🔒 security(healthcheck): harden HTTPS probe against shell injection by replacing popen with direct fork/exec

- Drop popen()/FILE stream approach that relied on shell command interpolation
- Locate openssl binary explicitly from known paths via access() probe
- Fork/exec with pipes, poll-driven I/O, SIGPIPE handling, and explicit child cleanup
- Add popen-blocker test that verifies the probe still succeeds when popen() is unavailable

Author: s-b-e-n-s-o-n

app/healthcheck.binary.test.ts

@@ -54,6 +54,71 @@ async function runProbe(binaryPath: string, port: number, env: NodeJS.ProcessEnv
   });
 }
 
+function compilePopenBlocker(sourcePath: string, libraryPath: string) {
+  const source =
+    process.platform === 'darwin'
+      ? [
+          '#include <errno.h>',
+          '#include <stdio.h>',
+          '',
+          '#define DYLD_INTERPOSE(_replacement, _replacee) \\',
+          '  __attribute__((used)) static struct { \\',
+          '    const void *replacement; \\',
+          '    const void *replacee; \\',
+          '  } _interpose_##_replacee \\',
+          '    __attribute__((section("__DATA,__interpose"))) = { \\',
+          '      (const void *)(unsigned long)&_replacement, \\',
+          '      (const void *)(unsigned long)&_replacee \\',
+          '    };',
+          '',
+          'static FILE *block_popen(const char *command, const char *type) {',
+          '  (void)command;',
+          '  (void)type;',
+          '  errno = EPERM;',
+          '  return NULL;',
+          '}',
+          '',
+          'DYLD_INTERPOSE(block_popen, popen);',
+          '',
+        ].join('\n')
+      : [
+          '#include <errno.h>',
+          '#include <stdio.h>',
+          '',
+          'FILE *popen(const char *command, const char *type) {',
+          '  (void)command;',
+          '  (void)type;',
+          '  errno = EPERM;',
+          '  return NULL;',
+          '}',
+          '',
+        ].join('\n');
+
+  fs.writeFileSync(sourcePath, source);
+
+  const args =
+    process.platform === 'darwin'
+      ? ['-dynamiclib', sourcePath, '-o', libraryPath]
+      : ['-shared', '-fPIC', sourcePath, '-o', libraryPath];
+
+  execFileSync('cc', args, { stdio: 'ignore' });
+}
+
+function withPopenBlocked(env: NodeJS.ProcessEnv, libraryPath: string): NodeJS.ProcessEnv {
+  if (process.platform === 'darwin') {
+    return {
+      ...env,
+      DYLD_FORCE_FLAT_NAMESPACE: '1',
+      DYLD_INSERT_LIBRARIES: libraryPath,
+    };
+  }
+
+  return {
+    ...env,
+    LD_PRELOAD: libraryPath,
+  };
+}
+
 const probeHandler: http.RequestListener = (req, res) => {
   if (req.url === '/health') {
     res.writeHead(200, { 'content-type': 'application/json' });
@@ -69,6 +134,11 @@ describe('/bin/healthcheck compatibility', () => {
   const binaryPath = path.join(tempDir, 'healthcheck');
   const keyPath = path.join(tempDir, 'key.pem');
   const certPath = path.join(tempDir, 'cert.pem');
+  const popenBlockerSourcePath = path.join(tempDir, 'block-popen.c');
+  const popenBlockerLibraryPath = path.join(
+    tempDir,
+    process.platform === 'darwin' ? 'block-popen.dylib' : 'block-popen.so',
+  );
   const sourcePath = path.resolve(import.meta.dirname, '..', 'healthcheck.c');
 
   beforeAll(() => {
@@ -93,6 +163,7 @@ describe('/bin/healthcheck compatibility', () => {
       { stdio: 'ignore' },
     );
     execFileSync('cc', ['-Os', sourcePath, '-o', binaryPath], { stdio: 'ignore' });
+    compilePopenBlocker(popenBlockerSourcePath, popenBlockerLibraryPath);
   });
 
