Skip to content
This repository has been archived by the owner on Nov 15, 2023. It is now read-only.

PVF worker: Prevent access to env vars #7330

Merged
merged 5 commits into from
Aug 21, 2023

Conversation

mrcnski
Copy link
Contributor

@mrcnski mrcnski commented Jun 4, 2023

Removes any env vars accessible from the spawned worker process.

TODO

Related

Closes #7326.

@mrcnski mrcnski added A0-please_review Pull request needs code review. B0-silent Changes should not be mentioned in any release notes C1-low PR touches the given topic and has a low impact on builders. D3-trivial 🧸 PR contains trivial changes in a runtime directory that do not require an audit. T4-parachains_engineering This PR/Issue is related to Parachains performance, stability, maintenance. labels Jun 4, 2023
@mrcnski mrcnski self-assigned this Jun 4, 2023
Comment on lines 104 to 107
// Delete env vars to prevent malicious code from accessing them.
for (key, _) in std::env::vars() {
std::env::remove_var(key);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should just not inherit any env variables when starting the worker: https://doc.rust-lang.org/std/process/struct.Command.html#method.env_clear

(But we should still forward RUST_LOG)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, I didn't think of RUST_LOG. There's still an env var present with this method:

Jun 04 16:34:24.259  WARN parachain::pvf-prepare-worker: Unexpected env var found. key="__CF_USER_TEXT_ENCODING"

Not a blocker, just weird. Your method is still better.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm I don't know what that env var is but maybe we should still clear it on the child-side as it can be a source of randomness for attackers. 🤷‍♂️

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

__CF_USER_TEXT_ENCODING this is some macos env variable, not sure why it still appears..

@mrcnski
Copy link
Contributor Author

mrcnski commented Jun 4, 2023 via email

Clearing env vars with the `std::process::Command` API didn't get everything on
Mac, namely `__CF_USER_TEXT_ENCODING` was still present. While we don't support
Mac itself as a secure system, the same issue could exist on some Linux systems
either now or in the future. So it is better to just clear it on the child-side
and not worry about it. We may not use the `Command` API in the future, anyway:
https://github.com/paritytech/polkadot/issues/4721
@mrcnski mrcnski requested a review from bkchr August 6, 2023 14:54
@mrcnski mrcnski requested a review from alindima August 8, 2023 09:04
@mrcnski mrcnski merged commit 903cef2 into master Aug 21, 2023
6 checks passed
@mrcnski mrcnski deleted the mrcnski/pvf-worker-prevent-access-to-env-vars branch August 21, 2023 13:18
@@ -128,6 +128,16 @@ pub fn worker_event_loop<F, Fut>(
}
}

// Delete all env vars to prevent malicious code from accessing them.
for (key, _) in std::env::vars() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for (key, _) in std::env::vars() {
for (key, _) in std::env::vars_os() {

It should be safer to use vars_os iterator as vars may panic on invalid UTF8.

// TODO: *theoretically* the value (or mere presence) of `RUST_LOG` can be a source of
// randomness for malicious code. In the future we can remove it also and log in the host;
// see <https://github.com/paritytech/polkadot/issues/7117>.
if key != "RUST_LOG" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If key would be OsStr then this comparision should also be adjusted.

// see <https://github.com/paritytech/polkadot/issues/7117>.
if key != "RUST_LOG" {
std::env::remove_var(key);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more thing: should we remove PATH or maybe it is better to set it to some standard value?

mrcnski added a commit that referenced this pull request Aug 21, 2023
- Fixes possible panic due to non-UTF-8 env vars
  (#7330 (comment))
- Very small refactor of some duplicated code
paritytech-processbot bot pushed a commit that referenced this pull request Aug 21, 2023
* PVF worker: random fixes

- Fixes possible panic due to non-UTF-8 env vars
  (#7330 (comment))
- Very small refactor of some duplicated code

* Don't need `to_str()` for comparison between OsString and str

* Check edge cases that can cause env::remove_var to panic

In case of a key or value that would cause env::remove_var to panic, we first
log a warning and then proceed to attempt to remove the env var.

* Make warning message clearer for end users

* Backslash was unescaped, but can just remove it from error messages
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
A0-please_review Pull request needs code review. B0-silent Changes should not be mentioned in any release notes C1-low PR touches the given topic and has a low impact on builders. D3-trivial 🧸 PR contains trivial changes in a runtime directory that do not require an audit. T4-parachains_engineering This PR/Issue is related to Parachains performance, stability, maintenance.
Projects
No open projects
Development

Successfully merging this pull request may close these issues.

PVF worker: restrict access to env vars
5 participants