From ff318432f3ebc9d6a197ce481fc874112a1f7000 Mon Sep 17 00:00:00 2001
From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com>
Date: Fri, 22 Nov 2024 17:54:25 +0100
Subject: [PATCH 1/4] security: add CT executeTemplate to default function_denylist
---
client/config/config.go | 2 +-
website/content/docs/job-specification/template.mdx | 6 ++++--
website/content/docs/upgrade/upgrade-specific.mdx | 7 +++++++
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/client/config/config.go b/client/config/config.go
index 89bb0a0a956..4571cc4da12 100644
--- a/client/config/config.go
+++ b/client/config/config.go
@@ -73,7 +73,7 @@ var (
 DefaultTemplateMaxStale = 87600 * time.Hour
- DefaultTemplateFunctionDenylist = []string{"plugin", "writeToFile"}
+ DefaultTemplateFunctionDenylist = []string{"executeTemplate", "plugin", "writeToFile"}
 )
 // RPCHandler can be provided to the Client if there is a local server
diff --git a/website/content/docs/job-specification/template.mdx b/website/content/docs/job-specification/template.mdx
index 2866a74ec43..7ab366fa232 100644
--- a/website/content/docs/job-specification/template.mdx
+++ b/website/content/docs/job-specification/template.mdx
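Review bot: `DefaultTemplateFunctionDenylist` now carries three entries denied for three different reasons, but the declaration has no doc comment and the rationale lives only in the website docs; a comment such as `// DefaultTemplateFunctionDenylist lists the consul-template functions job templates may not call unless a client overrides function_denylist: plugin (arbitrary commands on the host), executeTemplate (unbounded recursive rendering), writeToFile.` keeps it next to the code. The template.mdx hunk in this same patch still states the default as `([]string: ["plugin"])`, which now disagrees with this line. Operators who already set `function_denylist` explicitly presumably keep their own list and do not pick up `executeTemplate`; the upgrade note could say so. The enclosing `var (` block starts outside the hunk.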
@@ -791,8 +791,10 @@ options](/nomad/docs/configuration/client#options): - `function_denylist` `([]string: ["plugin"])` - Specifies a list of template rendering functions that should be disallowed in job specs. By default, the - `plugin` function is disallowed as it allows running arbitrary commands on - the host as root (unless Nomad is configured to run as a non-root user). + `plugin` function is disallowed as it allows running arbitrary commands on the + host as root (unless Nomad is configured to run as a non-root user), + `executeTemplate` is disallowed to prevent accidental or malicious infinitely + recursive execution, and `writeToFile` is disallowed. - `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary files on the client host via the `file` function. By default, templates can diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx index 296aefdc0f5..6975f91b2b6 100644 --- a/website/content/docs/upgrade/upgrade-specific.mdx +++ b/website/content/docs/upgrade/upgrade-specific.mdx @@ -13,6 +13,13 @@ upgrade. However, specific versions of Nomad may have more details provided for their upgrades as a result of new features or changed behavior. This page is used to document those details separately from the standard upgrade flow. +## Nomad 1.9.4 + +In Nomad 1.9.4, the default `function_denylist` includes `executeTemplate`, as +a measure to prevent accidental or malicious infinitely recursive execution. +Users that require `executeTemplate` should update their +[configuration](/nomad/docs/job-specification/template#function_denylist). + ## Nomad 1.9.3 In Nomad 1.9.3, the mechanism used for calculating when objects are eligible From 8a2ef52e850cf0d27aa3e6adc907dcb451f8a923 Mon Sep 17 00:00:00 2001 
From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com>
Date: Fri, 22 Nov 2024 17:57:52 +0100
Subject: [PATCH 2/4] cl
---
.changelog/24541.txt | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 .changelog/24541.txt
diff --git a/.changelog/24541.txt b/.changelog/24541.txt
new file mode 100644
index 00000000000..a031c4c06c7
--- /dev/null
+++ b/.changelog/24541.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: add CT executeTemplate to default function_denylist
+```
From 0ddcf2ba91529210d22e359dde4292575db843c5 Mon Sep 17 00:00:00 2001
From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com>
Date: Fri, 22 Nov 2024 18:16:13 +0100
Subject: [PATCH 3/4] updated unit test
---
command/agent/config_test.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/command/agent/config_test.go b/command/agent/config_test.go
index 9debdc3a369..4eac3eacf8d 100644
--- a/command/agent/config_test.go
+++ b/command/agent/config_test.go
@@ -1535,7 +1535,7 @@ func TestConfig_LoadConsulTemplateConfig(t *testing.T) {
 agentConfig = defaultConfig.Merge(agentConfig)
 templateConfig := agentConfig.Client.TemplateConfig
- must.Len(t, 2, templateConfig.FunctionDenylist)
+ must.Len(t, 3, templateConfig.FunctionDenylist)
 })
 t.Run("client config with basic template", func(t *testing.T) {
From 92a39d57d82970568e36e8cd7d434f7dd2722d4b Mon Sep 17 00:00:00 2001
From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com>
Date: Fri, 22 Nov 2024 18:58:58 +0100
Subject: [PATCH 4/4] Update .changelog/24541.txt
Co-authored-by: Tim Gross
---
.changelog/24541.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.changelog/24541.txt b/.changelog/24541.txt
index a031c4c06c7..9fc46153e7d 100644
--- a/.changelog/24541.txt
+++ b/.changelog/24541.txt
@@ -1,3 +1,3 @@
 ```release-note:security
-security: add CT executeTemplate to default function_denylist
+security: add executeTemplate to default template function_denylist
 ```
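Review bot: `must.Len(t, 3, templateConfig.FunctionDenylist)` only pins the count, so a regression that dropped `executeTemplate` while adding some other entry would still pass. Asserting the contents, `must.Eq(t, []string{"executeTemplate", "plugin", "writeToFile"}, templateConfig.FunctionDenylist)`, ties the test to what the security fix actually guarantees. `TestConfig_LoadConsulTemplateConfig` starts and continues outside the hunk.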