Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security review: ensure ownership of build and launch caches #2224

Closed
1 task done
natalieparellano opened this issue Apr 23, 2024 · 1 comment · Fixed by buildpacks/pack-private#48
Closed
1 task done

Security review: ensure ownership of build and launch caches #2224

natalieparellano opened this issue Apr 23, 2024 · 1 comment · Fixed by buildpacks/pack-private#48
Assignees
@natalieparellano

Comments

@natalieparellano
Copy link
Member

natalieparellano commented Apr 23, 2024
edited
Loading

Description

In the security review, this is HIGH-2: Cache poisoning by accessing other applications caches. The action plan asks us to ensure that

Buildpacks binaries have to ensure that the build and launch caches belong to the application which is being built before processing them or restrict their usage by modifying the needed permissions

Proposed solution

  • pack should expect a PACK_VOLUME_KEY environment variable containing a secret key, and when computing build and launch cache volume names, should take this key into account.
  • When an application is first built, pack should generate a volume key for the application name and save it in ~/.pack/volume-keys.toml or similar.
  • If PACK_VOLUME_KEY is unset, pack should source it from ~/.pack/volume-keys.toml (this avoids the need for application developers to keep track of this variable).
  • PACK_VOLUME_KEY should be overridden when pack is running in CI (we could warn if this env var is unset and we detect that pack is running in a container as this effectively disables caching).
  • We could recommend that platform operators use a repository secret for PACK_VOLUME_KEY.

Describe alternatives you've considered

We considered using a secret key combined with authentication codes stored in the cache root, but this is a heavier approach.

Additional context

  • This feature should be documented somewhere
@natalieparellano natalieparellano self-assigned this May 24, 2024
@natalieparellano
Copy link
Member Author

I'll work on this one :)

@natalieparellano natalieparellano mentioned this issue Jun 27, 2024
Merged
@natalieparellano natalieparellano transferred this issue from buildpacks/pack-private Jul 17, 2024
@natalieparellano natalieparellano mentioned this issue Jul 17, 2024
Closed
1 task
copybara-service bot pushed a commit to GoogleCloudPlatform/buildpacks that referenced this issue Dec 3, 2024
@matthewrobertson @copybara-github
Updates to support newer pack versions in acceptance tests
2bce09c 
In buildpacks/pack#2224 pack started adding random seeds to the volume cache names which breaks our cache acceptance tests. This updates the acceptance tests to manually configure the volume name for each test to prevent addition of random seed.

PiperOrigin-RevId: 702207226
Change-Id: I3c8702588d24a96be03175a9a4fd8075b49670dc
copybara-service bot pushed a commit to GoogleCloudPlatform/buildpacks that referenced this issue Dec 4, 2024
@nishi1401 @copybara-github
Updates to support newer pack versions in acceptance tests
da1e0b1 
In buildpacks/pack#2224 pack started adding random seeds to the volume cache names which breaks our cache acceptance tests. This updates the acceptance tests to manually configure the volume name for each test to prevent addition of random seed.

PiperOrigin-RevId: 702590872
Change-Id: Ida6d828e79f6dba52b5edf3c5cd548e41084a7a5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@natalieparellano natalieparellano

Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@natalieparellano