Disable option substitution into scripts #1762

Closed
ltamaster opened this Issue Mar 23, 2016 · 5 comments

Projects

None yet

6 participants

@ltamaster
Contributor

It could be useful to be able to deactivate the feature to substitute option values into scripts with @option.foo@

This doesn't meet our security requirements, and we need to require the use of the RD_OPTION_* environment variables instead.

@plambert

+1 for this.

@solaryeti

Based on the mention of security requirements, I assume this is referring to the ability to inject code via variables. As an example, given a job with an option called foo and a script step containing the following:

#!/usr/bin/env bash
echo $RD_OPTION_FOO
echo @option.foo@

and passed "foo; ls -l /" to the foo option when running the job, you'd get the following output:

foo; ls -l /
foo
total 44
lrwxrwxrwx.   1 root    root       7 Mar 16  2016 bin -> usr/bin
dr-xr-xr-x.   4 root    root    4096 Oct  4 10:02 boot
drwxr-xr-x   19 root    root    3160 Nov  1 09:12 dev
drwxr-xr-x.  95 root    root    8192 Nov  1 09:12 etc
drwxr-xr-x.   4 root    root      33 Oct  3 09:40 home
[rest of output omitted

If so, I'd also like to either see an option to disable @option.*@ variables or to make them safe for use in scripts.

@gschueler gschueler added this to the 2.7.0 milestone Nov 1, 2016
@ahonor
Contributor
ahonor commented Nov 28, 2016

This can be a global (e.g., framework) level configuration assuming it's undesired behavior for the whole app. Curious if anybody wants this configuration flag on a per project basis.

@danifr
Contributor
danifr commented Nov 28, 2016

I do agree they can represent a security issue however it can be easily fixed if you just don't use them in your code.

Am I missing something?

@solaryeti

@ahonor I'm happy for it to be global.
@danifr Unfortunately it isn't as simple as that once you have a larger or extended group of people editing or creating jobs. As an example, I went through all our jobs a couple of weeks ago and replaced all the @option.foo@ variables for $RD_OPTION_FOO. Earlier this week I discovered someone had created a new job with @option.foo@. That's why it would be nice to either have that be shell safe in scripts or be able to disable it completely so that I don't have to be constantly watching if someone has introduced it somewhere.

@gschueler gschueler added a commit that referenced this issue Nov 29, 2016
@gschueler gschueler allow disabling inline script token substitution fix #1762
use framework.properties config:

    execution.script.tokenexpansion.enabled=false
d347eed
@gschueler gschueler added a commit that referenced this issue Nov 29, 2016
@gschueler gschueler add documentation #1762 99851c4
@gschueler gschueler added a commit that closed this issue Nov 29, 2016
@gschueler gschueler Add global setting to disable inline script token expansion (#2208)
* allow disabling inline script token substitution fix #1762

use framework.properties config:

    execution.script.tokenexpansion.enabled=false

* add documentation #1762
d352a0d
@gschueler gschueler closed this in d352a0d Nov 29, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment