Backport of security: add CT executeTemplate to default function_denylist into release/1.9.x #24544

Merged
3 changes: 3 additions & 0 deletions .changelog/24541.txt
@@ -0,0 +1,3 @@
```release-note:security
security: add executeTemplate to default template function_denylist
```
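Review bot: the release note states what changed but not what operators have to do about it. Because `function_denylist` is a default that an explicit client-config setting replaces wholesale, consider adding one sentence that operators who already set the list themselves must add `executeTemplate` to it, and that jobs relying on `executeTemplate` must be opted back in by removing it from the list.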
2 changes: 1 addition & 1 deletion client/config/config.go
@@ -73,7 +73,7 @@ var (

DefaultTemplateMaxStale = 87600 * time.Hour

DefaultTemplateFunctionDenylist = []string{"plugin", "writeToFile"}
DefaultTemplateFunctionDenylist = []string{"executeTemplate", "plugin", "writeToFile"}
)

// RPCHandler can be provided to the Client if there is a local server
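Review bot: nothing in this file records why the three functions are denied; a short comment above `DefaultTemplateFunctionDenylist` stating that `executeTemplate` is denied to stop accidental or malicious unbounded recursion and `plugin` because it runs arbitrary host commands (the reasons the docs hunk gives) would save the next reader a trip through git blame. Keeping the slice in alphabetical order as done here is good.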
2 changes: 1 addition & 1 deletion command/agent/config_test.go
@@ -1535,7 +1535,7 @@ func TestConfig_LoadConsulTemplateConfig(t *testing.T) {
agentConfig = defaultConfig.Merge(agentConfig)

templateConfig := agentConfig.Client.TemplateConfig
must.Len(t, 2, templateConfig.FunctionDenylist)
must.Len(t, 3, templateConfig.FunctionDenylist)
})

t.Run("client config with basic template", func(t *testing.T) {
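Review bot: bumping `must.Len(t, 2, ...)` to `must.Len(t, 3, ...)` only checks the count, so a regression that replaced `executeTemplate` with some other entry would still pass. Asserting the exact contents, e.g. `must.Eq(t, []string{"executeTemplate", "plugin", "writeToFile"}, templateConfig.FunctionDenylist)`, pins the security-relevant default and makes the intent of the test obvious.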
6 changes: 4 additions & 2 deletions website/content/docs/job-specification/template.mdx
@@ -791,8 +791,10 @@ options](/nomad/docs/configuration/client#options):

- `function_denylist` `([]string: ["plugin"])` - Specifies a list of template
rendering functions that should be disallowed in job specs. By default, the
`plugin` function is disallowed as it allows running arbitrary commands on
the host as root (unless Nomad is configured to run as a non-root user).
`plugin` function is disallowed as it allows running arbitrary commands on the
host as root (unless Nomad is configured to run as a non-root user),
`executeTemplate` is disallowed to prevent accidental or malicious infinitely
recursive execution, and `writeToFile` is disallowed.

- `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary
files on the client host via the `file` function. By default, templates can
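Review bot: the option signature on the unchanged first line of this hunk still reads `([]string: ["plugin"])` while the new prose says three functions are denied by default; update it to `([]string: ["executeTemplate", "plugin", "writeToFile"])` so the two do not contradict each other. The sentence also ends with `and writeToFile is disallowed.` without giving a reason, unlike the other two entries; a short clause on why would keep the list consistent.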
16 changes: 11 additions & 5 deletions website/content/docs/upgrade/upgrade-specific.mdx
@@ -15,11 +15,17 @@ used to document those details separately from the standard upgrade flow.

## Nomad 1.9.4

In Nomad 1.9.4, the [default client env deny
list](/nomad/docs/configuration/client#env-denylist) includes additional
environment variables to improve security. Users who need some of these secure
environment variables passed to their tasks should consult the list and
overwrite it in the configuration.
#### Security updates to default deny lists

In Nomad 1.9.4, the default `function_denylist` includes `executeTemplate`, as
a measure to prevent accidental or malicious infinitely recursive execution.
Users that require `executeTemplate` should update their
[configuration](/nomad/docs/job-specification/template#function_denylist).

Additionally, the [default client env deny
list](/nomad/docs/configuration/client#env-denylist) includes more environment
variables. Users who need some of these secure environment variables passed to
their tasks should consult the list and overwrite it in the configuration.

## Nomad 1.9.3
