2965dc6a1a
Fix numerous go-getter security issues: - Add timeouts to http, git, and hg operations to prevent DoS - Add size limit to http to prevent resource exhaustion - Disable following symlinks in both artifacts and `job run` - Stop performing initial HEAD request to avoid file corruption on retries and DoS opportunities. **Approach** Since Nomad has no ability to differentiate a DoS-via-large-artifact vs a legitimate workload, all of the new limits are configurable at the client agent level. The max size of HTTP downloads is also exposed as a node attribute so that if some workloads have large artifacts they can specify a high limit in their jobspecs. In the future all of this plumbing could be extended to enable/disable specific getters or artifact downloading entirely on a per-node basis. |
||
|---|---|---|
| .. | ||
| acl.mdx | ||
| audit.mdx | ||
| autopilot.mdx | ||
| client.mdx | ||
| consul.mdx | ||
| index.mdx | ||
| plugin.mdx | ||
| search.mdx | ||
| sentinel.mdx | ||
| server.mdx | ||
| server_join.mdx | ||
| telemetry.mdx | ||
| tls.mdx | ||
| ui.mdx | ||
| vault.mdx | ||