3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-07 13:22:43 +02:00
Code Issues Projects Releases Packages Wiki Activity

envoy: restrict permissions on embedded envoy binary (#1999)

Browse source
This commit is contained in:
Caleb Doxsey 2021-03-19 09:51:14 -06:00 committed by GitHub
parent 23bc3f979f
commit 1febaa82ff
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

7
internal/envoy/embed.go
View file

@ -2,6 +2,7 @@ package envoy
import ( import (
"fmt" "fmt"
"io/fs"
"os" "os"
"path/filepath" "path/filepath"
@ -9,6 +10,8 @@ import (
resources "gopkg.in/cookieo9/resources-go.v2" resources "gopkg.in/cookieo9/resources-go.v2"
) )
const embeddedEnvoyPermissions fs.FileMode = 0o700
var embeddedFilesDirectory = filepath.Join(os.TempDir(), "pomerium-embedded-files") var embeddedFilesDirectory = filepath.Join(os.TempDir(), "pomerium-embedded-files")
func extractEmbeddedEnvoy() (outPath string, err error) { func extractEmbeddedEnvoy() (outPath string, err error) {
@ -40,7 +43,7 @@ func extractEmbeddedEnvoy() (outPath string, err error) {
if zf, ok := rc.(interface{ FileInfo() os.FileInfo }); ok { if zf, ok := rc.(interface{ FileInfo() os.FileInfo }); ok {
zfi = zf.FileInfo() zfi = zf.FileInfo()
if fi, e := os.Stat(outPath); e == nil { if fi, e := os.Stat(outPath); e == nil {
if fi.Size() == zfi.Size() && fi.ModTime() == zfi.ModTime() { if fi.Size() == zfi.Size() && fi.ModTime() == zfi.ModTime() && zfi.Mode().Perm() == embeddedEnvoyPermissions {
return outPath, nil return outPath, nil
} }
} }
@ -51,7 +54,7 @@ func extractEmbeddedEnvoy() (outPath string, err error) {
return "", fmt.Errorf("error extracting embedded envoy binary to temporary directory (path=%s): %w", outPath, err) return "", fmt.Errorf("error extracting embedded envoy binary to temporary directory (path=%s): %w", outPath, err)
} }
err = os.Chmod(outPath, 0o755) err = os.Chmod(outPath, embeddedEnvoyPermissions)
if err != nil { if err != nil {
return "", fmt.Errorf("error chmoding embedded envoy binary: %w", err) return "", fmt.Errorf("error chmoding embedded envoy binary: %w", err)
} }

2
internal/envoy/envoy.go
View file

@ -73,7 +73,7 @@ type Server struct {
// NewServer creates a new server with traffic routed by envoy. // NewServer creates a new server with traffic routed by envoy.
func NewServer(src config.Source, grpcPort, httpPort string) (*Server, error) { func NewServer(src config.Source, grpcPort, httpPort string) (*Server, error) {
wd := filepath.Join(os.TempDir(), workingDirectoryName) wd := filepath.Join(os.TempDir(), workingDirectoryName)
err := os.MkdirAll(wd, 0o755) err := os.MkdirAll(wd, embeddedEnvoyPermissions)
if err != nil { if err != nil {
return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err) return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
} }