Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ensure spawning of child processes are not susceptible to prototype pollution #49605

Closed
watson opened this issue Oct 29, 2019 · 2 comments · Fixed by #55697
Closed

Ensure spawning of child processes are not susceptible to prototype pollution #49605

watson opened this issue Oct 29, 2019 · 2 comments · Fixed by #55697
Assignees
Labels
Feature:Hardening Harding of Kibana from a security perspective Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@watson
Copy link
Contributor

watson commented Oct 29, 2019

While there's currently no known prototype pollution gadget in Kibana, if one is found, it might be possible to perform RCE via the child processes being spawned.

Therefore, it's prudent that we harden this attack vector before someone finds a way to utilize it.

We can mitigate this our selves inside of Kibana by ensuring that the arguments passed to the spawn function (and friends) are properly sanitized, eg:

const options = Object.create(null)
options.env = Object.assign(Object.create(null), process.env)
spawn(command, options)

Preferably we should also fix this in Node.js core, so it's harder to fall victim to this sort of attack. I've created a PR to deal with this in Node.js core: nodejs/node#30008

See also the related Node.js core PR to harden process.env in general: nodejs/node#30063

@watson watson added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Hardening Harding of Kibana from a security perspective labels Oct 29, 2019
@watson watson self-assigned this Oct 29, 2019
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@kobelb
Copy link
Contributor

kobelb commented Dec 3, 2019

I previously looked into using eslint to restrict usages of child_process.exec because:

Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution.

However, in my brief exploration I was unable to find a way to restrict this method specifically. We can lint for any code which relies on child_process itself, or any method named exec, but not child_process.exec.

I haven't had the chance to see whether using https://github.com/typescript-eslint/typescript-eslint, which I believe replaces the deprecated tslint project, would allow us to do so.

Otherwise, I feel like we're stuck either monkey-patching away the problematic functions and throwing errors, or blocking modules entirely and requiring the use of our "safe" versions... I don't like any of these options :)

watson added a commit to watson/kibana that referenced this issue Mar 9, 2020
Add general protection against RCE vulnerabilities similar to the one
described in CVE-2019-7609.

Closes elastic#49605
watson added a commit that referenced this issue Mar 10, 2020
Add general protection against RCE vulnerabilities similar to the one
described in CVE-2019-7609.

Closes #49605
watson added a commit that referenced this issue Mar 10, 2020
Add general protection against RCE vulnerabilities similar to the one
described in CVE-2019-7609.

Closes #49605
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:Hardening Harding of Kibana from a security perspective Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants