Filter dangerous environment variables before reexec#34177
Merged
Conversation
r0mant
approved these changes
Nov 2, 2023
reedloden
approved these changes
Nov 2, 2023
Contributor
Author
|
I will investigate the unit test failure tomorrow. It's not failing locally, but it seems to fail reliably in CI. |
jentfoo
force-pushed
the
jent/exec_env_filter
branch
3 times, most recently
from
90436e1 to
2af79b8
Compare
Contributor
Author
|
@r0mant and @rosstimothy, can you please re-review this fix? After finding failures in CI I had to make some additional changes. They are encompassed in the second commit on this PR |
rosstimothy
reviewed
Nov 6, 2023
This change filters potentially dangerous environment variables that could result in code execution. This seemed safest to integrate as a new struct within the `environment.go` in utils. This struct allows us to validate variables as they are built, making sure that regardless of the source we have validated them against our filter list. The environment specific logic was significant enough that the current and new logic was refactored into a new package `envutils`.
In addition this commit adds in a check to look for duplicate keys which may be attempting to overload our set values.
jentfoo
force-pushed
the
jent/exec_env_filter
branch
2 times, most recently
from
1c05137 to
a44d9d0
Compare
jentfoo
force-pushed
the
jent/exec_env_filter
branch
from
f659ac0 to
9fcca89
Compare
Contributor
Author
|
I have removed the duplicate variable handling after discussing with @rosstimothy. There is still a security risk around this behavior, but he has convinced me to follow it up with a second PR to make sure we can land this one soon. |
rosstimothy
approved these changes
Nov 6, 2023
| // create a temp file with an environment in it | ||
| f, err := os.CreateTemp(t.TempDir(), "teleport-environment-") | ||
| require.NoError(t, err) | ||
| defer os.Remove(f.Name()) |
Contributor
There was a problem hiding this comment.
Note this isn't strictly necessary since the entire directory is removed at the conclusion of the test
public-teleport-github-review-bot
Bot
removed request for
Tener and
klizhentas
public-teleport-github-review-bot
Bot
removed the request for review
from zmb3
jentfoo
added a commit
that referenced
this pull request
Nov 6, 2023
* Filter dangerous environment variables before reexec This change filters potentially dangerous environment variables that could result in code execution. This seemed safest to integrate as a new struct within the `environment.go` in utils. This struct allows us to validate variables as they are built, making sure that regardless of the source we have validated them against our filter list. The environment specific logic was significant enough that the current and new logic was refactored into a new package `envutils`. * Allow the easy addition of execution environment into SafeEnv In addition this commit adds in a check to look for duplicate keys which may be attempting to overload our set values. * Apply PR Feedback and remove env duplicate handling * Apply additional PR feedback
jentfoo
added a commit
that referenced
this pull request
Nov 6, 2023
* Filter dangerous environment variables before reexec This change filters potentially dangerous environment variables that could result in code execution. This seemed safest to integrate as a new struct within the `environment.go` in utils. This struct allows us to validate variables as they are built, making sure that regardless of the source we have validated them against our filter list. The environment specific logic was significant enough that the current and new logic was refactored into a new package `envutils`. * Allow the easy addition of execution environment into SafeEnv In addition this commit adds in a check to look for duplicate keys which may be attempting to overload our set values. * Apply PR Feedback and remove env duplicate handling * Apply additional PR feedback
This was referenced Nov 6, 2023
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Nov 7, 2023
* Filter dangerous environment variables before reexec This change filters potentially dangerous environment variables that could result in code execution. This seemed safest to integrate as a new struct within the `environment.go` in utils. This struct allows us to validate variables as they are built, making sure that regardless of the source we have validated them against our filter list. The environment specific logic was significant enough that the current and new logic was refactored into a new package `envutils`. * Allow the easy addition of execution environment into SafeEnv In addition this commit adds in a check to look for duplicate keys which may be attempting to overload our set values. * Apply PR Feedback and remove env duplicate handling * Apply additional PR feedback
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Nov 7, 2023
* Filter dangerous environment variables before reexec This change filters potentially dangerous environment variables that could result in code execution. This seemed safest to integrate as a new struct within the `environment.go` in utils. This struct allows us to validate variables as they are built, making sure that regardless of the source we have validated them against our filter list. The environment specific logic was significant enough that the current and new logic was refactored into a new package `envutils`. * Allow the easy addition of execution environment into SafeEnv In addition this commit adds in a check to look for duplicate keys which may be attempting to overload our set values. * Apply PR Feedback and remove env duplicate handling * Apply additional PR feedback
zmb3
added a commit
that referenced
this pull request
Feb 9, 2024
This test writes sample data to a temporary file and then tries to parse it. In #34177 we disallowed reading the environment file from a symlink, but the Go utilities we use to create temp files end up using symlinks on macOS. Fix this by breaking out the core functionality such that it only requires an io.Reader instead of an os.File.