   afterAll(() => {
@@ -127,4 +198,30 @@ describe('/bin/healthcheck compatibility', () => {
       await close(server);
     }
   });
+
+  test('succeeds against HTTPS without relying on popen()', async () => {
+    const server = https.createServer(
+      {
+        key: fs.readFileSync(keyPath),
+        cert: fs.readFileSync(certPath),
+      },
+      probeHandler,
+    );
+
+    const port = await listen(server);
+    try {
+      expect(
+        await runProbe(
+          binaryPath,
+          port,
+          withPopenBlocked(
+            { ...process.env, DD_SERVER_TLS_ENABLED: 'true' },
+            popenBlockerLibraryPath,
+          ),
+        ),
+      ).toBe(0);
+    } finally {
+      await close(server);
+    }
+  });
 });

healthcheck.c

@@ -11,8 +11,13 @@
  */
 
 #include <sys/time.h>
+#include <sys/wait.h>
 #include <arpa/inet.h>
+#include <errno.h>
+#include <fcntl.h>
 #include <netinet/in.h>
+#include <poll.h>
+#include <signal.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -37,30 +42,194 @@ static int is_tls_enabled(void) {
     return value != NULL && (strcasecmp(value, "true") == 0 || strcmp(value, "1") == 0);
 }
 
-static int probe_https(int port) {
-    char cmd[BUF_SIZE * 2];
-    snprintf(
-        cmd,
-        sizeof(cmd),
-        "printf 'GET /health HTTP/1.0\\r\\nHost: localhost\\r\\n\\r\\n' | "
-        "openssl s_client -quiet -connect 127.0.0.1:%d -servername localhost 2>/dev/null",
-        port
-    );
-
-    FILE *fp = popen(cmd, "r");
-    if (!fp)
+static const char *find_openssl_binary(void) {
+    static const char *candidates[] = {
+        "/usr/bin/openssl",
+        "/bin/openssl",
+        "/usr/local/bin/openssl",
+        "/opt/homebrew/bin/openssl",
+        NULL,
+    };
+
+    for (size_t i = 0; candidates[i] != NULL; i++) {
+        if (access(candidates[i], X_OK) == 0)
+            return candidates[i];
+    }
+
+    return NULL;
+}
+
+static int wait_for_fd(int fd, short events) {
+    struct pollfd pfd = {
+        .fd = fd,
+        .events = events,
+    };
+
+    while (1) {
+        int rc = poll(&pfd, 1, TIMEOUT_SEC * 1000);
+        if (rc > 0) {
+            if ((pfd.revents & (POLLERR | POLLNVAL)) != 0)
+                return 1;
+
+            short ready_events = events;
+            if ((events & POLLIN) != 0)
+                ready_events |= POLLHUP;
+
+            return (pfd.revents & ready_events) != 0 ? 0 : 1;
+        }
+
+        if (rc == 0)
+            return 1;
+
+        if (errno != EINTR)
+            return 1;
+    }
+}
+
+static int write_all(int fd, const char *buf, size_t len) {
+    size_t written = 0;
+
+    while (written < len) {
+        if (wait_for_fd(fd, POLLOUT) != 0)
+            return 1;
+
+        ssize_t n = write(fd, buf + written, len - written);
+        if (n > 0) {
+            written += (size_t)n;
+            continue;
+        }
+
+        if (n < 0 && errno == EINTR)
+            continue;
+
         return 1;
+    }
+
+    return 0;
+}
 
