Insecure and very expensive search for SSH executable #1
Comments
|
Do you really think this is much of an issue? First explicit config in agent properties is checked, Only if all those failed, the extensive filesystem search is done to have as much out-of-the-box works as possible. So if this plugin is used in an unsafe environment, like building PRs from arbitrary people, |
Yes it is. Both security and performance are an issue here.
So basically it will be done on any Windows or not Unix like platform. Also it will be done each time in case of cloud agents on such platforms and it will slow down the agent startup dramatically.
Unfortunately users only look into the logs if something does not work, and even in this case they prefer to send logs to us, JetBrains.
You assume that users know and understand consequences of the file system scan. If all of us were so precautios security vulnerabilities would not be so important. Usually nobody thinks that some malicious code can be executed on their agents and can steal their private SSH keys. So yes, security concern is quite big here. We probably will need to add a noticeable security warning on the plugin page description to warn users about it until the issue is fixed. |
Imho not in the usual case, but ok.
I don't think so, because I expect the users of this plugin actually knowing what they do. And on any Windows or not Unix like platform, the search will most probably not find any
There is no need to threaten me with consequences. :-/ I didn't say I don't do something, I just asked a question. As I have the code already, what would you think if the behavior could be enabled by an agent configuration property and in the documentation for that property of course a prominent hint about security implications. Would that be acceptable? I doubt anyone will activate it, but I have the code in place already, so it wouldn't need much effort to keep it optionally. |
These days it may not be like this for Windows. Windows now allows installing SSH server, also ssh client comes with Git. So some SSH executable can be found, but it can take a lot of time to locate it.
I am sorry it sounded like this, I did not know how to formulate it better as English is not my first language. I just wanted to say that we have to put a warning if we think there can be security issues with the plugin. Then it's up to a user to decide whether they want to use it or not. I am not talking about a warning like: we think this plugin is insecure, don't use it. There'd be an explanation under what circumstances there can be problems.
This would be perfectly fine. With our options we often have so called "auto" mode, if property is set to some "auto" value, then we perform automatic computations, otherwise we treat it as is. |
On non-linux build agents it is likely that the file tree search is done. This means a serious performance hit for build agent startup and a big security issue if you run untrusted builds. Due to that now you have to explicitly configure the SSH executable to 'auto' to enable the file tree scan if you really want it.
|
@pavelsher can you tell me how I edit the update notes in the plugin portal? |
It seems plugin does quite expensive search of an SSH executable on the agent. Seems it scans all agent files for presence of it and then uses the first found SSH executable. Not only this is a very expensive in terms of agent resources, but it also imposes a big security risk. Imagine there was a malicious build on this agent which left some SSH executable in checkout directory. If this SSH will be found, then it can steal private key of another build which uses SSH tunner build feature.
I'd recommend to avoid full scan searches altoghether and rely on either configuration or search for SSH in a well known places where it could be installed by a user with sysadmin permissions.
The text was updated successfully, but these errors were encountered: