Filter dangerous environment variables before reexec #34177
I will investigate the unit test failure tomorrow. It's not failing locally, but it seems to fail reliably in CI.
@r0mant and @rosstimothy, can you please re-review this fix? After finding failures in CI I had to make some additional changes. They are encompassed in the second commit on this PR.
This change filters potentially dangerous environment variables that could result in code execution. This seemed safest to integrate as a new struct within the `environment.go` in utils. This struct allows us to validate variables as they are built, making sure that regardless of the source we have validated them against our filter list. The environment specific logic was significant enough that the current and new logic was refactored into a new package `envutils`.
In addition this commit adds in a check to look for duplicate keys which may be attempting to overload our set values.
I have removed the duplicate variable handling after discussing with @rosstimothy. There is still a security risk around this behavior, but he has convinced me to follow it up with a second PR to make sure we can land this one soon.
Thanks @jentfoo!
```go
// create a temp file with an environment in it
f, err := os.CreateTemp(t.TempDir(), "teleport-environment-")
require.NoError(t, err)
defer os.Remove(f.Name())
```
Note this isn't strictly necessary since the entire directory is removed at the conclusion of the test
* Filter dangerous environment variables before reexec

  This change filters potentially dangerous environment variables that could result in code execution. This seemed safest to integrate as a new struct within the `environment.go` in utils. This struct allows us to validate variables as they are built, making sure that regardless of the source we have validated them against our filter list. The environment specific logic was significant enough that the current and new logic was refactored into a new package `envutils`.

* Allow the easy addition of execution environment into SafeEnv

  In addition this commit adds in a check to look for duplicate keys which may be attempting to overload our set values.

* Apply PR Feedback and remove env duplicate handling
* Apply additional PR feedback
This test writes sample data to a temporary file and then tries to parse it. In #34177 we disallowed reading the environment file from a symlink, but the Go utilities we use to create temp files end up using symlinks on macOS. Fix this by breaking out the core functionality such that it only requires an io.Reader instead of an os.File.
* Fix TestReadEnvironmentFile on macOS

  This test writes sample data to a temporary file and then tries to parse it. In #34177 we disallowed reading the environment file from a symlink, but the Go utilities we use to create temp files end up using symlinks on macOS. Fix this by breaking out the core functionality such that it only requires an io.Reader instead of an os.File.

* Use consistent language in log output

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
This PR fixes https://github.com/gravitational/teleport-private/issues/1056 by filtering potentially dangerous environment variables that could result in code execution.

This seemed safest to integrate as a new struct within the `environment.go` in utils. This struct allows us to validate variables as they are built, making sure that regardless of the source we have validated them against our filter list.

The environment specific logic was significant enough that the current and new logic was refactored into a new package `envutils`.

changelog: A `medium` severity security fix now prevents LD_PRELOAD and other dangerous environment variables from being forwarded during re-exec
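
The two ideas discussed in this thread, filtering loader-related variables as the environment is built and parsing from an `io.Reader` so the file and symlink checks stay separate from the parsing, shown as an added sketch that is not Teleport's code. The names `readEnv`, `isDenied` and `deniedPrefixes` are hypothetical, and the prefix list is an assumption, since the PR's actual filter list is not shown on this page.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Assumed filter list for this sketch; the PR's real list is not on the page.
var deniedPrefixes = []string{"LD_", "DYLD_"}

// isDenied reports whether a name matches the list (upper-cased to be conservative).
func isDenied(key string) bool {
	key = strings.ToUpper(strings.TrimSpace(key))
	for _, p := range deniedPrefixes {
		if strings.HasPrefix(key, p) {
			return true
		}
	}
	return false
}

// readEnv parses KEY=VALUE lines from any io.Reader, returning kept entries and rejected names.
func readEnv(r io.Reader) (safe []string, rejected []string, err error) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank line or comment
		}
		key, value, ok := strings.Cut(line, "=")
		if key = strings.TrimSpace(key); !ok || key == "" {
			continue // not a KEY=VALUE line
		}
		if isDenied(key) {
			rejected = append(rejected, key) // caller can log the dropped name
			continue
		}
		safe = append(safe, key+"="+value)
	}
	return safe, rejected, sc.Err()
}

func main() {
	// Constructed sample input, not taken from the PR.
	in := "TERM=xterm\nLD_PRELOAD=/tmp/x.so\nLANG=C\n"
	fmt.Println(readEnv(strings.NewReader(in)))
}
```

Because the parser takes an `io.Reader`, a test can feed it a `strings.Reader` and never touch the temp-file path that tripped the symlink check on macOS.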