps:
|
||||
|
|
|
|||
5
.github/workflows/scan.yml
vendored
5
.github/workflows/scan.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
push:
|
||||
branches:
|
||||
- main
|
||||
- "test/**"
|
||||
pull_request:
|
||||
schedule:
|
||||
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
||||
|
|
@ -10,7 +11,7 @@ on:
|
|||
|
||||
jobs:
|
||||
security-scan-container:
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
|
@ -54,7 +55,7 @@ jobs:
|
|||
severity-cutoff: critical
|
||||
|
||||
security-scan-app:
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
|
|
|||
8
.github/workflows/scan_released.yml
vendored
8
.github/workflows/scan_released.yml
vendored
|
|
@ -1,5 +1,9 @@
|
|||
name: Scan released app and container
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "test/**"
|
||||
schedule:
|
||||
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
||||
workflow_dispatch:
|
||||
|
|
@ -9,7 +13,7 @@ jobs:
|
|||
strategy:
|
||||
matrix:
|
||||
include:
|
||||
- runs-on: ubuntu-latest
|
||||
- runs-on: ubuntu-24
|
||||
arch: i686
|
||||
# Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
|
||||
# - runs-on: macos-latest
|
||||
|
|
@ -55,7 +59,7 @@ jobs:
|
|||
severity-cutoff: critical
|
||||
|
||||
security-scan-app:
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-24
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
|
|
|||
|
|
@ -94,7 +94,9 @@ gpg --keyserver hkps://keys.openpgp.org \
|
|||
--no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
|
||||
--recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
|
||||
sudo mkdir -p /etc/apt/keyrings/
|
||||
sudo mv fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings
|
||||
sudo gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
|
||||
--armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
|
||||
> /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
|
||||
```
|
||||
|
||||
Add the URL of the repo in your APT sources:
|
||||
|
|
|
|||
|
|
@ -42,6 +42,12 @@ def print_header(s: str) -> None:
|
|||
type=click.UNPROCESSED,
|
||||
callback=args.validate_input_filenames,
|
||||
)
|
||||
@click.option(
|
||||
"--debug",
|
||||
"debug",
|
||||
flag_value=True,
|
||||
help="Run Dangerzone in debug mode, to get logs from gVisor.",
|
||||
)
|
||||
@click.version_option(version=get_version(), message="%(version)s")
|
||||
@errors.handle_document_errors
|
||||
def cli_main(
|
||||
|
|
@ -50,6 +56,7 @@ def cli_main(
|
|||
filenames: List[str],
|
||||
archive: bool,
|
||||
dummy_conversion: bool,
|
||||
debug: bool,
|
||||
) -> None:
|
||||
setup_logging()
|
||||
|
||||
|
|
@ -58,7 +65,7 @@ def cli_main(
|
|||
elif is_qubes_native_conversion():
|
||||
dangerzone = DangerzoneCore(Qubes())
|
||||
else:
|
||||
dangerzone = DangerzoneCore(Container())
|
||||
dangerzone = DangerzoneCore(Container(debug=debug))
|
||||
|
||||
display_banner()
|
||||
if len(filenames) == 1 and output_filename:
|
||||
|
|
|
|||
|
|
@ -5,7 +5,9 @@ import platform
|
|||
import signal
|
||||
import subprocess
|
||||
import sys
|
||||
import threading
|
||||
from abc import ABC, abstractmethod
|
||||
from io import BytesIO
|
||||
from typing import IO, Callable, Iterator, Optional
|
||||
|
||||
import fitz
|
||||
|
|
@ -18,10 +20,6 @@ from ..util import get_tessdata_dir, replace_control_chars
|
|||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
MAX_CONVERSION_LOG_CHARS = 150 * 50 # up to ~150 lines of 50 characters
|
||||
DOC_TO_PIXELS_LOG_START = "----- DOC TO PIXELS LOG START -----"
|
||||
DOC_TO_PIXELS_LOG_END = "----- DOC TO PIXELS LOG END -----"
|
||||
|
||||
TIMEOUT_EXCEPTION = 15
|
||||
TIMEOUT_GRACE = 15
|
||||
TIMEOUT_FORCE = 5
|
||||
|
|
@ -75,9 +73,9 @@ def read_int(f: IO[bytes]) -> int:
|
|||
return int.from_bytes(untrusted_int, "big", signed=False)
|
||||
|
||||
|
||||
def read_debug_text(f: IO[bytes], size: int) -> str:
|
||||
"""Read arbitrarily long text (for debug purposes), and sanitize it."""
