Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

run container as non root user #33

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

run container as non root user #33

wants to merge 3 commits into from

Conversation

rwaffen
Copy link
Member

@rwaffen rwaffen commented Aug 2, 2024

No description provided.

@rwaffen rwaffen marked this pull request as ready for review August 2, 2024 13:07
@rwaffen rwaffen requested a review from a team as a code owner August 2, 2024 13:07
Copy link
Contributor

github-actions bot commented Aug 2, 2024

🔍 Vulnerabilities of /tmp/voxbox-7.32.1_9c6b714325f46a6825f7f75cba58487869b680cd.tar

📦 Image Reference /tmp/voxbox-7.32.1_9c6b714325f46a6825f7f75cba58487869b680cd.tar
digestsha256:85e2df67102ea16387af45df974bbf68148ff723f32f36dd633bcf9f8b88138a
vulnerabilitiescritical: 0 high: 3 medium: 7 low: 0
size158 MB
packages324
📦 Base Image ruby:2-alpine
also known as
  • 2-alpine3.16
  • 2.7-alpine
  • 2.7-alpine3.16
  • 2.7.8-alpine
  • 2.7.8-alpine3.16
digestsha256:45ca5ff1e098ddc85430bad09d433dfab4be9417477a5778568a7877408f1cd0
vulnerabilitiescritical: 2 high: 5 medium: 11 low: 1
critical: 0 high: 1 medium: 4 low: 0 rexml 3.2.3.1 (gem)

pkg:gem/[email protected]

high 7.5: CVE--2021--28965 Misinterpretation of Input

Affected range<3.2.5
Fixed version3.2.5
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score0.10%
EPSS Percentile43rd percentile
Description

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

medium 5.3: CVE--2024--41946 Uncontrolled Resource Consumption

Affected range<3.3.3
Fixed version3.3.3
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score0.04%
EPSS Percentile16th percentile
Description

Impact

The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.

If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.

Patches

The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with SAX2 or pull parser API.

References

medium 5.3: CVE--2024--41123 Uncontrolled Resource Consumption

Affected range<3.3.3
Fixed version3.3.3
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score0.04%
EPSS Percentile16th percentile
Description

Impact

The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

medium 5.3: CVE--2024--35176 Uncontrolled Resource Consumption

Affected range<3.2.7
Fixed version3.2.7
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score0.04%
EPSS Percentile16th percentile
Description

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you may be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

medium 4.3: CVE--2024--39908 Uncontrolled Resource Consumption

Affected range<3.3.2
Fixed version3.3.2
CVSS Score4.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
EPSS Score0.04%
EPSS Percentile9th percentile
Description

Impact

The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

critical: 0 high: 1 medium: 1 low: 0 bundler 2.1.4 (gem)

pkg:gem/[email protected]

high 8.8: CVE--2020--36327

Affected range>=1.16.0
<2.2.10
Fixed version2.2.10
CVSS Score8.8
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score0.97%
EPSS Percentile84th percentile
Description

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.

medium 6.7: CVE--2021--43809 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Affected range<2.2.33
Fixed version2.2.33
CVSS Score6.7
CVSS VectorCVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score0.12%
EPSS Percentile46th percentile
Description

In bundler versions before 2.2.33, when working with untrusted and apparently harmless Gemfile's, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the Gemfile itself. However, if the Gemfile includes gem entries that use the git option with invalid, but seemingly harmless, values with a leading dash, this can be false.

To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as git clone. These commands are being constructed using user input (e.g. the repository URL). When building the
commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (-) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables.

Since this value comes from the Gemfile file, it can contain any character, including a leading dash.

Exploitation

To exploit this vulnerability, an attacker has to craft a directory containing a Gemfile file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of -u./payload. This URL
will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as bundle lock, inside.

Impact

This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, as explained above, the exploitability is very low, because it requires a lot of user interaction. It still could put developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by manually reviewing the Gemfile (although they would need the weird URL with a leading dash to not raise any flags).

