Harden creation of child processes #55697
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
watson
added
v8.0.0
release_note:skip
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
jportner
reviewed
Jan 27, 2020
There was a problem hiding this comment.
I still want to play around with this, but some initial feedback:
- This hardening is pretty important, can we add some unit tests to verify it's working as intended? This will also help with maintainability for others who may not be well-versed in this topic.
- What do you think about updating the Codeowners file to tag the Security team as a joint co-owner of the
src/setup_node_envdirectory?
|
Okay, I tested this out and it looks great so far! Two more questions:
require('../src/setup_node_env');
const { create, ObjectPrototype } = require('object-prototype');
const obj1 = process.env;
const obj2 = {};
console.log(Object.prototype.isPrototypeOf(obj1)); // expected: false, actual: true
console.log(ObjectPrototype.isPrototypeOf(obj1)); // expected: true, actual: false
console.log(Object.prototype.isPrototypeOf(obj2)); // expected: true, actual: true
console.log(ObjectPrototype.isPrototypeOf(obj2)); // expected: false, actual: false
Object.prototype.foo = 42;
console.log(obj1.foo); // expected: undefined, actual: 42
console.log(obj2.foo); // expected: 42, actual: 42 |
|
@jportner Good catch! I found the bug and pushed a fix. This just shows the importance of tests, so as you suggested, I'll add some and push again. |
|
@elasticmachine merge upstream |
|
ACK: reviewing! |
kobelb
reviewed
Jan 29, 2020
There was a problem hiding this comment.
I'm not overly fond of us splitting up this logic into two external node packages: object-prototype and object-prototype-functions.
In general, we've refrained from creating external repos and packages until there was a reason to do so. And when that time came, they've generally resided under the elastic organization. While I do see the merit in allowing others to benefit from the same approach that Kibana is taking to harden itself, it feels like we're doing so prematurely. I'd prefer we move this code to be within the Kibana repo until it's more mature and we deem it beneficial to make a separate package.
|
@elasticmachine merge upstream |
1 similar comment
|
@elasticmachine merge upstream |
|
The results of the new tests: https://github.com/elastic/kibana/pull/55697/checks?check_run_id=423032610 |
|
ACK: will re-review first thing tomorrow |
kobelb
reviewed
Feb 5, 2020
kobelb
reviewed
Feb 6, 2020
kobelb
reviewed
Feb 6, 2020
watson
force-pushed
the
harden-child-processes
branch
from
a723959 to
71179eb
Compare
watson
commented
Feb 11, 2020
watson
force-pushed
the
harden-child-processes
branch
from
1595110 to
fe9c952
Compare
watson
commented
Feb 24, 2020
watson
commented
Feb 24, 2020
watson
commented
Feb 24, 2020
Add general protection against RCE vulnerabilities similar to the one described in CVE-2019-7609. Closes elastic#49605
watson
force-pushed
the
harden-child-processes
branch
from
57c39fd to
7ec6fe3
Compare
legrego
approved these changes
Mar 9, 2020
Co-Authored-By: Larry Gregory <lgregorydev@gmail.com>
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
mistic
reviewed
Mar 9, 2020
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Mar 10, 2020
* master: (22 commits) Generate docs from data plugin (elastic#56955) Fixes elastic#59513 by hiding one of the symmetric edges rather than omiting it (elastic#59514) Harden creation of child processes (elastic#55697) [Alerting] replace watcher http APIs used by index threshold Alerting (elastic#59475) [Maps][docs] add more details to Quantitative data driven styling docs (elastic#59553) chore: 🤖 hide Drilldowns in master (elastic#59698) [Discover] Migrate AppState/GlobalState to new app state helpers (elastic#57175) Use HTTP request schemas to create types, use those types in the client (elastic#59340) [Maps] Support categorical styling for numbers and dates (elastic#57908) [ML] Functional API tests - bucket span estimation with custom search.max_buckets (elastic#59665) Fix slm_ui setting by changing camel case back to snake case. (elastic#59663) removes beta tag (elastic#59618) [DOCS] Removed spatial references (elastic#59595) fix outdated docs (elastic#58729) [ML] Fixes bucket span estimators loading of max_buckets setting (elastic#59639) [ML] Refactoring anomaly detector job types (elastic#59556) [Upgrade Assistant] Better handling of closed indices (elastic#58890) additional visualizations plugin cleanup before moving to NP (elastic#59318) In scripted fields, unable to switch the `Type` - getting a console error which says - Class constructor DecoratedFieldFormat cannot be invoked without 'new' (elastic#59285) [Visualize] Remove global state in visualize (elastic#58352) ...
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Mar 10, 2020
…s/kibana into alerting/fix-flaky-instance-test * 'alerting/fix-flaky-instance-test' of github.com:gmmorris/kibana: (176 commits) Generate docs from data plugin (elastic#56955) Fixes elastic#59513 by hiding one of the symmetric edges rather than omiting it (elastic#59514) Harden creation of child processes (elastic#55697) [Alerting] replace watcher http APIs used by index threshold Alerting (elastic#59475) [Maps][docs] add more details to Quantitative data driven styling docs (elastic#59553) chore: 🤖 hide Drilldowns in master (elastic#59698) [Discover] Migrate AppState/GlobalState to new app state helpers (elastic#57175) Use HTTP request schemas to create types, use those types in the client (elastic#59340) [Maps] Support categorical styling for numbers and dates (elastic#57908) [ML] Functional API tests - bucket span estimation with custom search.max_buckets (elastic#59665) Fix slm_ui setting by changing camel case back to snake case. (elastic#59663) removes beta tag (elastic#59618) [DOCS] Removed spatial references (elastic#59595) fix outdated docs (elastic#58729) [ML] Fixes bucket span estimators loading of max_buckets setting (elastic#59639) [ML] Refactoring anomaly detector job types (elastic#59556) [Upgrade Assistant] Better handling of closed indices (elastic#58890) additional visualizations plugin cleanup before moving to NP (elastic#59318) In scripted fields, unable to switch the `Type` - getting a console error which says - Class constructor DecoratedFieldFormat cannot be invoked without 'new' (elastic#59285) [Visualize] Remove global state in visualize (elastic#58352) ...
watson
added a commit
that referenced
this pull request
Mar 10, 2020
Add general protection against RCE vulnerabilities similar to the one described in CVE-2019-7609. Closes #49605
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add general protection against RCE vulnerabilities similar to the one described in CVE-2019-7609.
Unfortunately, our normal testing framework Jest, changes the behavior of
process.envin a way so that we can't test that our patches works as expected. We, therefore, have to introduce another testing framework in this PR that we can use to test our hardening functionality. I've chosen tape because it's very simple, is widely used in the Node.js community, and doesn't add any magic to the environment.Closes #49605