open-nomad/client
Michael Schurter 2965dc6a1a
artifact: fix numerous go-getter security issues
Fix numerous go-getter security issues:

- Add timeouts to http, git, and hg operations to prevent DoS
- Add size limit to http to prevent resource exhaustion
- Disable following symlinks in both artifacts and `job run`
- Stop performing initial HEAD request to avoid file corruption on
  retries and DoS opportunities.

**Approach**

Since Nomad has no ability to differentiate a DoS-via-large-artifact vs
a legitimate workload, all of the new limits are configurable at the
client agent level.

The max size of HTTP downloads is also exposed as a node attribute so
that if some workloads have large artifacts they can specify a high
limit in their jobspecs.

In the future all of this plumbing could be extended to enable/disable
specific getters or artifact downloading entirely on a per-node basis.
2022-05-24 16:29:39 -04:00
| Name | Last commit | Date |
| --- | --- | --- |
| allocdir | test: use `T.TempDir` to create temporary test directory (#12853) | 2022-05-12 11:42:40 -04:00 |
| allochealth | Merge branch 'main' into f-1.3-boogie-nights | 2022-03-23 09:41:25 +01:00 |
| allocrunner | artifact: fix numerous go-getter security issues | 2022-05-24 16:29:39 -04:00 |
| allocwatcher | test: use `T.TempDir` to create temporary test directory (#12853) | 2022-05-12 11:42:40 -04:00 |
| config | artifact: fix numerous go-getter security issues | 2022-05-24 16:29:39 -04:00 |
| consul | Merge branch 'main' into f-1.3-boogie-nights | 2022-03-23 09:41:25 +01:00 |
| devicemanager | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| dynamicplugins | fix data race in dynamic plugin registry tests (#12554) | 2022-04-14 14:55:56 -04:00 |
| fingerprint | build: update ec2 instance profiles | 2022-04-21 11:47:40 -05:00 |
| interfaces | artifact: fix numerous go-getter security issues | 2022-05-24 16:29:39 -04:00 |
| lib | test: use `T.TempDir` to create temporary test directory (#12853) | 2022-05-12 11:42:40 -04:00 |
| logmon | test: use `T.TempDir` to create temporary test directory (#12853) | 2022-05-12 11:42:40 -04:00 |
| pluginmanager | test: use `T.TempDir` to create temporary test directory (#12853) | 2022-05-12 11:42:40 -04:00 |
| servers | feat: remove dependency to consul/lib | 2022-04-09 13:22:44 +02:00 |
| serviceregistration | services: cr followup | 2022-04-22 09:14:29 -05:00 |
| state | test: use `T.TempDir` to create temporary test directory (#12853) | 2022-05-12 11:42:40 -04:00 |
| stats | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| structs | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| taskenv | services: cr followup | 2022-04-22 09:14:29 -05:00 |
| testutil | client: cgroups v2 code review followup | 2022-03-24 13:40:42 -05:00 |
| vaultclient | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| acl.go | Audit config, seams for enterprise audit features | 2020-03-23 13:47:42 -04:00 |
| acl_test.go | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| agent_endpoint.go | json handles were moved to a new package in #10202 | 2021-04-02 13:31:10 +00:00 |
| agent_endpoint_test.go | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| alloc_endpoint.go | client: fix multiple imports (#10537) | 2021-05-13 14:30:31 -04:00 |
| alloc_endpoint_test.go | client: enable support for cgroups v2 | 2022-03-23 11:35:27 -05:00 |
| alloc_watcher_e2e_test.go | job_hooks: add implicit constraint when using Consul for services. (#12602) | 2022-04-20 14:09:13 +02:00 |
| client.go | artifact: fix numerous go-getter security issues | 2022-05-24 16:29:39 -04:00 |
| client_stats_endpoint.go | Server side impl + touch ups | 2018-02-15 13:59:02 -08:00 |
| client_stats_endpoint_test.go | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| client_test.go | test: use `T.TempDir` to create temporary test directory (#12853) | 2022-05-12 11:42:40 -04:00 |
| csi_endpoint.go | CSI: allow updates to volumes on re-registration (#12167) | 2022-03-07 11:06:59 -05:00 |
| csi_endpoint_test.go | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| driver_manager_test.go | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| enterprise_client_oss.go | gofmt all the files | 2021-10-01 10:14:28 -04:00 |
| fingerprint_manager.go | chore: fixup inconsistent method receiver names. (#11704) | 2021-12-20 11:44:21 +01:00 |
| fingerprint_manager_test.go | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| fs_endpoint.go | Fix log streaming missing frames (#11721) | 2022-01-04 14:07:16 -05:00 |
| fs_endpoint_test.go | raw_exec: make raw exec driver work with cgroups v2 | 2022-04-04 16:11:38 -05:00 |
| gc.go | chore: fix incorrect docstring formatting. | 2021-08-30 11:08:12 +02:00 |
| gc_test.go | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| heartbeatstop.go | Delayed evaluations for `stop_after_client_disconnect` can cause unwanted extra followup evaluations around job garbage collection (#8099) | 2020-06-03 09:48:38 -04:00 |
| heartbeatstop_test.go | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| node_updater.go | client: use NewNodeEvent builder for consistency (#7559) | 2020-03-31 10:02:16 -04:00 |
| rpc.go | fix: use NewSafeTimer | 2022-04-11 19:37:14 +02:00 |
| rpc_test.go | ci: swap ci parallelization for unconstrained gomaxprocs | 2022-03-15 12:58:52 -05:00 |
| testing.go | client: refactor common service registration objects from Consul. | 2022-03-15 09:38:30 +01:00 |
| util.go | Revert "client: defensive against getting stale alloc updates" | 2020-06-19 15:39:44 -04:00 |