This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on.

Patches

Bundler 2.2.33 has patched this problem by inserting -- as an argument before any positional arguments to those Git commands that were affected by this issue.

Workarounds

Regardless of whether users can upgrade or not, they should review any untrustred Gemfile's before running any bundler commands that may read them, since they can contain arbitrary ruby code.

References

https://cwe.mitre.org/data/definitions/88.html

critical: 0 high: 1 medium: 0 low: 0 rdoc 6.2.1.1 (gem)

pkg:gem/[email protected]

high 7.0: CVE--2021--31799 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range>=3.11
<6.3.1
Fixed version6.3.1
CVSS Score7
CVSS VectorCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score0.06%
EPSS Percentile29th percentile
Description

In RDoc, as distributed with Ruby, it is possible to execute arbitrary code via | and tags in a filename.

critical: 0 high: 0 medium: 1 low: 0 uri 0.10.0.2 (gem)

pkg:gem/[email protected]

medium 5.3: CVE--2023--36617 Inefficient Regular Expression Complexity

Affected range<0.10.0.3
Fixed version0.10.3
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score0.15%
EPSS Percentile51st percentile
Description

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb.

NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

The Ruby advisory recommends updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:

  • For Ruby 3.0: Update to uri 0.10.3
  • For Ruby 3.1 and 3.2: Update to uri 0.12.2.

You can use gem update uri to update it. If you are using bundler, please add gem uri, >= 0.12.2 (or other version mentioned above) to your Gemfile.

critical: 0 high: 0 medium: 1 low: 0 curl 8.5.0-r0 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.16

medium : CVE--2024--0853

Affected range<8.6.0-r0
Fixed versionNot Fixed
EPSS Score0.06%
EPSS Percentile25th percentile
Description

@rwaffen
Copy link
Member Author

rwaffen commented Aug 2, 2024

hmm, damn, in my local tests this worked :(

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@rwaffen rwaffen enabled auto-merge August 9, 2024 10:47
docker run --user 1001 --rm -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile syntax
docker run --user 1001 --rm -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile spec
docker run --user 1001 --rm -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile r10k:syntax
docker run --user 1001 --rm -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile r10k:dependencies
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when we use the container locally, do we now have to set --user?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, you just can used it as always. at least on my mac it was working like this.
can you maybe test this on a non mac?

docker build -t voxbox-local .
cd path/to/puppet-example
docker run -it --rm -v $(pwd):/repo voxbox-local -f /Rakefile strings:validate:reference

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it could be, that one does need code like this in a compose file. but thats how this id done, afaik

    environment:
      - PUID=1001
      - PGID=1001

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

build output: https://gist.github.com/bastelfreak/4cc2e9febafd4f40cf4a0769ad3c9672

and the rake task fails:

