envoy: restrict permissions on embedded envoy binary (#1999)

2025-06-06 04:42:56 +02:00 · 2021-03-19 09:51:14 -06:00 · 2021-03-19 09:51:14 -06:00 · 1febaa82ff
commit 1febaa82ff
parent 23bc3f979f
2 changed files with 6 additions and 3 deletions
--- a/internal/envoy/embed.go
+++ b/internal/envoy/embed.go
@ -2,6 +2,7 @@ package envoy

 import (
 	"fmt"
+	"io/fs"
 	"os"
 	"path/filepath"

@ -9,6 +10,8 @@ import (
 	resources "gopkg.in/cookieo9/resources-go.v2"
 )

+const embeddedEnvoyPermissions fs.FileMode = 0o700
+
 var embeddedFilesDirectory = filepath.Join(os.TempDir(), "pomerium-embedded-files")

 func extractEmbeddedEnvoy() (outPath string, err error) {
@ -40,7 +43,7 @@ func extractEmbeddedEnvoy() (outPath string, err error) {
 	if zf, ok := rc.(interface{ FileInfo() os.FileInfo }); ok {
 		zfi = zf.FileInfo()
 		if fi, e := os.Stat(outPath); e == nil {
-			if fi.Size() == zfi.Size() && fi.ModTime() == zfi.ModTime() {
+			if fi.Size() == zfi.Size() && fi.ModTime() == zfi.ModTime() && zfi.Mode().Perm() == embeddedEnvoyPermissions {
 				return outPath, nil
 			}
 		}
@ -51,7 +54,7 @@ func extractEmbeddedEnvoy() (outPath string, err error) {
 		return "", fmt.Errorf("error extracting embedded envoy binary to temporary directory (path=%s): %w", outPath, err)
 	}

-	err = os.Chmod(outPath, 0o755)
+	err = os.Chmod(outPath, embeddedEnvoyPermissions)
 	if err != nil {
 		return "", fmt.Errorf("error chmoding embedded envoy binary: %w", err)
 	}
--- a/internal/envoy/envoy.go
+++ b/internal/envoy/envoy.go
@ -73,7 +73,7 @@ type Server struct {
 // NewServer creates a new server with traffic routed by envoy.
 func NewServer(src config.Source, grpcPort, httpPort string) (*Server, error) {
 	wd := filepath.Join(os.TempDir(), workingDirectoryName)
-	err := os.MkdirAll(wd, 0o755)
+	err := os.MkdirAll(wd, embeddedEnvoyPermissions)
 	if err != nil {
 		return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
 	}