8000 feat: chalk insert lambda zip mode by mbaltrusitis · Pull Request #498 · crashappsec/chalk · GitHub

More Web Proxy on the site http://driver.im/

feat: chalk insert lambda zip mode #498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Draft

mbaltrusitis wants to merge 10 commits into main from mb/aws-lambda

+290 −13

Collaborator

mbaltrusitis commented

•

Followed the steps in the contributor's guide: https://crashoverride.com/docs/other/contributing#filing-the-pull-request
PR title uses semantic commit messages
Filled out the template to a useful degree
Updated CHANGELOG.md if necessary

Issue

https://app.shortcut.com/crashoverride-1/epic/4279?group_by=none&ct_workflow=all&cf_workflow=500000306

Description

Initial approach for injecting chalk binary inside of a lambda zip archive. After a round of feedback I think it'll make sense to refactor some of the zip archive operations to codecZip.nim.

to do

get initial feedback
- rename lambda to something more generic
fix executable bit issue
(potentially) refactor into codecZip.nim
update CHANGELOG

Testing

make tests args="test_lambda.py"

miki725 requested changes

View reviewed changes

src/configs/chalk.c42spec

Comment on lines +2923 to +2851

+                field lambda_mode {
+                  type:     bool
+                  default:  false
+                  shortdoc: "lambda mode"
+                  doc:      """
+              When present, inject the executed chalk binary itself in the zip
+              archive being processed upon insertion.
+              """
+                }

Collaborator

miki725

this is inherently not anything lambda specific. lets change terminology to be more generic? maybe insert_chalk_binary?

src/commands/cmd_insert.nim

Comment on lines +34 to +35

+                    var isZip = false
+                    if item.collectedData != nil and "ARTIFACT_TYPE" in item.collectedData:
+                      try:
+                        isZip = item.collectedData["ARTIFACT_TYPE"] == artTypeZip
+                      except:
+                        isZip = false
+                    if isZip:
+                      info(item.name & ": inserting binary into zip")

Collaborator

miki725

this does not belong here. it should be directly in the zip codec as you mentioned in the PR description.

chalk/src/plugins/codecZip.nim

Lines 168 to 196 in d332e41

    
           proc doZipWrite(chalk: ChalkObj, encoded: Option[string], virtual: bool) = 
        
             let 
        
               cache     = ZipCache(chalk.cache) 
        
               chalkFile = joinPath(cache.tmpDir, "contents", zipChalkFile) 
        
             var dirToUse: string 
        
             # need to close FD to be able to overwite the file 
        
             closeFileStream(chalk.fsRef) 
        
             try: 
        
               if encoded.isSome(): 
        
                 if not tryToWriteFile(chalkFile, encoded.get()): 
        
                   raise newException(OSError, chalkFile & ": could not write file") 
        
                 dirToUse = joinPath(cache.tmpDir, "contents") 
        
               else: 
        
                 dirToUse = joinPath(cache.tmpDir, "hash") 
        
               let newArchive = ZipArchive() 
        
               newArchive.addDir(dirToUse & "/") 
        
               if not virtual: 
        
                 newArchive.writeZipArchive(chalk.fsRef) 
        
               chalk.cachedHash = newArchive.hashZip() 
        
             except: 
        
               error(chalkFile & ": " & getCurrentExceptionMsg()) 
        
               dumpExOnDebug() 
        
           proc zipHandleWrite*(self: Plugin, chalk: ChalkObj, encoded: Option[string]) 
        
                              {.cdecl.} = 
        
             chalk.doZipWrite(encoded, virtual = false)

it already unpacks the zip file in there. we just need to add the chalk binary in there in-place

src/commands/cmd_insert.nim Outdated Show resolved Hide resolved

tests/functional/test_lambda.py Outdated Show resolved Hide resolved

tests/functional/chalk/runner.py Outdated Show resolved Hide resolved

tests/functional/test_lambda.py

Comment on lines +83 to +86

+              def test_lambda_insert_empty_zip(
+                  tmp_data_dir: Path,
+                  chalk: Chalk,
+              ):
+                  """Test `chalk insert --lambda` on an empty zip file.
+                  Empty zip files should be handled gracefully - the command should
+                  complete with exit code 0 but no chalk marks should be created.
+                  """
+                  # Run chalk insert with the --lambda
+                  insert = chalk.insert(
+                      artifact=tmp_data_dir,

Collaborator

miki725

😕 description does not matchwhat the test case does. it runs on empty empty folder which is not related to empty zip files

tests/functional/test_lambda.py Outdated

Comment on lines 103 to 99

+                  assert (
+                      "_CHALKS" not in insert.report
+                  ), "No chalks should be created for empty zip file"
+                  assert (
+                      "_OP_CHALK_COUNT" in insert.report and insert.report["_OP_CHALK_COUNT"] == 0
+                  ), "Chalk count should be 0"

Collaborator

miki725

these are already handled by these options:

chalk/tests/functional/chalk/runner.py

Lines 433 to 434 in d332e41

    
           expecting_report: bool = True, 
        
           expecting_chalkmarks: bool = True,

they will assert appropriate values in the report are present

tests/functional/test_lambda.py Outdated

+                  verify_chalk_mark_added(insert, test_file)
+                  # Now extract and verify we can read the chalk mark
+                  extract = chalk.extract(artifact=tmp_data_dir, ignore_errors=True)

Collaborator

miki725

why ignore errors? this should only be used for commands where we legitimately expect errors such as trying to load bad chalk config in tests

tests/functional/test_lambda.py

Comment on lines +143 to +133

+                  # chalk_binary_path = tmp_data_dir / "chalk"
+                  # Verify ZIP artifact type is detected
+                  for mark in extract.marks:
+                      assert mark.has(ARTIFACT_TYPE="ZIP"), "ZIP artifact type not detected"

Collaborator

miki725

this is already tested by extract util

chalk/tests/functional/chalk/runner.py

Lines 494 to 500 in d332e41

    
           if Path(artifact).exists() and expecting_chalkmarks: 
        
               for path, chalk in result.marks_by_path.items(): 
        
                   assert chalk.has( 
        
                       ARTIFACT_TYPE=artifact_type(Path(path)), 
        
                       PLATFORM_WHEN_CHALKED=result.report["_OP_PLATFORM"], 
        
                       INJECTOR_COMMIT_ID=result.report["_OP_CHALKER_COMMIT_ID"], 
        
                   )

tests/functional/test_lambda.py Outdated

+                  ],
+                  indirect=True,
+              )
+              def test_lambda_with_other_zip_formats(

Collaborator

miki725

not following intent here?

if we want chalk to be able to support multiple zip formats, we should just have a single test case with parametrize inputs which will run the test case on all the variants. from the test case perspective it should not matter how zip was created

mbaltrusitis added 9 commits

March 25, 2025 12:53


          docs: formatting

14da193


          refactor: remove extra newline

d54e556


          feat: add chalk insert '--lambda' flag

a8b7e05


          test: add params to chalk insert runner

5d5298e


          feat: add serverless zip mode

559012c


          refactor: create new lambda_mode param over passing params string

3fcbf39


          refactor: clarify name of test


          refactor: move chalk insertion to zip codec module

ed3df0c


          wip: test updates

5781aa5

mbaltrusitis force-pushed the mb/aws-lambda branch from b976cf9 to 5781aa5 Compare

April 2, 2025 14:06


          wip: test fixes

937d324

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

0