From 359a71861ef044cb5d749a36ff0e44b172c8f1a6 Mon Sep 17 00:00:00 2001
From: hc-github-team-nomad-core <82989552+hc-github-team-nomad-core@users.noreply.github.com>
Date: Mon, 16 Dec 2024 21:54:48 +0000
Subject: [PATCH] Backport of sec: fix alloc workload identity namespace permission into release/1.9.x (#24685)
Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
---
 .changelog/24683.txt | 3 +++
 command/agent/node_endpoint.go | 1 +
 nomad/alloc_endpoint.go | 3 ++-
 nomad/structs/structs.go | 17 +++++++++++++++++
 4 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/24683.txt
diff --git a/.changelog/24683.txt b/.changelog/24683.txt
new file mode 100644
index 00000000000..af07d6a99da
--- /dev/null
+++ b/.changelog/24683.txt
@@ -0,0 +1,3 @@
+```release-note:security
+api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies.
+```
diff --git a/command/agent/node_endpoint.go b/command/agent/node_endpoint.go
index dc91a235784..2f6838aa088 100644
--- a/command/agent/node_endpoint.go
+++ b/command/agent/node_endpoint.go
@@ -105,6 +105,7 @@ func (s *HTTPServer) nodeAllocations(resp http.ResponseWriter, req *http.Request
 out.Allocs = make([]*structs.Allocation, 0)
 }
 for _, alloc := range out.Allocs {
+ alloc = alloc.Sanitize()
 alloc.SetEventDisplayMessages()
 }
 return out.Allocs, nil
diff --git a/nomad/alloc_endpoint.go b/nomad/alloc_endpoint.go
index 0afbacb3228..9e8678eb174 100644
--- a/nomad/alloc_endpoint.go
+++ b/nomad/alloc_endpoint.go
@@ -172,8 +172,9 @@ func (a *Alloc) GetAlloc(args *structs.AllocSpecificRequest,
 }
 // Setup the output
- reply.Alloc = out
 if out != nil {
+ out = out.Sanitize()
+ reply.Alloc = out
 // Re-check namespace in case it differs from request.
 if !aclObj.AllowClientOp() && !allowNsOp(aclObj, out.Namespace) {
 return structs.NewErrUnknownAllocation(args.AllocID)
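Review bot: The added `alloc = alloc.Sanitize()` only rebinds the range variable, so whenever Sanitize returns a fresh copy (the SignedIdentities != nil case, per the structs.go hunk in this patch) the element in out.Allocs still points at the unsanitized allocation and `return out.Allocs, nil` hands the signed identities back to the caller; SetEventDisplayMessages also lands on the discarded copy in that case. Write the result back into the slice: `for i, alloc := range out.Allocs {` / `out.Allocs[i] = alloc.Sanitize()` / `out.Allocs[i].SetEventDisplayMessages()`. A handler test that sets SignedIdentities on an input alloc and asserts the field is nil on the returned slice would have caught this and would guard the fix. nodeAllocations starts outside the hunk.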
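Review bot: The new `reply.Alloc = out` is assigned before the namespace re-check on the following lines, so on the `NewErrUnknownAllocation` error path the reply struct already holds an allocation the token was not allowed to read; the removed line had the same ordering, but since this hunk exists to stop identity leakage it would be cleaner to assign only after the check passes, moving `reply.Alloc = out` below the `if !aclObj.AllowClientOp() && !allowNsOp(aclObj, out.Namespace) { ... }` block so nothing depends on the RPC layer discarding replies on error. The `out = out.Sanitize()` line also deserves a why-comment, e.g. `// strip SignedIdentities before the alloc leaves the server (see .changelog/24683.txt)`, so the call is not removed as redundant later. GetAlloc continues outside the hunk.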
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
index c832fab0a82..b3f0e8e4ac2 100644
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@@ -11199,6 +11199,23 @@ func (a *Allocation) GetID() string {
 return a.ID
 }
+// Sanitize returns a copy of the allocation with the SignedIdentities field
+// removed. This is useful for returning allocations to clients where the
+// SignedIdentities field is not needed.
+func (a *Allocation) Sanitize() *Allocation {
+ if a == nil {
+ return nil
+ }
+
+ if a.SignedIdentities == nil {
+ return a
+ }
+
+ clean := a.Copy()
+ clean.SignedIdentities = nil
+ return clean
+
+}
+
+// GetNamespace implements the NamespaceGetter interface, required for
 // pagination and filtering namespaces in endpoints that support glob namespace
 // requests using tokens with limited access.
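Review bot: The doc comment on Sanitize undersells its purpose — "where the SignedIdentities field is not needed" reads as an optimisation, while the changelog entry in this same patch describes the field as a privilege-escalation vector, so a later maintainer could reasonably drop a call site. Suggest replacing the first two sentences with `// Sanitize returns a copy of the allocation with SignedIdentities cleared.` / `// Signed workload identity tokens must not be returned to API callers; every` / `// path that serializes an Allocation to a client should go through this.`. It is also worth one sentence noting the aliasing asymmetry: when SignedIdentities is nil the receiver itself is returned, otherwise the result of a.Copy(), so callers that mutate the result (node_endpoint.go in this patch calls SetEventDisplayMessages on it) touch the original in one case and a copy in the other — likely harmless, but not obvious from the signature.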