Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate interface name passed in ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME #4275

Merged
merged 1 commit into from
Sep 14, 2024
Merged

Validate interface name passed in ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME #4275

merged 1 commit into from
Sep 14, 2024

Conversation

sparrc
Copy link
Contributor

@sparrc sparrc commented Aug 8, 2024
edited
Loading

Summary

ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME allows system administrators to input an interface name in the ecs.config file. This user input is then passed into an exec iptables command here:

amazon-ecs-agent/ecs-init/exec/iptables/iptables.go

Lines 206 to 222 in 4480f9d

func getBlockIntrospectionOffhostAccessInputChainArgs() []string {
return []string{
"INPUT",
"-p", "tcp",
"-i", defaultOffhostIntrospectionInterface,
"--dport", agentIntrospectionServerPort,
"-j", "DROP",
}
}
func getOffhostIntrospectionInterface() (string, error) {
s := os.Getenv(offhostIntrospectonAccessInterfaceEnv)
if s != "" {
return s, nil
}
return getDefaultNetworkInterfaceIPv4()
}

ecs.config is a protected file that only the root user has write access to, so the threat is limited. But we should still validate that this is a valid linux interface name anyways, so that this env var cannot be used to inject an unexpected command into the middle of this iptables command.

Testing

New tests cover the changes: yes

Description for the changelog

Enhancement: Validate ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME is a valid interface name.

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sparrc sparrc requested a review from a team as a code owner August 8, 2024 18:02
singholt
singholt reviewed Aug 8, 2024
View reviewed changes
ecs-init/exec/iptables/iptables.go Outdated Show resolved Hide resolved
ecs-init/exec/iptables/iptables.go Outdated Show resolved Hide resolved
@sparrc sparrc force-pushed the ifname branch 3 times, most recently from 721a74a to eeb3928 Compare August 8, 2024 19:29
@sparrc sparrc added the bot/test label Aug 8, 2024
@sparrc sparrc added the bot/test label Aug 9, 2024
@sparrc sparrc force-pushed the ifname branch 2 times, most recently from 29e82d4 to 0c3276d Compare September 13, 2024 17:15
@sparrc sparrc merged commit b02155d into aws:dev Sep 14, 2024
40 checks passed
@Yiyuanzzz Yiyuanzzz mentioned this pull request Sep 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danehlim danehlim danehlim approved these changes

@singholt singholt singholt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sparrc @singholt @danehlim @amazon-ecs-bot