-
Notifications
You must be signed in to change notification settings - Fork 1.6k
PVF worker: Prevent access to env vars #7330
PVF worker: Prevent access to env vars #7330
Conversation
node/core/pvf/common/src/worker.rs
Outdated
// Delete env vars to prevent malicious code from accessing them. | ||
for (key, _) in std::env::vars() { | ||
std::env::remove_var(key); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should just not inherit any env variables when starting the worker: https://doc.rust-lang.org/std/process/struct.Command.html#method.env_clear
(But we should still forward RUST_LOG
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, I didn't think of RUST_LOG
. There's still an env var present with this method:
Jun 04 16:34:24.259 WARN parachain::pvf-prepare-worker: Unexpected env var found. key="__CF_USER_TEXT_ENCODING"
Not a blocker, just weird. Your method is still better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm I don't know what that env var is but maybe we should still clear it on the child-side as it can be a source of randomness for attackers. 🤷♂️
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
__CF_USER_TEXT_ENCODING
this is some macos env variable, not sure why it still appears..
I think it's required:Mac: What's ~/.CFUserTextEncoding for?superuser.comI don't know, I would clear the env vars child-side to make sure we get everything. Sent from my iPhoneOn 4 Jun 2023, at 17:00, Bastian Köcher ***@***.***> wrote:
@bkchr commented on this pull request.
In node/core/pvf/common/src/worker.rs:
+ // Delete env vars to prevent malicious code from accessing them.
+ for (key, _) in std::env::vars() {
+ std::env::remove_var(key);
+ }
…__CF_USER_TEXT_ENCODING this is some macos env variable, not sure why it still appears..
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were assigned.Message ID: ***@***.***>
|
Clearing env vars with the `std::process::Command` API didn't get everything on Mac, namely `__CF_USER_TEXT_ENCODING` was still present. While we don't support Mac itself as a secure system, the same issue could exist on some Linux systems either now or in the future. So it is better to just clear it on the child-side and not worry about it. We may not use the `Command` API in the future, anyway: https://github.com/paritytech/polkadot/issues/4721
@@ -128,6 +128,16 @@ pub fn worker_event_loop<F, Fut>( | |||
} | |||
} | |||
|
|||
// Delete all env vars to prevent malicious code from accessing them. | |||
for (key, _) in std::env::vars() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for (key, _) in std::env::vars() { | |
for (key, _) in std::env::vars_os() { |
It should be safer to use vars_os
iterator as vars
may panic on invalid UTF8.
// TODO: *theoretically* the value (or mere presence) of `RUST_LOG` can be a source of | ||
// randomness for malicious code. In the future we can remove it also and log in the host; | ||
// see <https://github.com/paritytech/polkadot/issues/7117>. | ||
if key != "RUST_LOG" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If key
would be OsStr
then this comparision should also be adjusted.
// see <https://github.com/paritytech/polkadot/issues/7117>. | ||
if key != "RUST_LOG" { | ||
std::env::remove_var(key); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more thing: should we remove PATH
or maybe it is better to set it to some standard value?
- Fixes possible panic due to non-UTF-8 env vars (#7330 (comment)) - Very small refactor of some duplicated code
* PVF worker: random fixes - Fixes possible panic due to non-UTF-8 env vars (#7330 (comment)) - Very small refactor of some duplicated code * Don't need `to_str()` for comparison between OsString and str * Check edge cases that can cause env::remove_var to panic In case of a key or value that would cause env::remove_var to panic, we first log a warning and then proceed to attempt to remove the env var. * Make warning message clearer for end users * Backslash was unescaped, but can just remove it from error messages
Removes any env vars accessible from the spawned worker process.
TODO
Related
Closes #7326.