Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

loader: Avoid reading UNC paths by default #6933

Merged
merged 1 commit into from
Aug 16, 2024
Merged

loader: Avoid reading UNC paths by default #6933

merged 1 commit into from
Aug 16, 2024

Conversation

ashutosh-narkar
Copy link
Member

@ashutosh-narkar ashutosh-narkar commented Aug 15, 2024
edited
Loading

If a UNC path is provided to OPA it won't read it
and instead return an error. This applies to paths
to load bundles and individual data/policy files.

One reason behind blocking UNC paths is they could
trigger a NTLMv2 hash leak. For example, if a SMB share
is provided, OPA will attempt to open it triggering LLMNR
queries which contain the client's NTLMv2 hash which can be cracked
using some tools. This could be exploited by a malicious user.

srenatus
srenatus reviewed Aug 15, 2024
View reviewed changes
Copy link
Contributor

@srenatus srenatus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this. What do you think, can't we just not handle UNC paths, without an escape hatch? 🤔

loader/loader_test.go Outdated

for _, tc := range cases {
t.Run(tc.input, func(t *testing.T) {
os.Unsetenv(readUNCPathEnv)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nit] let's use t.Setenv

loader/loader.go Outdated
@@ -29,6 +29,8 @@ import (
"github.com/open-policy-agent/opa/util"
)

const readUNCPathEnv = "READ_UNC_PATH"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not a huge fan of shadow config via env vars 😅 But if we have to do it, let's prefix this with OPA_

@ashutosh-narkar ashutosh-narkar marked this pull request as ready for review August 16, 2024 18:52
srenatus
srenatus previously approved these changes Aug 16, 2024
View reviewed changes
loader/loader.go Outdated

func checkForUNCPath(path string) error {
if isUNC(path) {
return fmt.Errorf("UNC path read is not allowed")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nit] errors.New("...") or fmt.Errorf("UNC path read is not allowed: %s", path)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated.

@ashutosh-narkar
loader: Block reading of UNC paths
e672ba0 
If a UNC path is provided to OPA it won't read it
and instead return an error. This applies to paths
to load bundles and individual data/policy files.

One reason behind blocking UNC paths is they could
trigger a NTLMv2 hash leak. For example, if a SMB share
is provided, OPA will attempt to open it triggering LLMNR
queries which contain the client's NTLMv2 hash which can be cracked
using some tools. This could be exploited by a malicious user.

Signed-off-by: Ashutosh Narkar <[email protected]>
@ashutosh-narkar ashutosh-narkar merged commit 10f4d55 into open-policy-agent:main Aug 16, 2024
28 checks passed
@andrewegel andrewegel mentioned this pull request Oct 14, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@srenatus srenatus srenatus left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ashutosh-narkar @srenatus