From 1febaa82ffba33185c110315cbab1263821f6d6b Mon Sep 17 00:00:00 2001
From: Caleb Doxsey <cdoxsey@pomerium.com>
Date: Fri, 19 Mar 2021 09:51:14 -0600
Subject: [PATCH] envoy: restrict permissions on embedded envoy binary (#1999)

---
 internal/envoy/embed.go | 7 +++++--
 internal/envoy/envoy.go | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/internal/envoy/embed.go b/internal/envoy/embed.go
index 10c159e32..36a357246 100644
--- a/internal/envoy/embed.go
+++ b/internal/envoy/embed.go
@@ -2,6 +2,7 @@ package envoy
 
 import (
 	"fmt"
+	"io/fs"
 	"os"
 	"path/filepath"
 
@@ -9,6 +10,8 @@ import (
 	resources "gopkg.in/cookieo9/resources-go.v2"
 )
 
+const embeddedEnvoyPermissions fs.FileMode = 0o700
+
 var embeddedFilesDirectory = filepath.Join(os.TempDir(), "pomerium-embedded-files")
 
 func extractEmbeddedEnvoy() (outPath string, err error) {
@@ -40,7 +43,7 @@ func extractEmbeddedEnvoy() (outPath string, err error) {
 	if zf, ok := rc.(interface{ FileInfo() os.FileInfo }); ok {
 		zfi = zf.FileInfo()
 		if fi, e := os.Stat(outPath); e == nil {
-			if fi.Size() == zfi.Size() && fi.ModTime() == zfi.ModTime() {
+			if fi.Size() == zfi.Size() && fi.ModTime() == zfi.ModTime() && zfi.Mode().Perm() == embeddedEnvoyPermissions {
 				return outPath, nil
 			}
 		}
@@ -51,7 +54,7 @@ func extractEmbeddedEnvoy() (outPath string, err error) {
 		return "", fmt.Errorf("error extracting embedded envoy binary to temporary directory (path=%s): %w", outPath, err)
 	}
 
-	err = os.Chmod(outPath, 0o755)
+	err = os.Chmod(outPath, embeddedEnvoyPermissions)
 	if err != nil {
 		return "", fmt.Errorf("error chmoding embedded envoy binary: %w", err)
 	}
diff --git a/internal/envoy/envoy.go b/internal/envoy/envoy.go
index 64b4de56a..4a3a64a76 100644
--- a/internal/envoy/envoy.go
+++ b/internal/envoy/envoy.go
@@ -73,7 +73,7 @@ type Server struct {
 // NewServer creates a new server with traffic routed by envoy.
 func NewServer(src config.Source, grpcPort, httpPort string) (*Server, error) {
 	wd := filepath.Join(os.TempDir(), workingDirectoryName)
-	err := os.MkdirAll(wd, 0o755)
+	err := os.MkdirAll(wd, embeddedEnvoyPermissions)
 	if err != nil {
 		return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
 	}