Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [che-dev] adding environment variables support to Builder.class

Hi,

The only issue that I see in the example that you provided is as following :

 

In order for the system that runs che to become vulnerable, that system must run a builder implementation that reads that user sent variable "ZZZ" and execute its value in a shell.

The issue with this is that an application executing user input without validation is a bad security practice on its own , regardless of what I'm trying to achieve .

 

I'm not going to provide such a builder implementation and I think we shouldn’t merge such a builder implementation in to che.

Regarding your question " How builder implementation can prevent such security vulnerability?"

 

I have 2 solutions for that problem :

1.       Never execute user input directly as is in the builder.

2.       And if you must (for some reason), use a "white list.

 

 

Anyhow, in my case the builder I'm implementing will read the input, from the request, based on the input will execute some logic and save the result in the env variables for the command to use. .

The builder itself will not use the input as is directly .

Hence I don’t see the issue .

 

One additional point to mention is that if someone wants to implement a builder that harm the system it running on , he doesn’t need my pull request to do it.

He can just execute in the builder any of the request options (  "options": "Map[string,string]"  )  passed in by the request from the user .

Eventually it comes down to the builder implementation to enforce the security .

 

BR

Dany.

 

 

 

 

From: che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx] On Behalf Of Alexander Garagatyi
Sent: Thursday 18 June 2015 12:49
To: che developer discussions
Subject: Re: [che-dev] adding environment variables support to Builder.class

 

We can consider such functionality for builder, but I'm concerned about security of that solution.

Example:  

Build tool for project is set in such way that it's read env variables and send it over network.

Than user sends build request with such env variable ZZZ=$(find  ~/.ssh/ -type f | xargs cat)

 

How builder implementation can prevent such security vulnerability?

 

Implementations like docker won't be vulnerable for that, but what about not isolated environments?

 

On Thu, Jun 18, 2015 at 10:32 AM, Shapiro, Dany <dany.shapiro@xxxxxxx> wrote:

Hi,

Yes , the idea is to pass some environment variables in Build request. When the request object will be received in the builder implementation ( in createCommandLine as part of configuration )   the implementation of a specific builder will update the configuration object after some transformations .

Eventuality the  processBuilder will be updated from configuration, provided the builder implementation updated the configuration , if not than the flow will be as before .

 

Thanks

Dany.

 

From: che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx] On Behalf Of Alexander Garagatyi
Sent: Wednesday 17 June 2015 15:25


To: che developer discussions
Subject: Re: [che-dev] adding environment variables support to Builder.class

 

Hi,

Does you description mean that you want set environment variables on builder send by the client of the BuiderService?

 

On Wed, Jun 17, 2015 at 11:49 AM, Shapiro, Dany <dany.shapiro@xxxxxxx> wrote:

Hi,

Following the comments on Github  ,I add new Commit

 

https://github.com/codenvy/che-core/pull/115

 

Please review and merge if accepted.

 

Thanks,

-Dany.

 

 

 

From: che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx] On Behalf Of Shapiro, Dany
Sent: Sunday 14 June 2015 14:38
To: che developer discussions
Subject: Re: [che-dev] adding environment variables support to Builder.class

 

Hi,

Following my previous email, below you can find the a pull request.

 

https://github.com/codenvy/che-core/pull/115

 

Please review and merge if accepted.

 

Thanks,

-Dany.

 

 

From: che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx] On Behalf Of Shapiro, Dany
Sent: Thursday 11 June 2015 15:36
To: che-dev@xxxxxxxxxxx
Subject: [che-dev] adding environment variables support to Builder.class

 

Hi,

We, here at SAP are developing Che Builder that should be able to execute build requests while the execution relies on environment variables.

i.e. the commands that are going to be executed by the builder read some information from the  environment variables.

Hence the environment variables should be updated before the build execution dynamically for every build.

 

Following current implementation the information could be passed to the builder using the BuildRequest, but as I see it, update of the environment variables before the build execution is missing.

So I'm proposing  to add  the following method to the Builder.class

 

public Map<String, String> getEnvironmentVariables (){

                return new HashMap<String, String>();

}

 

Any implementing builder class can override this method , by default it will be empty .

so that in Line 440 in Builder.class ,the code could be changed to the following :

 

ProcessBuilder processBuilder = new ProcessBuilder().command(commandLine.toShellCommand()).directory(

                            configuration.getWorkDir()).redirectErrorStream(true);

 

Map<String, String> env = processBuilder.environment();

env. putAll(getEnvironmentVariables());

 

Process process = processBuilder.start();

 

 

 

This way the command executed by the builder will be able to use the environment variables passed in to the builder using the BuildRequest.

Do you agree on this solution? Please provide any insights or suggestion,  I will prepare a pull request shortly.

 

Thanks

 

Best Regards,

Dany Shapiro.

DI Cloud Exp DevX | SaaS Extensions &  Ecosystem Team | SAP Labs Israel | 15 Hatidhar st. | Raanana 43665, Israel

T +972-(0)9-777-5201

SAP_logo_small

 

 


_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/che-dev



 

--

 http://blog.codenvy.com/wp-content/uploads/2014/10/Email2.jpg | Alexander Garagatyi | Developer | Codenvy.com 


_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/che-dev



 

--

  | Alexander Garagatyi | Developer | Codenvy.com 

Back to the top