From f7a4ded2c030aea287c30fe39b16fa502e988cde Mon Sep 17 00:00:00 2001
From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com>
Date: Fri, 22 Nov 2024 19:33:56 +0100
Subject: [PATCH] security: add CT executeTemplate to default function_denylist (#24541)
This PR adds Consul Template's executeTemplate function to the denylist by default, in order to prevent accidental or malicious infinitely recursive execution.
---------
Co-authored-by: Tim Gross
---
 .changelog/24541.txt | 3 +++
 client/config/config.go | 2 +-
 command/agent/config_test.go | 2 +-
 .../content/docs/job-specification/template.mdx | 6 ++++--
 .../content/docs/upgrade/upgrade-specific.mdx | 16 +++++++++++-----
 5 files changed, 20 insertions(+), 9 deletions(-)
 create mode 100644 .changelog/24541.txt
diff --git a/.changelog/24541.txt b/.changelog/24541.txt
new file mode 100644
index 00000000000..9fc46153e7d
--- /dev/null
+++ b/.changelog/24541.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: add executeTemplate to default template function_denylist
+```
diff --git a/client/config/config.go b/client/config/config.go
index 89bb0a0a956..4571cc4da12 100644
--- a/client/config/config.go
+++ b/client/config/config.go
@@ -73,7 +73,7 @@ var (
 	DefaultTemplateMaxStale = 87600 * time.Hour
-	DefaultTemplateFunctionDenylist = []string{"plugin", "writeToFile"}
+	DefaultTemplateFunctionDenylist = []string{"executeTemplate", "plugin", "writeToFile"}
 )
 // RPCHandler can be provided to the Client if there is a local server
diff --git a/command/agent/config_test.go b/command/agent/config_test.go
index 9debdc3a369..4eac3eacf8d 100644
--- a/command/agent/config_test.go
+++ b/command/agent/config_test.go
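Review bot: DefaultTemplateFunctionDenylist is an exported variable that still carries no doc comment after this change, while the neighbouring RPCHandler has one; the new entry is the natural place to record why each name is denied, e.g. `// DefaultTemplateFunctionDenylist is the default set of Consul Template functions that job templates may not call: executeTemplate (recursive rendering), plugin (arbitrary host commands) and writeToFile; operators can override it via function_denylist.` The job-specification docs touched in this same commit (template.mdx, first line of its hunk) still state the default as `([]string: ["plugin"])`, which now disagrees with this value and should read `([]string: ["executeTemplate", "plugin", "writeToFile"])`. The upgrade note implies that an operator-supplied function_denylist replaces rather than extends this default, so a pinned pre-1.9.4 list would keep executeTemplate callable; that merge behaviour is not visible in this hunk and is worth confirming. The enclosing var block starts before the hunk.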
@@ -1535,7 +1535,7 @@ func TestConfig_LoadConsulTemplateConfig(t *testing.T) {
 		agentConfig = defaultConfig.Merge(agentConfig)
 		templateConfig := agentConfig.Client.TemplateConfig
-		must.Len(t, 2, templateConfig.FunctionDenylist)
+		must.Len(t, 3, templateConfig.FunctionDenylist)
 	})
 	t.Run("client config with basic template", func(t *testing.T) {
diff --git a/website/content/docs/job-specification/template.mdx b/website/content/docs/job-specification/template.mdx
index 2866a74ec43..7ab366fa232 100644
--- a/website/content/docs/job-specification/template.mdx
+++ b/website/content/docs/job-specification/template.mdx
@@ -791,8 +791,10 @@ options](/nomad/docs/configuration/client#options):
 - `function_denylist` `([]string: ["plugin"])` - Specifies a list of template rendering functions that should be disallowed in job specs. By default, the
-  `plugin` function is disallowed as it allows running arbitrary commands on
-  the host as root (unless Nomad is configured to run as a non-root user).
+  `plugin` function is disallowed as it allows running arbitrary commands on the
+  host as root (unless Nomad is configured to run as a non-root user),
+  `executeTemplate` is disallowed to prevent accidental or malicious infinitely
+  recursive execution, and `writeToFile` is disallowed.
 - `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary files on the client host via the `file` function. By default, templates can
diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
index 1575cf8caa8..2734093f0be 100644
--- a/website/content/docs/upgrade/upgrade-specific.mdx
+++ b/website/content/docs/upgrade/upgrade-specific.mdx
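Review bot: The updated assertion in TestConfig_LoadConsulTemplateConfig still checks only the length of FunctionDenylist, so a default that dropped `executeTemplate` while adding some other name would pass unnoticed; since the purpose of the change is that this specific function is denied, pin the contents, e.g. `must.Eq(t, []string{"executeTemplate", "plugin", "writeToFile"}, templateConfig.FunctionDenylist)`, or a contains-style check if Merge does not guarantee order. The test function starts before this hunk.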
@@ -15,11 +15,17 @@ used to document those details separately from the standard upgrade flow.
 ## Nomad 1.9.4
-In Nomad 1.9.4, the [default client env deny
-list](/nomad/docs/configuration/client#env-denylist) includes additional
-environment variables to improve security. Users who need some of these secure
-environment variables passed to their tasks should consult the list and
-overwrite it in the configuration.
+#### Security updates to default deny lists
+
+In Nomad 1.9.4, the default `function_denylist` includes `executeTemplate`, as
+a measure to prevent accidental or malicious infinitely recursive execution.
+Users that require `executeTemplate` should update their
+[configuration](/nomad/docs/job-specification/template#function_denylist).
+
+Additionally, the [default client env deny
+list](/nomad/docs/configuration/client#env-denylist) includes more environment
+variables. Users who need some of these secure environment variables passed to
+their tasks should consult the list and overwrite it in the configuration.
 ## Nomad 1.9.3