Concourse v5.0.1 Release Notes
Release Date: 2019-03-25
fix, security
- Fixed a bug when saving wacky versions generated by wacky resource types that let you put wacky arbitrary data in the version.

The bug enables limited SQL injection, so we recommend that anyone running 5.0 upgrade to this version as soon as possible. It's a bit concerning that we've ended up with a SQL injection vulnerability in 2019, but this at least appears to be an isolated and easily verifiable case. More on that later.
Thankfully, this is very difficult and impractical to exploit, and the impact is fairly low despite it being a SQL injection:

- It is only possible to inject a single `SELECT` query, so there should be no loss of integrity or data.
- The `SELECT`ed value would only be inserted into an internal column which is never exposed to users - it is only used for internal bookkeeping, and putting something bogus there will have no effect on the rest of the system.
- This issue only affects resource types that put arbitrary user-specified data into the resource version. This is very unusual - almost all resource types have strict, simple versions (e.g. `git` refs, version numbers, sha256 digests).
- No core resource types are affected, and most resource types shouldn't be either. The only known resource types that do this are sort of hacky ones that propagate arbitrary data through the pipeline via resource versions.
How this exploit happened:

Normally, we use a lightweight framework for constructing queries safely (`Masterminds/squirrel`), and we always pass all user data as params (`$1`, `$2`, etc.) so that escaping is never even necessary. In this case, however, the query was slightly more complicated, so we had to pop open the hood and directly construct a query fragment using `sq.Expr`. Unfortunately, the portion that we injected did so by concatenating the resource version JSON into the query fragment. As a result, versions with a single quote (`'`) in them would break out of the surrounding string and insert their own SQL query. We've changed it to use a param instead, and we've done an audit of all other uses of `sq.Expr` to verify that they are only ever being given static strings, trivial pre-formatted data, or params.
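As an added example (not Concourse's own code), here is the concatenation pattern described above beside its parameterised fix, plus a small check that flags when a version's JSON has escaped the surrounding string literal. The `version` column, the `Version` type and the helper names are assumptions, and `sqlOutsideLiterals` is a simplified Postgres-style lexer that only understands `''` escaping.

```go
package main

import "encoding/json"

// Version stands in for a Concourse resource version: an arbitrary map
// supplied by the resource type, so its contents are user-controlled.
type Version map[string]string

// unsafeVersionExpr is the vulnerable pattern from the release notes: the
// version JSON is concatenated into the SQL text (column name is illustrative).
func unsafeVersionExpr(v Version) string {
	js, _ := json.Marshal(v)
	return "version = '" + string(js) + "'"
}

// safeVersionExpr is the fix: the SQL text is constant and the JSON travels
// as bind parameter $1, so the database never lexes it as SQL.
func safeVersionExpr(v Version) (string, []interface{}) {
	js, _ := json.Marshal(v)
	return "version = $1", []interface{}{string(js)}
}

// sqlOutsideLiterals returns the bytes a Postgres-style lexer treats as SQL
// rather than as single-quoted string content ('' is the escaped quote).
func sqlOutsideLiterals(sql string) string {
	var out []byte
	inLit := false
	for i := 0; i < len(sql); i++ {
		c := sql[i]
		if c != '\'' {
			if !inLit {
				out = append(out, c)
			}
			continue
		}
		if inLit && i+1 < len(sql) && sql[i+1] == '\'' {
			i++ // doubled quote: still inside the literal
			continue
		}
		inLit = !inLit
	}
	return string(out)
}

// versionEscapesLiteral reports whether concatenating v changes the SQL seen
// outside string literals, i.e. the version has broken out of its quotes.
func versionEscapesLiteral(v Version) bool {
	baseline := sqlOutsideLiterals(unsafeVersionExpr(Version{}))
	return sqlOutsideLiterals(unsafeVersionExpr(v)) != baseline
}
```

The same comparison works as an audit aid for any hand-built `sq.Expr` fragment: if user data shows up in the part a lexer reads as SQL rather than as literal content, it belongs in a param.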
fix
- The BOSH release now sets file permissions for its config values as `0600`, which fixes Postgres certificate configuration. Thanks for the PR, @flavorjones!
fix
- The BOSH release now correctly handles array values for authorized worker keys. Sorry about that!