fix: Security hardening follow-ups and 0.3.0 changelog by nfebe · Pull Request #145 · flatrun/agent · GitHub
Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions CHANGELOG.md
21 changes: 15 additions & 6 deletions internal/api/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"encoding/json"
"fmt"
"log"
"math/big"
"net/http"
"os"
"os/exec"
Expand Down Expand Up @@ -4115,23 +4116,31 @@ func generateSecretValue(spec TemplateEnvSecret) (string, error) {
if n <= 0 {
n = 32
}
buf := make([]byte, n)
if _, err := cryptoRand.Read(buf); err != nil {
return "", err
}

var value string
switch spec.Encoding {
case "hex":
buf := make([]byte, n)
if _, err := cryptoRand.Read(buf); err != nil {
return "", err
}
value = hex.EncodeToString(buf)
case "alphanumeric":
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
out := make([]byte, n)
for i, b := range buf {
out[i] = charset[int(b)%len(charset)]
for i := range out {
idx, err := cryptoRand.Int(cryptoRand.Reader, big.NewInt(int64(len(charset))))
if err != nil {
return "", err
}
out[i] = charset[idx.Int64()]
}
value = string(out)
default:
buf := make([]byte, n)
if _, err := cryptoRand.Read(buf); err != nil {
return "", err
}
value = base64.StdEncoding.EncodeToString(buf)
}

Expand Down
8 changes: 5 additions & 3 deletions internal/docker/discovery.go
Original file line number Diff line number Diff line change
Expand Up @@ -399,9 +399,9 @@ func (d *Discovery) ApplyMountOwnership(deploymentPath string, mounts []MountOwn
}
}

if info, err := os.Stat(base); err == nil && !info.IsDir() {
if info, err := os.Lstat(base); err == nil && !info.IsDir() {
if m.User != "" {
if err := os.Chown(base, uid, gid); err != nil {
if err := os.Lchown(base, uid, gid); err != nil {
return fmt.Errorf("chown %s: %w", base, err)
}
}
Expand All @@ -426,7 +426,9 @@ func (d *Discovery) ApplyMountOwnership(deploymentPath string, mounts []MountOwn
if walkErr != nil {
return walkErr
}
return os.Chown(path, uid, gid)
// Runs as root over container-written content: following a
// planted symlink would chown an arbitrary host file.
return os.Lchown(path, uid, gid)
})
if err != nil {
return fmt.Errorf("chown %s: %w", base, err)
Expand Down
29 changes: 29 additions & 0 deletions internal/docker/discovery_test.go
Loading