e2e: fix destination of templates in VaultSecrets test #9146

Merged
merged 1 commit into from
Oct 22, 2020

Conversation

tgross
Member

@tgross tgross commented Oct 22, 2020

Fixes #9144

The `$NOMAD_SECRETS_DIR` environment variable is rendered as `/secrets`, which
if used as a `template.destination` prior to the recent security patch would
unintentionally escape the file sandbox and get dropped in a directory named
`/secrets` where the Nomad client binary was running. The `VaultSecrets` test
was accidentally relying on this behavior and that causes the test to fail.


This is an easy mistake to make, and makes me worry whether we have a lot of this
behavior "in the wild" and what we could do to improve the UX.

Addendum: in 0.12.5 it doesn't actually escape the file sandbox, but it fails the check in
0.12.6 as though it does. So there may be a bug in the patch 😦 (Going to spin that out to a new issue)
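
Whether a destination such as `/secrets/...` counts as a sandbox escape depends on how the containment check treats the leading slash; the following added Go example (not Nomad's code and not part of this PR) contrasts two generic checks. The function names, sandbox path and file names are constructed for illustration, and neither function is claimed to match what 0.12.5 or 0.12.6 actually does.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// within reports whether path p is root itself or lies underneath it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// escapesIfJoined always treats dest as relative to the sandbox root, so a
// leading "/" is folded into the root before the containment test.
func escapesIfJoined(sandbox, dest string) bool {
	return !within(sandbox, filepath.Join(sandbox, dest))
}

// escapesIfAbsolute honors a leading "/" as a host path, so any absolute
// destination outside the sandbox root counts as an escape.
func escapesIfAbsolute(sandbox, dest string) bool {
	p := dest
	if !filepath.IsAbs(p) {
		p = filepath.Join(sandbox, p)
	}
	return !within(sandbox, filepath.Clean(p))
}

func main() {
	// Constructed sandbox root and destinations, for illustration only.
	sandbox := "/var/nomad/alloc/example/web"
	for _, dest := range []string{
		"/secrets/cert.pem",      // what "$NOMAD_SECRETS_DIR/cert.pem" renders to
		"secrets/cert.pem",       // relative to the task directory
		"../../../../etc/passwd", // genuine traversal, flagged by both checks
	} {
		fmt.Printf("%-24s joined=%-5v absolute=%v\n", dest,
			escapesIfJoined(sandbox, dest), escapesIfAbsolute(sandbox, dest))
	}
}
```

The two checks disagree only on the absolute-looking destination, which is the case a job spec hits when it uses the rendered environment variable as a path prefix.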

The `$NOMAD_SECRETS_DIR` environment variable is rendered as `/secrets`, which
prior to the recent security patch would unintentionally escape the file
sandbox and get dropped in a directory named `/secrets` where the Nomad client
binary was running. The `VaultSecrets` test was accidentally relying on this
behavior and that causes the test to fail.
@tgross
Member Author

tgross commented Oct 22, 2020

I've opened #9148 to work out the backwards incompatibility / UX.

@tgross tgross merged commit 8aed53c into master Oct 22, 2020
@tgross tgross deleted the e2e-vault-secrets-placement branch October 22, 2020 17:00
tgross added a commit that referenced this pull request Oct 23, 2020
tgross added a commit that referenced this pull request Oct 23, 2020
@github-actions

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 13, 2022
Development

Successfully merging this pull request may close these issues.

E2E: flaky test TestVaultSecrets