Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Miscellaneous builder hardening #16

Open
wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Miscellaneous builder hardening #16

wants to merge 16 commits into from

Conversation

DemiMarie
Copy link
Contributor

qubes-builder-github is exposed to untrusted input from the network, so harden it a bit more.

Not tested because I am not really sure how to test this.

marmarek
marmarek requested changes Apr 3, 2022
View reviewed changes
rpc-services/qubesbuilder.TriggerBuild Outdated Show resolved Hide resolved
lib/functions.sh Outdated Show resolved Hide resolved
lib/functions.sh Outdated Show resolved Hide resolved
rpc-services/qubesbuilder.ProcessGithubCommand Show resolved Hide resolved
DemiMarie added 6 commits May 5, 2022 18:50
@DemiMarie
Strip carriage returns in the webhook
4c524e2 
This avoids having to do so in the qrexec service.
@DemiMarie
webhook: check that comment body is string
f444db4 
Avoids any potential nasties.
@DemiMarie
Limit the amount of data passed to awk
fb6af02 
Lots of exploits involve passing huge amounts of data, so impose an
arbitrary limit of 4096 bytes.
@DemiMarie
Set -o pipefail in qubesbuilder.ProcessGithubCommand
fe9d3de 
Makes errors more likely to be caught.
@DemiMarie
Note that qrexec already validates arguments
e5fca07 
Service arguments are validated by qrexec, so they can only contain a
small subset of characters.  As it happens, the only character the shell
script winds up rejecting is '.'.  The rest would have been mangled by
qrexec already.
@DemiMarie
Add check for bad characters
960829e 
They make no sense here, and they can confuse shell scripts.
@DemiMarie DemiMarie requested a review from marmarek May 5, 2022 23:01
DemiMarie added 10 commits May 5, 2022 20:21
@DemiMarie
Limit command lines to 256 bytes
97d3fff 
There is no reason for them to be longer than this.  Admittedly, this
number is arbitrary.
@DemiMarie
Restrict command to 1 line
6630b7a 
All qrexec-builder commands are 1 line.
@DemiMarie
Exit after -----END PGP SIGNATURE-----
09a7f01 
Nothing more should follow this.
@DemiMarie
Strip trailing newline in awk
358924b 
instead of using head(1) and a temporary file.
@DemiMarie
Validate command character sets
4a4f740 
Bad characters in commands could potentially confuse shell scripts, so
reject them.
@DemiMarie
Add single quotes for eval
9e505d7 
Should be a no-op because the grep command already only produces decent
characters.
@DemiMarie
Set shebang line to bash
bd90a42 
Needed for -o pipefail
@DemiMarie
Avoid stripping carriage returns in service
d478900 
They are stripped out by the webhook now.
@DemiMarie
webhook: skip everything before the signed part
b751594 
This allows the qrexec service to be stricter, parsing-wise.
@DemiMarie
Disable awk field splitting
01383a6 
Pointless attack surface
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marmarek marmarek Awaiting requested review from marmarek

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@DemiMarie @marmarek