heierbtc/citadel-core
1
0
Fork 0
forked from michael.heier/citadel-core
Code Issues Pull Requests Projects Releases Wiki Activity

Additional security for the app system

Browse Source
This commit is contained in:
Aaron Dewes 2021-11-26 18:35:55 +00:00
parent a8d993b655
commit 99452a3f60
2 changed files with 17 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/app-standard-v1.json
View File

@ -125,7 +125,7 @@
"description": "If this is the main container, the port inside the container which will be exposed to the outside as the port specified in metadata." "description": "If this is the main container, the port inside the container which will be exposed to the outside as the port specified in metadata."
}, },
"environment": { "environment": {
"type": ["object", "array"] "type": "object"
}, },
"data": { "data": {
"type": "array", "type": "array",

28
app/lib/composegenerator/shared/env.py
View File

@ -3,6 +3,7 @@
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
import re import re
from typing import Union
from lib.composegenerator.v1.types import App from lib.composegenerator.v1.types import App
from lib.composegenerator.shared.const import always_allowed_env from lib.composegenerator.shared.const import always_allowed_env
from lib.citadelutils import checkArrayContainsAllElements, getEnvVars from lib.citadelutils import checkArrayContainsAllElements, getEnvVars
@ -23,6 +24,18 @@ def validateEnvByValue(env: list, allowed: list, app_name: str):
return False return False
return True return True
def validateEnvStringOrListorDict(env: Union[str, Union[list, dict]], existingEnv: list, app_name: str, container_name: str):
envList = []
if isinstance(env, dict):
envList = env.values()
elif isinstance(env, list):
envList = env
elif isinstance(env, str):
envList = [env]
for envVar in envList:
if not validateEnvByValue(getEnvVars(envVar), existingEnv, app_name):
raise Exception("Env var {} not defined for container {} of app {}".format(envVar, container_name, app_name))
def validateEnv(app: App): def validateEnv(app: App):
# For every container of the app, check if all env vars in the strings in environment are defined in env # For every container of the app, check if all env vars in the strings in environment are defined in env
@ -33,15 +46,6 @@ def validateEnv(app: App):
del container.environment_allow del container.environment_allow
else: else:
existingEnv = [] existingEnv = []
# The next step depends on the type of the environment object, which is either a list or dict validateEnvStringOrListorDict(container.command, existingEnv, app.metadata.id, container.name)
# If it's a list, split every string in it by the first=, then run getEnvVars(envVarValue) on it validateEnvStringOrListorDict(container.entrypoint, existingEnv, app.metadata.id, container.name)
# ON a dict, run getEnvVars(envVarValue) on every value of the environment object validateEnvStringOrListorDict(container.environment, existingEnv, app.metadata.id, container.name)
# Then check if all env vars returned by getEnvVars are defined in env
if isinstance(container.environment, list):
raise Exception("List env vars are no longer supported for container {} of app {}".format(
container.name, app.metadata.name))
elif isinstance(container.environment, dict):
for envVar in container.environment.values():
if not validateEnvByValue(getEnvVars(envVar), existingEnv, app.metadata.id):
raise Exception("Env vars not defined for container {} of app {}".format(
container.name, app.metadata.name))