Python Function - Killing

I am writing a server base for a conceptual problem that can be posted on some CTF issues. It will be hosted on Ubuntu 12.04 LTS, nginx 1.1.19 and uWSGI 1.0.3-debian, which will handle Python 2.7.3.

The challenge is to use JavaScript loaded in competitors' browsers to initiate a function defined by PyV8 runThis() by successfully entering a function call like XSS. The Python script described below will work as CGI and check the participants' input with PyV8, evaluating whether XSS succeeded or not.

However, the problem is that this Python script is vulnerable to a DoS attack (I believe that some participants can supply this script with "while (1) {}")

I want to deal with this by setting a timeout on evalJavaScript() , so I tried to make a decision that uses SIGALRM from https://stackoverflow.com/a/97722/ ... of this link, but it does not work.

Here is the concept code (greatly simplified so as not to be distracted too much by the game and focus on the current timeout problem):

 #!/usr/bin/env python import PyV8 import cgi, cgitb import signal from contextlib import contextmanager # Timeout handler class TimeoutException(Exception): pass @contextmanager def time_limit(seconds): def timeout(signum, frame): raise TimeoutException, "Timed out!" signal.signal(signal.SIGALRM, timeout) signal.alarm(seconds) try: yield finally: signal.alarm(0) # end Timeout handler # check JavaScript class Global(PyV8.JSClass): def runThis(self): print "You have called this function via JavaScript." def evalJavaScript(post_data): try: ctxt = PyV8.JSContext(Global()) ctxt.enter() ctxt.eval(post_data) ctxt.leave() except Exception, e: print e print "Perhaps syntax error? Try again!" # end JavaScript # CGI form = cgi.FieldStorage() print 'Content-type: text/html' print try: with time_limit(5): evalJavaScript(form.getvalue('javascript')) except TimeoutException, msg: print "Timed out!" # end CGI 

• URL: http://localhost/validation.py?javascript=runThis()

  • Result: "You called this function using JavaScript."

• URL: http://localhost/validation.py?javascript=while(1){}

  • Result: Nginx timeout while the Python script continues to run at 100% CPU usage. I also released kill -ALRM ${pid} for the process, but it had no effect on it.

I also tested a very small script that worked.

 import signal from time import sleep def main(): while 1: sleep(1) print "main" def timeout_handler(signum, frame): raise Exception signal.signal(signal.SIGALRM, timeout_handler) signal.alarm(10) try: main() except: print "whoops" 

Below are the links that I have looked so far:

• Multiprocessing
• You have a function if a certain condition is not met on time
• Python timeout function, timeout less than a second
• Function Call Timeout
• Timeout function using streaming in python not working
• Python server that closes after a while of inactivity
• Multiple sub-processes with timeouts
• How to limit the execution time of a function call in Python How to interrupt / stop / close a hanging multi-threaded python
• http://docs.python.org/2/library/multiprocessing.html
• http://pguides.net/python-tutorial/python-timeout-a-function/

Could you give me a hint about what I'm doing wrong or, better yet, suggest a better way to solve anti-DoS?