From ed4b88166e0e7fbb0101f179db4372472852dfa4 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Fri, 15 Jun 2018 15:23:57 -0400
Subject: [PATCH] SECURITY: Remove runaway cpu/memory tests.
These should not be in the public plugin accessible via a GET. At the very least they should require an environment variable and CSRF protection. I'm removing them because they don't seem commonly used.
---
 .../docker_manager/admin_controller.rb | 24 +------------------
 config/routes.rb | 2 --
 lib/docker_manager/git_repo.rb | 2 +-
 3 files changed, 2 insertions(+), 26 deletions(-)
diff --git a/app/controllers/docker_manager/admin_controller.rb b/app/controllers/docker_manager/admin_controller.rb
index 68ddaeb..6714959 100644
--- a/app/controllers/docker_manager/admin_controller.rb
+++ b/app/controllers/docker_manager/admin_controller.rb
@@ -64,7 +64,7 @@ module DockerManager
 repo = DockerManager::GitRepo.find(params[:path])
 raise Discourse::NotFound unless repo.present?
- repo.update! if Rails.env == 'production'
+ repo.update_remote! if Rails.env == 'production'
 render json: {
 latest: {
@@ -103,27 +103,5 @@ module DockerManager
 end
 render plain: ps_output
 end
-
- def runaway_cpu
- Thread.new do
- a = 1
- while true
- a += 1
- end
- end
- render plain: "Killing CPU on #{Process.pid}"
- end
-
- def runaway_mem
- Thread.new do
- a = []
- while true
- a << Array.new(50_000_000 / 8)
- sleep 30
- end
- end
- render plain: "Leaking memory on #{Process.pid}"
- end
-
 end
 end
diff --git a/config/routes.rb b/config/routes.rb
index 0b37696..615ae98 100644
--- a/config/routes.rb
+++ b/config/routes.rb
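Review bot: The rename on the `+` line leaves `repo.update_remote! if Rails.env == 'production'` running a `git remote update` (a network fetch and repository side effect) in the middle of a request whose target is chosen by the caller through `params[:path]` two lines above, and the CSRF concern the commit message raises for the removed endpoints applies here as well if this action is routed as a GET — its route and method name are outside the hunk, so confirm. The lookup is only safe if `DockerManager::GitRepo.find` matches `params[:path]` against the fixed set of managed repositories rather than using it as a filesystem path, because `update_remote!` interpolates `path` into a shell command (git_repo.rb in this patch); `find` is not shown, so verify it rejects unknown values. As a minor point of style, `repo.update_remote! if Rails.env.production?` is the idiomatic spelling of the environment check. The enclosing action starts and ends outside the hunk.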
@@ -7,7 +7,5 @@ DockerManager::Engine.routes.draw do
 get "admin/docker/ps" => "admin#ps", constraints: AdminConstraint.new
 post "admin/docker/upgrade" => "admin#upgrade", constraints: AdminConstraint.new
 delete "admin/docker/upgrade" => "admin#reset_upgrade", constraints: AdminConstraint.new
- get "admin/docker/runaway_cpu" => "admin#runaway_cpu", constraints: AdminConstraint.new
- get "admin/docker/runaway_mem" => "admin#runaway_mem", constraints: AdminConstraint.new
 get 'admin/docker/csrf' => 'admin#csrf', constraints: AdminConstraint.new
 end
diff --git a/lib/docker_manager/git_repo.rb b/lib/docker_manager/git_repo.rb
index 7611555..4fcded8 100644
--- a/lib/docker_manager/git_repo.rb
+++ b/lib/docker_manager/git_repo.rb
@@ -59,7 +59,7 @@ class DockerManager::GitRepo
 url
 end
- def update!
+ def update_remote!
 `cd #{path} && git remote update`
 end
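Review bot: The body kept under the renamed `update_remote!` still builds the command by interpolating `path` into a backtick string, `cd #{path} && git remote update`, so a path containing a space, `;` or `$(…)` either breaks the command or injects into the shell; the only caller in this patch reaches it through `GitRepo.find(params[:path])`, whose validation is not shown. Passing an argument vector avoids the shell entirely whatever `find` returns, e.g. `IO.popen(['git', '-C', path, 'remote', 'update'], &:read)`, which returns the output the way the backticks do. The backtick form also discards the exit status, so a failed fetch is silently treated as success unless a caller inspects `$?`; consider raising when `$?.success?` is false. The enclosing class continues outside the hunk.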