Kevin Wang (3)
#1
Hi Yan,

I got a "buffer overflow detected" error after I ran a function several times. After I removed the FunctionShield from my function, the error was gone. I used the approach you showed in the video to wrap the function shield in a middleware. I will attach the log below. Please give me some hints about why this happens. Thank you so much.

Oh, btw, do you know whether the FunctionShield can set up a whitelist for some outbound internet connectivity?

The error log:

15:39:00 *** buffer overflow detected ***: /var/lang/bin/node terminated
15:39:00 ======= Backtrace: =========
15:39:00 /lib64/libc.so.6(__fortify_fail+0x37)[0x7f0f0dd33d47]
15:39:00 /lib64/libc.so.6(+0x10df00)[0x7f0f0dd31f00]
15:39:00 /lib64/libc.so.6(+0x10cecb)[0x7f0f0dd30ecb]
15:39:00 /tmp/function-shield-assets/prebuilds/linux-x64/../../lib/libfunctionshieldcore.so(functionshieldcore_configure+0xc9)[0x7f0f0b1e19f9]
15:39:00 /tmp/function-shield-assets/prebuilds/linux-x64/node-57.node(_Z9configureRKN3Nan20FunctionCallbackInfoIN2v85ValueEEE+0x1b0)[0x7f0f0b404720]
15:39:00 /tmp/function-shield-assets/prebuilds/linux-x64/node-57.node(+0x18d5)[0x7f0f0b4048d5]
15:39:00 /var/lang/bin/node(_ZN2v88internal25FunctionCallbackArguments4CallEPFvRKNS_20FunctionCallbackInfoINS_5ValueEEEE+0x16c)[0x55a31851a5bc]
15:39:00 /var/lang/bin/node(+0x905c7d)[0x55a3185a4c7d]
15:39:00 /var/lang/bin/node(_ZN2v88internal21Builtin_HandleApiCallEiPPNS0_6ObjectEPNS0_7IsolateE+0xcb)[0x55a3185a550b]
Kevin Wang (3)
#2
Ok. Just found out the problem is that FuncShield.configure cannot be called multiple times. That is why the official demo puts FuncShield.configure outside of the handler function. So, if we want to use a middleware to load the FunctionShield, a variable should be used to prevent it from being called more than once.

I hope this can help other users as well. :)

I am still looking into whether the Function Shield can set up a whitelist for outbound internet activity.


Update:

I just found out the middy library actually has a middleware to handle the function shield which is very convenient.
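
The once-only guard described in post #2, as an added example that is not part of the original thread and is not FunctionShield or middy code. Assumptions: `shieldStub` is a constructed stand-in that fails on a second `configure()` call, `makeShieldMiddleware` and `wrap` are hypothetical helpers, and the policy object is a constructed sample.

```javascript
// Constructed stand-in for the native library: a second configure() call
// fails, mimicking the behaviour reported in this thread.
const shieldStub = {
  calls: 0,
  configure(options) {
    if (++this.calls > 1) throw new Error('configure called twice');
    this.options = options;
  },
};

// The flag lives in the closure created at module load, so it survives warm
// invocations of the same container instead of resetting on every request.
function makeShieldMiddleware(shield, options) {
  let configured = false;
  return {
    // Hook name `before` is an assumption; it runs ahead of each invocation.
    before(request) {
      if (configured) return;     // warm invocation: policy already applied
      shield.configure(options);  // a throw propagates; the handler never runs
      configured = true;          // set only after configure() succeeded
    },
  };
}

// Hypothetical minimal wrapper (not middy): run hooks, then the handler.
function wrap(handler, middlewares) {
  return async (event) => {
    for (const m of middlewares) await m.before({ event });
    return handler(event);
  };
}

// Constructed sample policy for illustration.
const policy = { policy: { outbound_connectivity: 'block' } };
const handler = wrap(async (event) => ({ ok: true, id: event.id }),
                     [makeShieldMiddleware(shieldStub, policy)]);

// Simulates n invocations landing on the same warm container.
async function simulateWarmInvocations(n) {
  const results = [];
  for (let i = 0; i < n; i++) results.push(await handler({ id: i }));
  return { results, configureCalls: shieldStub.calls };
}
```

Because the flag is set only after `configure()` returns, a failed first attempt is retried on the next invocation rather than leaving the function running without its policy.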
Yan Cui (71)
#3
Ah, I see. I'll report that to the Puresec folks. I was under the impression that it's safe to call configure multiple times, to temporarily enable public internet access for instance.

And yes, after I told Ory Segal (Puresec CTO) about adding FunctionShield as a custom middleware in the course, someone from Puresec pushed a PR to include it as an official middleware for middy, happy days :)