security: add CT executeTemplate to default function_denylist (#24541)
This PR adds Consul Template's executeTemplate function to the denylist by
default, in order to prevent accidental or malicious infinitely recursive
execution.

---------

Co-authored-by: Tim Gross <[email protected]>
pkazmierczak and tgross authored Nov 22, 2024
1 parent 368241d commit f7a4ded
Showing 5 changed files with 20 additions and 9 deletions.
3 changes: 3 additions & 0 deletions .changelog/24541.txt
@@ -0,0 +1,3 @@
```release-note:security
security: add executeTemplate to default template function_denylist
```
2 changes: 1 addition & 1 deletion client/config/config.go
@@ -73,7 +73,7 @@ var (

DefaultTemplateMaxStale = 87600 * time.Hour

DefaultTemplateFunctionDenylist = []string{"plugin", "writeToFile"}
DefaultTemplateFunctionDenylist = []string{"executeTemplate", "plugin", "writeToFile"}
)

// RPCHandler can be provided to the Client if there is a local server
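Review bot: the new `"executeTemplate"` entry in `DefaultTemplateFunctionDenylist` carries no comment explaining why it is denied, unlike the rationale given in the commit message; since this slice is a security default, a short per-entry comment (for example `// executeTemplate: prevents unbounded recursive rendering`) would let a reader of config.go understand the decision without digging through history. It is also worth confirming, and stating in the upgrade notes, whether operators who already set `function_denylist` explicitly in their client configuration pick up the new entry, because a default only takes effect when the option is unset.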
2 changes: 1 addition & 1 deletion command/agent/config_test.go
@@ -1535,7 +1535,7 @@ func TestConfig_LoadConsulTemplateConfig(t *testing.T) {
agentConfig = defaultConfig.Merge(agentConfig)

templateConfig := agentConfig.Client.TemplateConfig
must.Len(t, 2, templateConfig.FunctionDenylist)
must.Len(t, 3, templateConfig.FunctionDenylist)
})

t.Run("client config with basic template", func(t *testing.T) {
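Review bot: `must.Len(t, 3, templateConfig.FunctionDenylist)` only pins the count, so a later change that dropped `executeTemplate` and added some other name would still pass; asserting the expected contents instead, for example `must.Eq(t, []string{"executeTemplate", "plugin", "writeToFile"}, templateConfig.FunctionDenylist)`, would make the test enforce both the merge result and the exact set of denied functions.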
6 changes: 4 additions & 2 deletions website/content/docs/job-specification/template.mdx
@@ -791,8 +791,10 @@ options](/nomad/docs/configuration/client#options):

- `function_denylist` `([]string: ["plugin"])` - Specifies a list of template
rendering functions that should be disallowed in job specs. By default, the
`plugin` function is disallowed as it allows running arbitrary commands on
the host as root (unless Nomad is configured to run as a non-root user).
`plugin` function is disallowed as it allows running arbitrary commands on the
host as root (unless Nomad is configured to run as a non-root user),
`executeTemplate` is disallowed to prevent accidental or malicious infinitely
recursive execution, and `writeToFile` is disallowed.

- `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary
files on the client host via the `file` function. By default, templates can
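Review bot: the option header at the top of this hunk still reads `function_denylist` `([]string: ["plugin"])`, which no longer matches the default set in client/config/config.go (`executeTemplate`, `plugin`, `writeToFile`); update the default shown in the header so the documentation and the code agree. The rewritten sentence also chains three cases into one run-on; giving the `executeTemplate` and `writeToFile` cases their own sentences would read more clearly.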
16 changes: 11 additions & 5 deletions website/content/docs/upgrade/upgrade-specific.mdx
@@ -15,11 +15,17 @@ used to document those details separately from the standard upgrade flow.

## Nomad 1.9.4

In Nomad 1.9.4, the [default client env deny
list](/nomad/docs/configuration/client#env-denylist) includes additional
environment variables to improve security. Users who need some of these secure
environment variables passed to their tasks should consult the list and
overwrite it in the configuration.
#### Security updates to default deny lists

In Nomad 1.9.4, the default `function_denylist` includes `executeTemplate`, as
a measure to prevent accidental or malicious infinitely recursive execution.
Users that require `executeTemplate` should update their
[configuration](/nomad/docs/job-specification/template#function_denylist).

Additionally, the [default client env deny
list](/nomad/docs/configuration/client#env-denylist) includes more environment
variables. Users who need some of these secure environment variables passed to
their tasks should consult the list and overwrite it in the configuration.

## Nomad 1.9.3
