Impact
When using --experimental_remote_downloader, Bazel delegates downloading external
repositories to a remote server implementing the remote assets API. When doing
so, Bazel sends the user-provided credentials for the downloads as a qualifier to
the remote service. It sends all credentials Bazel knows about, not just the
credentials for the URLs it asks the remote server to download.
Sending any credentials to the remote server is already questionable and
inefficient (as the qualifier is used as part of the cache key remotely), but
Bazel should definitely not send credentials for unrelated domains.
Here's a test that demonstrates the behavior:
https://cs.opensource.google/bazel/bazel/+/master:src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java;l=345;drc=b750f8c0242d7fcb581d368d8b75e59c51c13a61
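To make the scoping defect concrete, here is an added Python model of the two behaviours (the pre-fix "send everything" qualifier beside a host-scoped one) plus a check a defender can run over a captured request's qualifiers. This is not Bazel's own code (Bazel is Java); the qualifier name and JSON layout are modelled on Bazel's but should be treated as assumptions, and the credential map and fetch URL are constructed samples.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: auth headers a Bazel client might hold for several hosts
# (e.g. from ~/.netrc or a credential helper), keyed by URL like Bazel's map.
KNOWN_AUTH_HEADERS = {
    "https://github.com/": {"Authorization": ["Bearer TOKEN-FOR-GITHUB"]},
    "https://artifactory.corp.example/": {"Authorization": ["Basic ZGV2OnNlY3JldA=="]},
    "https://mirror.example/": {"Authorization": ["Bearer TOKEN-FOR-MIRROR"]},
}

AUTH_QUALIFIER = "bazel.auth_headers"  # assumed qualifier name, modelled on Bazel's


def _host(url):
    return urlsplit(url).hostname


def qualifiers_pre_fix(urls, auth_headers):
    """Behaviour the advisory describes: every known credential is serialised
    into the qualifier, regardless of which URLs are being fetched. Because the
    qualifier is part of the remote cache key, unrelated secrets also end up there."""
    return {AUTH_QUALIFIER: json.dumps(auth_headers, sort_keys=True)}


def qualifiers_scoped(urls, auth_headers):
    """Fixed behaviour: keep only entries whose host matches a requested URL,
    and send no auth qualifier at all when nothing matches."""
    wanted = {_host(u) for u in urls}
    scoped = {u: h for u, h in auth_headers.items() if _host(u) in wanted}
    return {AUTH_QUALIFIER: json.dumps(scoped, sort_keys=True)} if scoped else {}


def leaked_hosts(qualifiers, urls):
    """Defender's check for a captured FetchBlobRequest: hosts whose credentials
    were sent although no requested URL points at them."""
    raw = qualifiers.get(AUTH_QUALIFIER)
    if raw is None:
        return set()
    sent = {_host(u) for u in json.loads(raw)}
    return sent - {_host(u) for u in urls}


if __name__ == "__main__":
    fetch = ["https://github.com/bazelbuild/rules_go/archive/v0.35.0.zip"]  # constructed
    print("pre-fix leak:", leaked_hosts(qualifiers_pre_fix(fetch, KNOWN_AUTH_HEADERS), fetch))
    print("scoped leak: ", leaked_hosts(qualifiers_scoped(fetch, KNOWN_AUTH_HEADERS), fetch))
```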
Patches
Has the problem been patched? What versions should users upgrade to?
Upgrade your Bazel version to at least 4.2.3 for 4.x, 5.3.2 for 5.x, or any 6.x+ version.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Only use a trusted remote downloader server and avoid giving Bazel unrelated credentials.