|
||||
untrusted_text = f.read(size).decode("ascii", errors="replace")
|
||||
def sanitize_debug_text(text: bytes) -> str:
|
||||
"""Read all the buffer and return a sanitized version"""
|
||||
untrusted_text = text.decode("ascii", errors="replace")
|
||||
return replace_control_chars(untrusted_text, keep_newlines=True)
|
||||
|
||||
|
||||
|
|
@ -86,12 +84,16 @@ class IsolationProvider(ABC):
|
|||
Abstracts an isolation provider
|
||||
"""
|
||||
|
||||
def __init__(self) -> None:
|
||||
if getattr(sys, "dangerzone_dev", False) is True:
|
||||
def __init__(self, debug: bool = False) -> None:
|
||||
self.debug = debug
|
||||
if self.should_capture_stderr():
|
||||
self.proc_stderr = subprocess.PIPE
|
||||
else:
|
||||
self.proc_stderr = subprocess.DEVNULL
|
||||
|
||||
def should_capture_stderr(self) -> bool:
|
||||
return self.debug or getattr(sys, "dangerzone_dev", False)
|
||||
|
||||
@abstractmethod
|
||||
def install(self) -> bool:
|
||||
pass
|
||||
|
|
@ -327,7 +329,11 @@ class IsolationProvider(ABC):
|
|||
timeout_force: int = TIMEOUT_FORCE,
|
||||
) -> Iterator[subprocess.Popen]:
|
||||
"""Start a conversion process, pass it to the caller, and then clean it up."""
|
||||
# Store the proc stderr in memory
|
||||
stderr = BytesIO()
|
||||
p = self.start_doc_to_pixels_proc(document)
|
||||
stderr_thread = self.start_stderr_thread(p, stderr)
|
||||
|
||||
if platform.system() != "Windows":
|
||||
assert os.getpgid(p.pid) != os.getpgid(
|
||||
os.getpid()
|
||||
|
|
@ -343,15 +349,40 @@ class IsolationProvider(ABC):
|
|||
document, p, timeout_grace=timeout_grace, timeout_force=timeout_force
|
||||
)
|
||||
|
||||
# Read the stderr of the process only if:
|
||||
# * Dev mode is enabled.
|
||||
# * The process has exited (else we risk hanging).
|
||||
if getattr(sys, "dangerzone_dev", False) and p.poll() is not None:
|
||||
assert p.stderr
|
||||
debug_log = read_debug_text(p.stderr, MAX_CONVERSION_LOG_CHARS)
|
||||
if stderr_thread:
|
||||
# Wait for the thread to complete. If it's still alive, mention it in the debug log.
|
||||
stderr_thread.join(timeout=1)
|
||||
|
||||
debug_bytes = stderr.getvalue()
|
||||
debug_log = sanitize_debug_text(debug_bytes)
|
||||
|
||||
incomplete = "(incomplete) " if stderr_thread.is_alive() else ""
|
||||
|
||||
log.info(
|
||||
"Conversion output (doc to pixels)\n"
|
||||
f"{DOC_TO_PIXELS_LOG_START}\n"
|
||||
f"----- DOC TO PIXELS LOG START {incomplete}-----\n"
|
||||
f"{debug_log}" # no need for an extra newline here
|
||||
f"{DOC_TO_PIXELS_LOG_END}"
|
||||
"----- DOC TO PIXELS LOG END -----"
|
||||
)
|
||||
|
||||
def start_stderr_thread(
|
||||
self, process: subprocess.Popen, stderr: IO[bytes]
|
||||
) -> Optional[threading.Thread]:
|
||||
"""Start a thread to read stderr from the process"""
|
||||
|
||||
def _stream_stderr(process_stderr: IO[bytes]) -> None:
|
||||
try:
|
||||
for line in process_stderr:
|
||||
stderr.write(line)
|
||||
except (ValueError, IOError) as e:
|
||||
log.debug(f"Stderr stream closed: {e}")
|
||||
|
||||
if process.stderr:
|
||||
stderr_thread = threading.Thread(
|
||||
target=_stream_stderr,
|
||||
args=(process.stderr,),
|
||||
daemon=True,
|
||||
)
|
||||
stderr_thread.start()
|
||||
return stderr_thread
|
||||
return None
|
||||
|
|
|
|||
|
|
@ -168,6 +168,10 @@ class Container(IsolationProvider):
|
|||
) -> subprocess.Popen:
|
||||
container_runtime = container_utils.get_runtime()
|
||||
security_args = self.get_runtime_security_args()
|
||||
debug_args = []
|
||||
if self.debug:
|
||||
debug_args += ["-e", "RUNSC_DEBUG=1"]
|
||||
|
||||
enable_stdin = ["-i"]
|
||||
set_name = ["--name", name]
|
||||
prevent_leakage_args = ["--rm"]
|
||||
|
|
@ -177,14 +181,14 @@ class Container(IsolationProvider):
|
|||
args = (
|
||||
["run"]
|
||||
+ security_args
|
||||
+ debug_args
|
||||
+ prevent_leakage_args
|
||||
+ enable_stdin
|
||||
+ set_name
|
||||
+ image_name
|
||||
+ command
|
||||
)
|
||||
args = [container_runtime] + args
|
||||
return self.exec(args)
|
||||
return self.exec([container_runtime] + args)
|
||||
|
||||
def kill_container(self, name: str) -> None:
|
||||
"""Terminate a spawned container.
|
||||
|
|
|
|||
|
|
@ -71,6 +71,7 @@ class DangerzoneCore(object):
|
|||
ocr_lang,
|
||||
stdout_callback,
|
||||
)
|
||||
|
||||
except Exception:
|
||||
log.exception(
|
||||
f"Unexpected error occurred while converting '{document}'"
|
||||
|
|
|
|||
Loading…
Reference in a new issue