Authorize agents remoting by UUID #8877

Merged


marques-work
Member

Validate agent UUID during remoting requests to prevent clients from acting on behalf of other agents

Prior to this change, it was possible for an authenticated agent to act on behalf of another agent. This is a security issue because if one agent is compromised, an attacker could request work or perform other duties intended for other agents. This was possible because the UUID to perform work was sourced from the deserialized object stream and not verified to be the same UUID that was permitted by the authentication filter. Essentially, an authenticated client could request work for any arbitrary agent. This would give access to decrypted secrets for a build.

This commit introduces a custom HttpInvokerServiceExporter that validates the UUID from the X-Agent-GUID header matches the UUID from the deserialized AgentRuntimeInfo and AgentIdentifier objects and returns an appropriate error code when this validation fails.

@marques-work marques-work self-assigned this Dec 11, 2020
@marques-work marques-work added agents security Pull requests that address a security vulnerability labels Dec 11, 2020
@marques-work marques-work added this to the Release 20.11.0 milestone Dec 11, 2020
@marques-work marques-work force-pushed the authorize-agents-remoting-by-uuid branch from c3f4881 to cc1b54b Compare December 31, 2020 23:36
…acting on behalf of other agents

Prior to this change, it was possible for an authenticated agent to act on behalf of another agent.
This is a security issue because if one agent is compromised, an attacker could request work or perform
other duties intended for other agents. This was possible because the UUID to perform work was sourced
from the deserialized object stream and not verified to be the same UUID that was permitted by the
authentication filter. Essentially, an authenticated client could request work for any arbitrary agent.
This would give access to decrypted secrets for a build.

This commit introduces a custom `HttpInvokerServiceExporter` that validates the UUID from the
`X-Agent-GUID` header matches the UUID from the deserialized `AgentRuntimeInfo` and `AgentIdentifier`
objects and returns an appropriate error code when this validation fails.
@marques-work marques-work force-pushed the authorize-agents-remoting-by-uuid branch from 1702af0 to 73b8835 Compare January 1, 2021 00:30
@marques-work marques-work merged commit 3da524e into gocd:master Jan 1, 2021
6 checks passed
@maheshp maheshp added this to In progress in 21.1.0 Jan 4, 2021
@maheshp maheshp moved this from In progress to Done in 21.1.0 Jan 4, 2021
@marques-work marques-work moved this from Done to QA Done in 21.1.0 Jan 12, 2021
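
The check described in the pull request, sketched in plain Java as an added example (this is not GoCD's code and not taken from the PR). The records are simplified stand-ins named after the classes in the description; the `Invocation` type, the method names, the UUID values and the 400/403 status codes are assumptions, since the PR only says "an appropriate error code".

```java
import java.util.List;

// Added illustration, not GoCD source. Type and method names are hypothetical stand-ins.
public class AgentUuidCheck {
    record AgentIdentifier(String hostName, String uuid) {}
    record AgentRuntimeInfo(AgentIdentifier identifier, String status) {}
    // A deserialized remote call: method name plus its arguments.
    record Invocation(String method, List<Object> args) {}

    // Assumed status codes; the PR only says "an appropriate error code".
    static final int OK = 200, BAD_REQUEST = 400, FORBIDDEN = 403;

    static boolean namesAgent(Object arg) {
        return arg instanceof AgentRuntimeInfo || arg instanceof AgentIdentifier;
    }

    // UUID claimed inside a deserialized argument, or null when it is absent.
    static String claimedUuid(Object arg) {
        if (arg instanceof AgentRuntimeInfo info) {
            return info.identifier() == null ? null : info.identifier().uuid();
        }
        return arg instanceof AgentIdentifier id ? id.uuid() : null;
    }

    // headerUuid: the X-Agent-GUID value the authentication filter already accepted.
    static int authorize(String headerUuid, Invocation call) {
        if (headerUuid == null || headerUuid.isBlank()) return BAD_REQUEST;
        boolean sawAgent = false;
        for (Object arg : call.args()) {
            if (!namesAgent(arg)) continue;
            sawAgent = true;
            // Fail closed: a missing or different UUID in the body is a mismatch.
            if (!headerUuid.equals(claimedUuid(arg))) return FORBIDDEN;
        }
        // Assumption of this sketch: a call that names no agent is rejected.
        return sawAgent ? OK : BAD_REQUEST;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String a = "11111111-aaaa-4aaa-8aaa-aaaaaaaaaaaa", b = "22222222-bbbb-4bbb-8bbb-bbbbbbbbbbbb";
        var own = new Invocation("requestWork", List.of(new AgentRuntimeInfo(new AgentIdentifier("agent-a", a), "Idle")));
        var other = new Invocation("requestWork", List.of(new AgentRuntimeInfo(new AgentIdentifier("agent-b", b), "Idle")));
        var mixed = new Invocation("report", List.of(new AgentIdentifier("agent-a", a), new AgentIdentifier("agent-b", b)));
        System.out.println("own UUID in body   -> " + authorize(a, own));
        System.out.println("other UUID in body -> " + authorize(a, other));
        System.out.println("second arg differs -> " + authorize(a, mixed));
    }
}
```

Runs as a single file with Java 17 or later (`java AgentUuidCheck.java`).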