$ docker run -it --rm -v $(pwd):/repo voxbox-local -f /Rakefile strings:validate:reference
/usr/local/bundle/gems/io-event-1.6.5/lib/io/event/support.rb:27: warning: IO::Buffer is experimental and both the Ruby and C interface may change in the future!
WARN: Unresolved or ambiguous specs during Gem::Specification.reset:
      racc (>= 0)
      Available/installed versions of this gem:
      - 1.8.1
      - 1.6.2
      minitest (>= 5.1, ~> 5.4)
      Available/installed versions of this gem:
      - 5.24.1
      - 5.16.3
      drb (>= 0)
      Available/installed versions of this gem:
      - 2.2.1
      - 2.1.1
      mutex_m (>= 0)
      Available/installed versions of this gem:
      - 0.2.0
      - 0.1.2
WARN: Clearing out unresolved specs. Try 'gem cleanup <gem>'
Please report a bug if this causes problems.
rake aborted!
Errno::EACCES: Permission denied @ dir_s_mkdir - .yardoc (Errno::EACCES)
/usr/local/bundle/gems/yard-0.9.36/lib/yard/core_ext/file.rb:59:in `open!'
/usr/local/bundle/gems/yard-0.9.36/lib/yard/serializers/yardoc_serializer.rb:55:in `lock_for_writing'
/usr/local/bundle/gems/yard-0.9.36/lib/yard/registry_store.rb:202:in `lock_for_writing'
/usr/local/bundle/gems/yard-0.9.36/lib/yard/registry.rb:210:in `lock_for_writing'
/usr/local/bundle/gems/yard-0.9.36/lib/yard/cli/yardoc.rb:258:in `run'
/usr/local/bundle/gems/yard-0.9.36/lib/yard/cli/command.rb:14:in `run'
/usr/local/bundle/gems/puppet-strings-4.1.2/lib/puppet-strings.rb:48:in `generate'
/usr/local/bundle/gems/puppet-strings-4.1.2/lib/puppet-strings/tasks/validate.rb:29:in `block (4 levels) in <top (required)>'
/usr/local/bundle/gems/puppet-strings-4.1.2/lib/puppet-strings/tasks/validate.rb:21:in `block (3 levels) in <top (required)>'
/usr/local/bundle/gems/rake-13.2.1/exe/rake:27:in `<top (required)>'
Tasks: TOP => strings:validate:reference
(See full trace by running task with --trace)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i cannot find how to prevent yard from creating this dir. also i read on the net, that it is common to run the container with --user? any opinions on this?

@@ -53,6 +57,12 @@ jobs:
RUBYGEM_OVERCOMMIT=${{ matrix.rubygem_overcommit }}
RUBYGEM_MODULESYNC=${{ matrix.rubygem_modulesync }}

- name: Upload voxbox-${{ matrix.rubygem_puppet }}_${{ github.sha }}.tar
uses: actions/upload-artifact@v4
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why does the step exist? so the other job can acccess the build artifact?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TLDR: yes

if you build a container in on job, you cannot use it in another, because the local registry gets cleaned. So im uploading it as an artifact and donwload it in the next again

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there's an artifact size limit we have per repo. I don't know if artifacts expire after X days or if we need to purge them. We should check that in some weeks.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

was thinking about this too, but then forgot 👍

@rwaffen rwaffen added the enhancement New feature or request label Aug 23, 2024
@rwaffen rwaffen marked this pull request as draft August 23, 2024 10:32
auto-merge was automatically disabled August 23, 2024 10:32

Pull request was converted to draft

- also update gha setup to reflect this change
- differentiate between build and test of the container

Signed-off-by: Robert Waffen <[email protected]>
Signed-off-by: Robert Waffen <[email protected]>
Dockerfile Outdated
@@ -73,5 +73,8 @@ RUN apk update \

WORKDIR /repo

RUN addgroup -S voxbox && adduser -S voxbox -G voxbox
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do those parameters do? Is there maybe a long version that we could use? I think that makes the whole Dockerfile easier to read.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nein! there are no long parameters in alpine. it may cost to much space! -S is for system

/ # addgroup --help
BusyBox v1.36.1 (2024-06-10 07:11:47 UTC) multi-call binary.

Usage: addgroup [-g GID] [-S] [USER] GROUP

Add a group or add a user to a group

	-g GID	Group id
	-S	Create a system group
/ # adduser --help
BusyBox v1.36.1 (2024-06-10 07:11:47 UTC) multi-call binary.

Usage: adduser [OPTIONS] USER [GROUP]

Create new user, or add USER to GROUP

	-h DIR		Home directory
	-g GECOS	GECOS field
	-s SHELL	Login shell
	-G GRP		Group
	-S		Create a system user
	-D		Don't assign a password
	-H		Don't create home directory
	-u UID		User id
	-k SKEL		Skeleton directory (/etc/skel)
/ #

Signed-off-by: Robert Waffen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
Status: No status
Development

Successfully merging this pull request may close these issues.

2 participants