+static int write_all_without_sigpipe(int fd, const char *buf, size_t len) {
+    void (*previous)(int) = signal(SIGPIPE, SIG_IGN);
+    int rc = write_all(fd, buf, len);
+    signal(SIGPIPE, previous);
+    return rc;
+}
+
+static int read_http_status_line(int fd) {
     char buf[BUF_SIZE];
-    int status = 0;
-    while (fgets(buf, sizeof(buf), fp)) {
-        if (strncmp(buf, "HTTP/", 5) == 0) {
-            status = parse_http_status(buf);
+    size_t used = 0;
+
+    while (used < sizeof(buf) - 1) {
+        if (wait_for_fd(fd, POLLIN) != 0)
+            return 0;
+
+        ssize_t n = read(fd, buf + used, sizeof(buf) - 1 - used);
+        if (n > 0) {
+            used += (size_t)n;
+            buf[used] = '\0';
+
+            char *status_line = strstr(buf, "HTTP/");
+            if (status_line != NULL)
+                return parse_http_status(status_line);
+
+            continue;
+        }
+
+        if (n == 0)
+            break;
+
+        if (errno != EINTR)
             break;
+    }
+
+    return 0;
+}
+
+static void terminate_child(pid_t pid) {
+    if (pid <= 0)
+        return;
+
+    kill(pid, SIGKILL);
+    waitpid(pid, NULL, 0);
+}
+
+static int probe_https(int port) {
+    const char *openssl_binary = find_openssl_binary();
+    if (openssl_binary == NULL)
+        return 1;
+
+    char connect_arg[32];
+    int connect_len = snprintf(connect_arg, sizeof(connect_arg), "127.0.0.1:%d", port);
+    if (connect_len <= 0 || connect_len >= (int)sizeof(connect_arg))
+        return 1;
+
+    int stdin_pipe[2] = {-1, -1};
+    int stdout_pipe[2] = {-1, -1};
+    pid_t pid = -1;
+    int status = 0;
+
+    if (pipe(stdin_pipe) < 0 || pipe(stdout_pipe) < 0)
+        goto cleanup;
+
+    pid = fork();
+    if (pid < 0)
+        goto cleanup;
+
+    if (pid == 0) {
+        int devnull = open("/dev/null", O_WRONLY);
+        if (
+            dup2(stdin_pipe[0], STDIN_FILENO) < 0 || dup2(stdout_pipe[1], STDOUT_FILENO) < 0 ||
+            (devnull >= 0 && dup2(devnull, STDERR_FILENO) < 0)
+        ) {
+            _exit(127);
         }
+
+        close(stdin_pipe[0]);
+        close(stdin_pipe[1]);
+        close(stdout_pipe[0]);
+        close(stdout_pipe[1]);
+        if (devnull >= 0)
+            close(devnull);
+
+        char *const argv[] = {
+            (char *)openssl_binary,
+            "s_client",
+            "-quiet",
+            "-connect",
+            connect_arg,
+            "-servername",
+            "localhost",
+            NULL,
+        };
+        execv(openssl_binary, argv);
+        _exit(127);
     }
 
-    pclose(fp);
+    close(stdin_pipe[0]);
+    stdin_pipe[0] = -1;
+    close(stdout_pipe[1]);
+    stdout_pipe[1] = -1;
+
+    const char *req = "GET /health HTTP/1.0\r\nHost: localhost\r\n\r\n";
+    if (write_all_without_sigpipe(stdin_pipe[1], req, strlen(req)) != 0)
+        goto cleanup;
+
+    close(stdin_pipe[1]);
+    stdin_pipe[1] = -1;
+
+    status = read_http_status_line(stdout_pipe[0]);
+
+cleanup:
+    if (stdin_pipe[0] >= 0)
+        close(stdin_pipe[0]);
+    if (stdin_pipe[1] >= 0)
+        close(stdin_pipe[1]);
+    if (stdout_pipe[0] >= 0)
+        close(stdout_pipe[0]);
+    if (stdout_pipe[1] >= 0)
+        close(stdout_pipe[1]);
+    terminate_child(pid);
+
     return (status >= 200 && status <= 299) ? 0 : 1;
 }