
Support wildcard domains #236

Closed
jauderho opened this issue Jan 20, 2023 · 10 comments · Fixed by #292

Comments

@jauderho (Contributor)

Microsoft publishes container images on mcr.microsoft.com, for example mcr.microsoft.com/dotnet/sdk:7.0.

However, when building a Docker image using GitHub Actions, it appears that mcr.microsoft.com resolves to multiple regions across different runs.

Observed:

  • westus.data.mcr.microsoft.com
  • westcentralus.data.mcr.microsoft.com

So instead of having to slowly track and whitelist individual regions, I'm hoping that you can just allowlist *.mcr.microsoft.com

@varunsh-coder (Member)

Hi @jauderho, can you please share a link to a workflow where you observed this? Thanks!

@jauderho (Contributor, Author) commented Jan 20, 2023

Interesting, harden-runner does not actually capture the subdomain in the harden-runner output: https://app.stepsecurity.io/github/jauderho/dockerfiles/actions/runs/3965278228

But this can be seen in the GHA output: https://github.com/jauderho/dockerfiles/actions/runs/3965278228/jobs/6794861825#step:20:51

This is for a successful run where mcr.microsoft.com resolves to eastus.mcr.microsoft.com

@jauderho (Contributor, Author) commented Jan 20, 2023

This is for an unsuccessful run. I just enabled telemetry and set it to block.

As you can see from the harden-runner output, only mcr.microsoft.com shows up in the recommended policy for allowed-endpoints but not eastus.data.mcr.microsoft.com.

@sozercan commented Jan 27, 2023

Seeing the same issue after changing the egress policy to block while allowlisting mcr.microsoft.com.

https://github.com/Azure/eraser/actions/runs/4028112467/jobs/6924673782#step:10:31

@varunsh-coder (Member)

Thanks for reporting, @sozercan! It looks like MCR decides at runtime what location to pull from.

Investigating this issue is in the backlog and we will get to it soon.

@h0x0er please investigate this next. Thanks!

@h0x0er (Member) commented Feb 3, 2023

@varunsh-coder, I found that mcr.microsoft.com is used for content-discovery, whereas in order to download image blobs various region specific content-delivery endpoints are used.

The structure of the content-delivery endpoints is <region>.data.mcr.microsoft.com. The list of regions can be found here.

On executing the command below you will notice that a call to the content-discovery endpoint redirects to a region-specific content-delivery endpoint.

curl https://mcr.microsoft.com/v2/dotnet/aspnet/blobs/sha256:ac9a37082c6dec16dd5bd45d54a08f2e479d37222f2732f5b464e9dd5d454f0a

Ref:

  1. https://github.com/microsoft/containerregistry/blob/main/client-firewall-rules.md
  2. https://github.com/microsoft/containerregistry/blob/main/docs/mcr-endpoints-guidance.md

@varunsh-coder varunsh-coder changed the title Please consider allowlisting *.mcr.microsoft.com Support wildcard domains Apr 14, 2023
@varunsh-coder (Member)

I have updated the title to a more generic feature - Support wildcard domains.

@varunsh-coder (Member)

@h0x0er is working on implementing this feature. We plan to release it in two weeks. I will share an rc build to try out in a few days.

@varunsh-coder (Member)

This feature is now available on the rc tag. Here are a couple of examples. Please try it out and let me know if you have any feedback or questions.

https://github.com/harden-runner-canary/secure-repo-1/blob/166fc181bd964106b97a7dfe5fb13c94b4f20d9d/.github/workflows/release.yml#L23

https://github.com/harden-runner-canary/nvm/blob/72beb77f654e5cdbfa5f259f36eec20f2ca95493/.github/workflows/lint.yml#L32
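
The following is an added example, not harden-runner's own code, tying together the two technical points of this thread: h0x0er's observation that a blob request to the content-discovery host mcr.microsoft.com redirects to a <region>.data.mcr.microsoft.com content-delivery host, and the wildcard allowed-endpoints rule the feature introduces. It parses a harden-runner style `host:port` policy, walks a constructed redirect chain (the 307 status and the `eastus.data.mcr.microsoft.com` Location value are assumptions shaped like the thread's examples, not a captured response), and reports which hosts each policy would permit. The matching semantics (`*.` covers one or more leading labels but not the apex; an apex entry must be listed separately) are this example's assumption, not necessarily the project's implementation; check the project's documentation for the exact rules.

```python
# Wildcard egress-policy check for a harden-runner style allowed-endpoints list.
# Added example, not harden-runner's code. The "*." matching rules and the
# sample redirect chain below are assumptions made for illustration.
from __future__ import annotations

from urllib.parse import urlsplit

BLOB = "sha256:ac9a37082c6dec16dd5bd45d54a08f2e479d37222f2732f5b464e9dd5d454f0a"

# Constructed sample: the hops a client makes when fetching a blob via the
# content-discovery host. Status codes and Location values are illustrative
# (assumption), shaped like the <region>.data.mcr.microsoft.com hosts in the issue.
SAMPLE_CHAIN = [
    # (request URL, HTTP status, Location header or None)
    (f"https://mcr.microsoft.com/v2/dotnet/aspnet/blobs/{BLOB}", 307,
     f"https://eastus.data.mcr.microsoft.com/blobs/{BLOB}"),
    (f"https://eastus.data.mcr.microsoft.com/blobs/{BLOB}", 200, None),
]


def parse_policy(policy: str) -> list[tuple[str, int]]:
    """Parse 'host:port' lines (one per line, as in allowed-endpoints) into rules."""
    rules = []
    for raw in policy.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"rule {line!r} has no port")
        rules.append((host.lower().rstrip("."), int(port)))
    return rules


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.' prefix matching one or more leading DNS labels.

    Assumption: '*.example.com' covers 'a.example.com' and 'a.b.example.com'
    but not the apex 'example.com'; list the apex as its own rule.
    """
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mcr.microsoft.com"; the leading dot stops
        # a look-alike such as "evilmcr.microsoft.com" from matching.
        return host.endswith(suffix) and len(host) > len(suffix)
    return False


def endpoint_allowed(host: str, port: int, rules: list[tuple[str, int]]) -> bool:
    """True if any rule matches both the host pattern and the port."""
    return any(port == rule_port and host_matches(pattern, host)
               for pattern, rule_port in rules)


def hosts_in_chain(chain) -> list[tuple[str, int]]:
    """Every (host, port) a client connects to while following the redirects."""
    seen: list[tuple[str, int]] = []
    for url, _status, location in chain:
        for u in (url, location):
            if u is None:
                continue
            parts = urlsplit(u)
            port = parts.port or (443 if parts.scheme == "https" else 80)
            endpoint = (parts.hostname, port)
            if endpoint not in seen:
                seen.append(endpoint)
    return seen


def audit(policy: str, chain=SAMPLE_CHAIN) -> dict[str, bool]:
    """Map each host touched by the chain to whether the policy permits it."""
    rules = parse_policy(policy)
    return {host: endpoint_allowed(host, port, rules)
            for host, port in hosts_in_chain(chain)}


# The policy from the thread that blocked the pull, and the wildcard fix.
NARROW_POLICY = "mcr.microsoft.com:443\n"
WILDCARD_POLICY = "mcr.microsoft.com:443\n*.mcr.microsoft.com:443\n"

if __name__ == "__main__":
    for name, policy in (("narrow", NARROW_POLICY), ("wildcard", WILDCARD_POLICY)):
        print(name, audit(policy))
```

Running it shows the narrow policy permitting mcr.microsoft.com but denying eastus.data.mcr.microsoft.com, which is exactly the failure sozercan and jauderho hit, while the wildcard policy permits both. The port is matched separately from the host so that a wildcard on 443 does not silently open plaintext 80 to the same domains.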
