-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
loader: Avoid reading UNC paths by default #6933
loader: Avoid reading UNC paths by default #6933
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for working on this. What do you think, can't we just not handle UNC paths, without an escape hatch? 🤔
loader/loader_test.go
Outdated
|
||
for _, tc := range cases { | ||
t.Run(tc.input, func(t *testing.T) { | ||
os.Unsetenv(readUNCPathEnv) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[nit] let's use t.Setenv
loader/loader.go
Outdated
@@ -29,6 +29,8 @@ import ( | |||
"github.com/open-policy-agent/opa/util" | |||
) | |||
|
|||
const readUNCPathEnv = "READ_UNC_PATH" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not a huge fan of shadow config via env vars 😅 But if we have to do it, let's prefix this with OPA_
0039f28
to
ebca544
Compare
loader/loader.go
Outdated
|
||
func checkForUNCPath(path string) error { | ||
if isUNC(path) { | ||
return fmt.Errorf("UNC path read is not allowed") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[nit] errors.New("...")
or fmt.Errorf("UNC path read is not allowed: %s", path)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated.
If a UNC path is provided to OPA it won't read it and instead return an error. This applies to paths to load bundles and individual data/policy files. One reason behind blocking UNC paths is they could trigger a NTLMv2 hash leak. For example, if a SMB share is provided, OPA will attempt to open it triggering LLMNR queries which contain the client's NTLMv2 hash which can be cracked using some tools. This could be exploited by a malicious user. Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
ebca544
to
e672ba0
Compare
If a UNC path is provided to OPA it won't read it
and instead return an error. This applies to paths
to load bundles and individual data/policy files.
One reason behind blocking UNC paths is they could
trigger a NTLMv2 hash leak. For example, if a SMB share
is provided, OPA will attempt to open it triggering LLMNR
queries which contain the client's NTLMv2 hash which can be cracked
using some tools. This could be exploited by a malicious user.