
feat: Share util functions #598

Merged (6 commits), Jul 22, 2022

Conversation

@laurentsimon (Collaborator) commented Jul 21, 2022

This PR does 3 things:

  1. Share util functions between builders
  2. Ensure the files we create do not already exist (O_EXCL)
  3. Add sanity checks when downloading an artifact for the non-existence of the file

I started looking into

err = ioutil.WriteFile(filename, attBytes, 0o600)

and https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/attest.go#L165

Then I realized that a malicious developer can use this function to sign any file present in the generator directory. The reason is that if the file already exists, this function does not return an error and continues silently. Fortunately we don't check out the developer repository (by design), because it might have allowed the developer to set the path to a file they control.

I think an attacker could only have selected files with the .intoto.jsonl extension, so just a few test case files. I have not tested filenames like some-file\0 (to remove the extension in

filename := fmt.Sprintf("%s.intoto.jsonl", subject)
), but I doubt it would work...

So I created the CreateNewFileUnderCurrentDirectory() function, which uses O_EXCL, and used it across the 2 existing builders.

Besides these changes, the rest is mostly refactoring.
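To illustrate the silent-overwrite problem described above and the O_EXCL fix, here is an added example that is not the project's code: createNewFileUnderCurrentDirectory and writeAttestation are hypothetical names, and the sample file name is constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// createNewFileUnderCurrentDirectory is an illustrative helper (not the project's
// own function of that name): it creates name relative to the working directory and
// fails if name is absolute, escapes that directory, has a NUL byte, or already exists.
func createNewFileUnderCurrentDirectory(name string) (*os.File, error) {
	if strings.ContainsRune(name, 0) {
		return nil, fmt.Errorf("file name %q contains a NUL byte", name)
	}
	if filepath.IsAbs(name) {
		return nil, fmt.Errorf("file name %q must be relative", name)
	}
	wd, err := os.Getwd()
	if err != nil {
		return nil, err
	}
	// Join cleans the path; Rel then exposes any "../" escape from wd.
	abs := filepath.Join(wd, name)
	rel, err := filepath.Rel(wd, abs)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, fmt.Errorf("file name %q resolves outside %s", name, wd)
	}
	// O_EXCL: an existing path yields an error wrapping os.ErrExist instead of
	// being silently truncated and overwritten as ioutil.WriteFile would do.
	return os.OpenFile(abs, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

// writeAttestation writes attBytes to a fresh file; a repeat call fails.
func writeAttestation(name string, attBytes []byte) error {
	f, err := createNewFileUnderCurrentDirectory(name)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(attBytes)
	return err
}

func main() {
	name := fmt.Sprintf("%s.intoto.jsonl", "example-binary") // constructed sample
	fmt.Println(writeAttestation(name, []byte("{}")))
	fmt.Println(writeAttestation(name, []byte("{}")))
}
```

The second call in main reports that the file exists rather than overwriting the attestation written by the first.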

@ianlewis (Member)

Thanks, I'll give this a review tomorrow

@asraa (Collaborator) left a comment

Thanks! Really minor nits

Review threads (resolved): internal/builders/go/main_test.go, internal/utils/marshall.go (2)
@laurentsimon (Collaborator, Author)

I'll wait for an ack from @ianlewis before merging.

Review threads (resolved): internal/builders/go/pkg/config.go, internal/utils/path.go
@laurentsimon laurentsimon enabled auto-merge (squash) July 22, 2022 01:42
@laurentsimon laurentsimon merged commit 7083535 into slsa-framework:main Jul 22, 2022