Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WASM extensions filter #2946

Open
szuecs opened this issue Feb 19, 2024 · 5 comments
Open

WASM extensions filter #2946

szuecs opened this issue Feb 19, 2024 · 5 comments

Comments

@szuecs
Copy link
Member

szuecs commented Feb 19, 2024

Is your feature request related to a problem? Please describe.

I want to have a WASM extension filter to execute safely custom code from users.

Describe the solution you would like

A filter wasm("https://wasm-src.example") would fetch at start the wasm bundle from the given URL. It should run as part of the filter execution. Updating the wasm bundle should be able to achieve in a background goroutine if possible.

some libraries that could help loading WASM:

Describe alternatives you've considered (optional)

We have lua as script filter extension already, but this has access to filesystem support and it's not easy to disable and such that to secure the runtime from users that can change routes. Users that are able to change routes like kubernetes ingress objects are not having full skipper runtime permissions but with lua they could get this.

@AlexanderYastrebov
Copy link
Member

AlexanderYastrebov commented Feb 19, 2024

Fetching wasm from remote would be the fastest way to pwn skipper :)

I think the trickiest part would be to define filter context interface between go and wasm.

@szuecs
Copy link
Member Author

szuecs commented Feb 19, 2024

Fetching wasm from remote would be the fastest way to pwn skipper :)

What's different to lua and why do you think that wasm will be less safe to execute?
IIRC WASM tries to be ok to run from an hostile environment.

I think the trickiest part would be to define filter context interface between go and wasm.

yes of course!
I just wanted to check out how the first step could look like.

@AlexanderYastrebov
Copy link
Member

@szuecs
Copy link
Member Author

szuecs commented Feb 20, 2024

This Awesome project as a list of abandoned projects (at least the Go versions are not all maintained) and what we need is a proper runtime to host in Go, which reduces the amount of projects we can use.
I am not sure if every runtime can run any created wasm binary (do they call it binary?) but that's what I suppose to be the case.

@szuecs
Copy link
Member Author

szuecs commented Feb 23, 2024

I read https://github.com/tetratelabs/proxy-wasm-go-sdk docs and scrolled a bit their code, examples and overview. For me it seems very "generic" to fit envoy proxy. As also the overview docs show. I think this project is not a good fit to use for a wasm filter in skipper. Envoy creates on VM per Thread and use thread-local memory, they also seem to work on the base http stream api and therefore you have a very low level style of work, which is not necessary in our case. Maybe we can see how to use Go interfaces and something like a table (thinking of the lua table in skipper) to pass around the data that you would need to allow to access from a filter (FilterContext like thing).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants