Filter environment variables passed to ProcessCapture to increase security #5973
Comments
The topic has been discussed in the ORT Community Meeting on 2022-10-20 with the following outcome:
Resolves oss-review-toolkit#5973. Signed-off-by: Oliver Heger <[email protected]>
#5984 proposes a solution for this problem. I would like to get some feedback about the default list of allowed variables. There is no guarantee that it is complete. But I think the main issue here is that users have to update their configuration to allow the variables they need, for instance credentials for package managers.
The approach of listing all allowed variables used by the various tools is hardly practicable. In a first (and incomplete) attempt to compile such a list, I came up with more than 300 variables. This list would also have to be maintained and adapted to changes in the supported tools. So, while this may be the most secure approach, I doubt that it is feasible. Therefore, I would suggest an alternative approach: ORT could define some patterns for variables it excludes by default, e.g. ".PASS.", ".USER.", ".*_KEY". The user could then configure a list of variables that match a pattern, but should be nevertheless included.
This is a good idea.
This is an idea how to reduce a security risk when running ORT, for which I would like to get some feedback:
Especially when running the Analyzer, external logic in build scripts is executed which could do potentially harmful things. One attack vector could be reading sensitive information from environment variables, such as database credentials or credentials to other services provided to the ORT process.
At least when external processes are created via the ProcessCapture class, this risk could be mitigated by filtering the map with environment variables passed to the new process. Since the variables are specific to a concrete runtime environment, probably a configurable filter mechanism is required. For instance, users could define inclusion and/or exclusion filters in the ORT configuration file that are applied when constructing the environment. This would support use cases such as including only variables starting with a specific prefix (which are explicitly intended to be used by external tools) or removing variables with "postgres" in their name which are specific to the database. This is of course not bullet-proof, but would be an improvement in this area.