-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Harden creation of child processes (#55697)
Add general protection against RCE vulnerabilities similar to the one described in CVE-2019-7609. Closes #49605
- Loading branch information
Showing
12 changed files
with
809 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
/* | ||
* Licensed to Elasticsearch B.V. under one or more contributor | ||
* license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright | ||
* ownership. Elasticsearch B.V. licenses this file to you under | ||
* the Apache License, Version 2.0 (the "License"); you may | ||
* not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
|
||
var execFileSync = require('child_process').execFileSync; | ||
var path = require('path'); | ||
var syncGlob = require('glob').sync; | ||
var program = require('commander'); | ||
|
||
program | ||
.name('node scripts/test_hardening.js') | ||
.arguments('[file...]') | ||
.description( | ||
'Run the tests in test/harden directory. If no files are provided, all files within the directory will be run.' | ||
) | ||
.action(function(globs) { | ||
if (globs.length === 0) globs.push(path.join('test', 'harden', '*')); | ||
globs.forEach(function(glob) { | ||
syncGlob(glob).forEach(function(filename) { | ||
if (path.basename(filename)[0] === '_') return; | ||
console.log(process.argv[0], filename); | ||
execFileSync(process.argv[0], [filename], { stdio: 'inherit' }); | ||
}); | ||
}); | ||
}) | ||
.parse(process.argv); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
/* | ||
* Licensed to Elasticsearch B.V. under one or more contributor | ||
* license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright | ||
* ownership. Elasticsearch B.V. licenses this file to you under | ||
* the Apache License, Version 2.0 (the "License"); you may | ||
* not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
|
||
var hook = require('require-in-the-middle'); | ||
|
||
hook(['child_process'], function(exports, name) { | ||
return require(`./patches/${name}`)(exports); // eslint-disable-line import/no-dynamic-require | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
/* | ||
* Licensed to Elasticsearch B.V. under one or more contributor | ||
* license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright | ||
* ownership. Elasticsearch B.V. licenses this file to you under | ||
* the Apache License, Version 2.0 (the "License"); you may | ||
* not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
|
||
// Ensure, when spawning a new child process, that the `options` and the | ||
// `options.env` object passed to the child process function doesn't inherit | ||
// from `Object.prototype`. This protects against similar RCE vulnerabilities | ||
// as described in CVE-2019-7609 | ||
module.exports = function(cp) { | ||
// The `exec` function is currently just a wrapper around `execFile`. So for | ||
// now there's no need to patch it. If this changes in the future, our tests | ||
// will fail and we can uncomment the line below. | ||
// | ||
// cp.exec = new Proxy(cp.exec, { apply: patchOptions() }); | ||
|
||
cp.execFile = new Proxy(cp.execFile, { apply: patchOptions(true) }); | ||
cp.fork = new Proxy(cp.fork, { apply: patchOptions(true) }); | ||
cp.spawn = new Proxy(cp.spawn, { apply: patchOptions(true) }); | ||
cp.execFileSync = new Proxy(cp.execFileSync, { apply: patchOptions(true) }); | ||
cp.execSync = new Proxy(cp.execSync, { apply: patchOptions() }); | ||
cp.spawnSync = new Proxy(cp.spawnSync, { apply: patchOptions(true) }); | ||
|
||
return cp; | ||
}; | ||
|
||
function patchOptions(hasArgs) { | ||
return function apply(target, thisArg, args) { | ||
var pos = 1; | ||
if (pos === args.length) { | ||
// fn(arg1) | ||
args[pos] = prototypelessSpawnOpts(); | ||
} else if (pos < args.length) { | ||
if (hasArgs && (Array.isArray(args[pos]) || args[pos] == null)) { | ||
// fn(arg1, args, ...) | ||
pos++; | ||
} | ||
|
||
if (typeof args[pos] === 'object' && args[pos] !== null) { | ||
// fn(arg1, {}, ...) | ||
// fn(arg1, args, {}, ...) | ||
args[pos] = prototypelessSpawnOpts(args[pos]); | ||
} else if (args[pos] == null) { | ||
// fn(arg1, null/undefined, ...) | ||
// fn(arg1, args, null/undefined, ...) | ||
args[pos] = prototypelessSpawnOpts(); | ||
} else if (typeof args[pos] === 'function') { | ||
// fn(arg1, callback) | ||
// fn(arg1, args, callback) | ||
args.splice(pos, 0, prototypelessSpawnOpts()); | ||
} | ||
} | ||
|
||
return target.apply(thisArg, args); | ||
}; | ||
} | ||
|
||
function prototypelessSpawnOpts(obj) { | ||
var prototypelessObj = Object.assign(Object.create(null), obj); | ||
prototypelessObj.env = Object.assign(Object.create(null), prototypelessObj.env || process.env); | ||
return prototypelessObj; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
#!/usr/bin/env sh | ||
|
||
echo $POLLUTED$custom |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
/* | ||
* Licensed to Elasticsearch B.V. under one or more contributor | ||
* license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright | ||
* ownership. Elasticsearch B.V. licenses this file to you under | ||
* the Apache License, Version 2.0 (the "License"); you may | ||
* not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
|
||
console.log(`${process.env.POLLUTED || ''}${process.env.custom || ''}`); |
Oops, something went wrong.