From 9f076ae32a9ea4529b64fb339a02e4b84dfbab80 Mon Sep 17 00:00:00 2001
From: dduzgun-security
Date: Mon, 16 Dec 2024 16:00:37 -0500
Subject: [PATCH 1/4] sec: fix alloc workload identity namespace permission

---
 command/agent/node_endpoint.go | 1 +
 nomad/alloc_endpoint.go | 3 ++-
 nomad/structs/structs.go | 17 +++++++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/command/agent/node_endpoint.go b/command/agent/node_endpoint.go
index dc91a235784..2f6838aa088 100644
--- a/command/agent/node_endpoint.go
+++ b/command/agent/node_endpoint.go
@@ -105,6 +105,7 @@ func (s *HTTPServer) nodeAllocations(resp http.ResponseWriter, req *http.Request
 out.Allocs = make([]*structs.Allocation, 0)
 }
 for _, alloc := range out.Allocs {
+ alloc = alloc.Sanitize()
 alloc.SetEventDisplayMessages()
 }
 return out.Allocs, nil
diff --git a/nomad/alloc_endpoint.go b/nomad/alloc_endpoint.go
index 0afbacb3228..9e8678eb174 100644
--- a/nomad/alloc_endpoint.go
+++ b/nomad/alloc_endpoint.go
@@ -172,8 +172,9 @@ func (a *Alloc) GetAlloc(args *structs.AllocSpecificRequest,
 }
 
 // Setup the output
- reply.Alloc = out
 if out != nil {
+ out = out.Sanitize()
+ reply.Alloc = out
 // Re-check namespace in case it differs from request.
 if !aclObj.AllowClientOp() && !allowNsOp(aclObj, out.Namespace) {
 return structs.NewErrUnknownAllocation(args.AllocID)
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
index c832fab0a82..b3f0e8e4ac2 100644
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
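Review bot: The added `alloc = alloc.Sanitize()` only rebinds the range variable, so `out.Allocs` still holds the unsanitized allocations when `return out.Allocs, nil` runs, and `alloc.SetEventDisplayMessages()` is applied to the discarded copy whenever Sanitize actually made one; for this endpoint the redaction is a no-op. Write back through the index instead: `for i, alloc := range out.Allocs {` / `out.Allocs[i] = alloc.Sanitize()` / `out.Allocs[i].SetEventDisplayMessages()`. A test asserting that every returned allocation has a nil SignedIdentities would have caught this. nodeAllocations starts outside the hunk.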
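Review bot: Moving `reply.Alloc = out` inside the nil guard means a nil `out` now leaves `reply.Alloc` untouched rather than explicitly nil, which is equivalent only while `reply` arrives zero-valued; a short comment, or keeping the unconditional assignment ahead of the guard, would make that intent explicit. The sanitization is also applied only on this RPC path; other server or client paths that return `*structs.Allocation` to API callers are outside this patch and presumably need the same call — worth confirming before the release note claims the field is sanitized "in allocations" generally. GetAlloc's body starts and ends outside the hunk.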
@@ -11199,6 +11199,23 @@ func (a *Allocation) GetID() string {
 return a.ID
 }
 
+// Sanitize returns a copy of the allocation with the SignedIdentities field
+// removed. This is useful for returning allocations to clients where the
+// SignedIdentities field is not needed.
+func (a *Allocation) Sanitize() *Allocation {
+ if a == nil {
+ return nil
+ }
+
+ if a.SignedIdentities == nil {
+ return a
+ }
+
+ clean := a.Copy()
+ clean.SignedIdentities = nil
+ return clean
+}
+
 // GetNamespace implements the NamespaceGetter interface, required for
 // pagination and filtering namespaces in endpoints that support glob namespace
 // requests using tokens with limited access.
From 656d87020d7f718fe1185b69b36cb02f52e008bc Mon Sep 17 00:00:00 2001
From: dduzgun-security
Date: Mon, 16 Dec 2024 16:11:35 -0500
Subject: [PATCH 2/4] add changelog

---
 .changelog/24683.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/24683.txt

diff --git a/.changelog/24683.txt b/.changelog/24683.txt
new file mode 100644
index 00000000000..33d58645ebd
--- /dev/null
+++ b/.changelog/24683.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: sanitizing the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token associated with ACL policies.
+```
From 7663f5b638f212dfa03adbc1958d4d12501533cd Mon Sep 17 00:00:00 2001
From: dduzgun-security
Date: Mon, 16 Dec 2024 16:14:00 -0500
Subject: [PATCH 3/4] edit changelog

---
 .changelog/24683.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changelog/24683.txt b/.changelog/24683.txt
index 33d58645ebd..ca524959fcb 100644
--- a/.changelog/24683.txt
+++ b/.changelog/24683.txt
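Review bot: The doc comment on the new Sanitize undersells what the field is and hides a contract callers need: it says the field is "not needed" rather than that it carries signed workload identity tokens, and it does not say that when there is nothing to clear the receiver itself is returned, so the result must not be treated as a private copy. Suggested wording: `// Sanitize returns the allocation with SignedIdentities cleared. The field holds` / `// signed workload identity tokens, so every path that returns allocations to API` / `// clients must call it. When there is nothing to clear, a itself is returned, not a copy.` Whether the full `a.Copy()` is needed here or a shallow struct copy would do depends on Copy's depth, which is not visible in this hunk; worth a note either way since this runs per allocation on list-style responses.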
@@ -1,3 +1,3 @@
 ```release-note:security
-security: sanitizing the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token associated with ACL policies.
+security: sanitizing the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies.
 ```
From b26f6a5f2b7951867d6c9e53f0b0ea88ca1c3da4 Mon Sep 17 00:00:00 2001
From: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
Date: Mon, 16 Dec 2024 16:16:42 -0500
Subject: [PATCH 4/4] Update .changelog/24683.txt

Co-authored-by: Tim Gross
---
 .changelog/24683.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changelog/24683.txt b/.changelog/24683.txt
index ca524959fcb..af07d6a99da 100644
--- a/.changelog/24683.txt
+++ b/.changelog/24683.txt
@@ -1,3 +1,3 @@
 ```release-note:security
-security: sanitizing the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies.
+api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies.
 ```