Skip to content

add input validation and path traversal protections #26241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: NMD-760-nomad-secrets-block
Choose a base branch
from
Open

add input validation and path traversal protections #26241

wants to merge 3 commits into from

Conversation

mismithhisler
Copy link
Member

@mismithhisler mismithhisler commented Jul 9, 2025
edited
Loading

Description

Adds OpenRoot for accessing rendered template, and user input validation so users cannot inject template functions into secret block parameters.

Testing & Reproduction steps

Links

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
    and job configuration, please update the Nomad website documentation to reflect this. Refer to
    the website README for docs guidelines. Please also consider whether the
    change requires notes within the upgrade guide.

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations. The main exceptions are long-lived feature branches or merges where
    history should be preserved.
  • Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
    within the public repository.

@mismithhisler mismithhisler self-assigned this Jul 9, 2025
mismithhisler
mismithhisler commented Jul 9, 2025
View reviewed changes
client/allocrunner/taskrunner/secrets/nomad_provider.go
@@ -59,22 +62,38 @@ func (n *NomadProvider) BuildTemplate() *structs.Template {

return &structs.Template{
EmbeddedTmpl: data,
DestPath: n.tmplPath,
DestPath: filepath.Join(n.secretDir, n.tmplFile),
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not excited about doing multiple filepath.Join()'s but it's nice having the directory and filename separate for os.OpenInRoot. We could store this on the struct but that also feels like unnecessary duplication.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could clean up some path traversals here:

Suggested change
DestPath: filepath.Join(n.secretDir, n.tmplFile),
DestPath: filepath.Clean(filepath.Join(n.secretDir, n.tmplFile)),

@mismithhisler mismithhisler marked this pull request as ready for review July 9, 2025 20:14
@mismithhisler mismithhisler requested review from a team as code owners July 9, 2025 20:14
tgross
tgross reviewed Jul 9, 2025
View reviewed changes
@jrasell jrasell requested a review from dduzgun-security July 10, 2025 07:08
jrasell
jrasell approved these changes Jul 10, 2025
View reviewed changes
Copy link
Member

@jrasell jrasell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

I added Deniz for review, to see if he had any thoughts. Also, I'm not sure we need it, but we could also validate the namespace using our existing regex for namespace upsert if we felt it would be useful.

dduzgun-security
dduzgun-security reviewed Jul 10, 2025
View reviewed changes
Copy link
Collaborator

@dduzgun-security dduzgun-security left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for looking into it and very cool use of os.Root 🙌 Small recommendation about filepath.Clean() but the rest LGTM

client/allocrunner/taskrunner/secrets/nomad_provider.go
@@ -59,22 +62,38 @@ func (n *NomadProvider) BuildTemplate() *structs.Template {

return &structs.Template{
EmbeddedTmpl: data,
DestPath: n.tmplPath,
DestPath: filepath.Join(n.secretDir, n.tmplFile),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could clean up some path traversals here:

Suggested change
DestPath: filepath.Join(n.secretDir, n.tmplFile),
DestPath: filepath.Clean(filepath.Join(n.secretDir, n.tmplFile)),

client/allocrunner/taskrunner/secrets/vault_provider.go
@@ -69,22 +73,26 @@ func (v *VaultProvider) BuildTemplate() *structs.Template {

return &structs.Template{
EmbeddedTmpl: data,
DestPath: v.tmplPath,
DestPath: filepath.Join(v.secretDir, v.tmplFile),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
DestPath: filepath.Join(v.secretDir, v.tmplFile),
DestPath: filepath.Clean(filepath.Join(v.secretDir, v.tmplFile)),

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tgross tgross tgross left review comments

@dduzgun-security dduzgun-security dduzgun-security left review comments

@jrasell jrasell jrasell approved these changes

@pkazmierczak pkazmierczak Awaiting requested review from pkazmierczak

Assignees

@mismithhisler mismithhisler

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mismithhisler @tgross @jrasell @dduzgun-security