Merge branch 'main' into f-executeTemplate-denylist

hashicorp · Nov 22, 2024 · 70d6c22 · 70d6c22
2 parents 92a39d5 + 368241d
commit 70d6c22
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 6 deletions.
diff --git a/.changelog/24540.txt b/.changelog/24540.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: Added more host environment variables to the default deny list for tasks
+```
diff --git a/command/agent/host/host.go b/command/agent/host/host.go
@@ -96,12 +96,16 @@ func environment() map[string]string {
 // Update https://developer.hashicorp.com/nomad/docs/configuration/client#env-denylist
 // whenever this is changed.
 var DefaultEnvDenyList = []string{
-	"CONSUL_TOKEN",
-	"CONSUL_HTTP_TOKEN",
-	"VAULT_TOKEN",
-	"NOMAD_LICENSE",
-	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
-	"GOOGLE_APPLICATION_CREDENTIALS",
+	// product tokens
+	"CONSUL_TOKEN", "CONSUL_HTTP_TOKEN", "CONSUL_HTTP_TOKEN_FILE", "NOMAD_TOKEN", "VAULT_TOKEN",
+	// licenses
+	"CONSUL_LICENSE", "NOMAD_LICENSE", "VAULT_LICENSE",
+	// license paths
+	"CONSUL_LICENSE_PATH", "NOMAD_LICENSE_PATH", "VAULT_LICENSE_PATH",
+	// AWS sensitive variables
+	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "AWS_METADATA_URL",
+	// GCP sensitive variables
+	"GOOGLE_APPLICATION_CREDENTIALS", "GOOGLE_OAUTH_ACCESS_TOKEN",
 }
 
 // makeEnvRedactSet creates a set of well known environment variables that should be

diff --git a/command/agent/host/host_test.go b/command/agent/host/host_test.go
@@ -25,6 +25,8 @@ func TestMakeHostData(t *testing.T) {
 	t.Setenv("BOGUS_TOKEN", "foo")
 	t.Setenv("BOGUS_SECRET", "foo")
 	t.Setenv("ryanSECRETS", "foo")
+	t.Setenv("CONSUL_LICENSE_PATH", "foo")
+	t.Setenv("AWS_ACCESS_KEY_ID", "foo")
 
 	host, err := MakeHostData()
 	must.NoError(t, err)
@@ -38,4 +40,6 @@ func TestMakeHostData(t *testing.T) {
 	must.Eq(t, "<redacted>", host.Environment["BOGUS_TOKEN"])
 	must.Eq(t, "<redacted>", host.Environment["BOGUS_SECRET"])
 	must.Eq(t, "<redacted>", host.Environment["ryanSECRETS"])
+	must.Eq(t, "<redacted>", host.Environment["CONSUL_LICENSE_PATH"])
+	must.Eq(t, "<redacted>", host.Environment["AWS_ACCESS_KEY_ID"])
 }
diff --git a/website/content/docs/configuration/client.mdx b/website/content/docs/configuration/client.mdx
@@ -304,12 +304,21 @@ see the [drivers documentation](/nomad/docs/drivers).
   ```text
   CONSUL_TOKEN
   CONSUL_HTTP_TOKEN
+  CONSUL_HTTP_TOKEN_FILE
+  NOMAD_TOKEN
   VAULT_TOKEN
+  CONSUL_LICENSE
   NOMAD_LICENSE
+  VAULT_LICENSE
+  CONSUL_LICENSE_PATH
+  NOMAD_LICENSE_PATH
+  VAULT_LICENSE_PATH
   AWS_ACCESS_KEY_ID
   AWS_SECRET_ACCESS_KEY
   AWS_SESSION_TOKEN
+  AWS_METADATA_URL
   GOOGLE_APPLICATION_CREDENTIALS
+  GOOGLE_OAUTH_ACCESS_TOKEN
   ```
 
 - `"user.denylist"` `(string: see below)` - Specifies a comma-separated

diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -15,11 +15,18 @@ used to document those details separately from the standard upgrade flow.
 
 ## Nomad 1.9.4
 
+#### Security updates to default deny lists
+
 In Nomad 1.9.4, the default `function_denylist` includes `executeTemplate`, as
 a measure to prevent accidental or malicious infinitely recursive execution.
 Users that require `executeTemplate` should update their
 [configuration](/nomad/docs/job-specification/template#function_denylist).
 
+Additionally, the [default client env deny
+list](/nomad/docs/configuration/client#env-denylist) includes more environment
+variables. Users who need some of these secure environment variables passed to
+their tasks should consult the list and overwrite it in the configuration.
+
 ## Nomad 1.9.3
 
 In Nomad 1.9.3, the mechanism used for calculating when objects are eligible