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Feb 14, 2024
* Fix TestReadEnvironmentFile on macOS This test writes sample data to a temporary file and then tries to parse it. In #34177 we disallowed reading the environment file from a symlink, but the Go utilities we use to create temp files end up using symlinks on macOS. Fix this by breaking out the core functionality such that it only requires an io.Reader instead of an os.File. * Use consistent language in log output Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
github-actions Bot
pushed a commit
that referenced
this pull request
Feb 14, 2024
This test writes sample data to a temporary file and then tries to parse it. In #34177 we disallowed reading the environment file from a symlink, but the Go utilities we use to create temp files end up using symlinks on macOS. Fix this by breaking out the core functionality such that it only requires an io.Reader instead of an os.File.
github-actions Bot
pushed a commit
that referenced
this pull request
Feb 14, 2024
This test writes sample data to a temporary file and then tries to parse it. In #34177 we disallowed reading the environment file from a symlink, but the Go utilities we use to create temp files end up using symlinks on macOS. Fix this by breaking out the core functionality such that it only requires an io.Reader instead of an os.File.
github-actions Bot
pushed a commit
that referenced
this pull request
Feb 14, 2024
This test writes sample data to a temporary file and then tries to parse it. In #34177 we disallowed reading the environment file from a symlink, but the Go utilities we use to create temp files end up using symlinks on macOS. Fix this by breaking out the core functionality such that it only requires an io.Reader instead of an os.File.
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Feb 15, 2024
* Fix TestReadEnvironmentFile on macOS This test writes sample data to a temporary file and then tries to parse it. In #34177 we disallowed reading the environment file from a symlink, but the Go utilities we use to create temp files end up using symlinks on macOS. Fix this by breaking out the core functionality such that it only requires an io.Reader instead of an os.File. * Use consistent language in log output Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Feb 15, 2024
* Fix TestReadEnvironmentFile on macOS This test writes sample data to a temporary file and then tries to parse it. In #34177 we disallowed reading the environment file from a symlink, but the Go utilities we use to create temp files end up using symlinks on macOS. Fix this by breaking out the core functionality such that it only requires an io.Reader instead of an os.File. * Use consistent language in log output Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Feb 15, 2024
* Fix TestReadEnvironmentFile on macOS This test writes sample data to a temporary file and then tries to parse it. In #34177 we disallowed reading the environment file from a symlink, but the Go utilities we use to create temp files end up using symlinks on macOS. Fix this by breaking out the core functionality such that it only requires an io.Reader instead of an os.File. * Use consistent language in log output Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR fixes https://github.com/gravitational/teleport-private/issues/1056 by filtering potentially dangerous environment variables that could result in code execution.
This seemed safest to integrate as a new struct within the
environment.goin utils. This struct allows us to validate variables as they are built, making sure that regardless of the source we have validated them against our filter list.The environment specific logic was significant enough that the current and new logic was refactored into a new package
envutils.changelog: A
mediumseverity security fix now prevents LD_PRELOAD and other dangerous environment variables from being forwarded during re-exec