Concourse v5.0.1 Release Notes

Release Date: 2019-03-25
  • 🔒 fix, security

    🐛 Fixed a bug when saving wacky versions generated by wacky resource types, i.e. resource types that let you put arbitrary data in the version.

    โฌ†๏ธ The bug enables limited SQL injection, so we recommend that anyone running 5.0 upgrade to this version as soon as possible. It's a bit concerning that we've ended up with a SQL injection vulnerability in 2019, but this at least appears to be an isolated and easily verifiable case. More on that later.

    Thankfully, this is very difficult and impractical to exploit, and the impact is fairly low despite it being a SQL injection:

    • Only a single SELECT query can be injected, so the database cannot be modified: there should be no loss of integrity or data.

    • The SELECTed value is only ever inserted into an internal column which is never exposed to users. It is used purely for internal bookkeeping, and putting something bogus there has no effect on the rest of the system.

    • This issue only affects resource types that put arbitrary user-specified data into the resource version. This is very unusual: almost all resource types have strict, simple versions (e.g. git refs, version numbers, sha256 digests).

    • No core resource types are affected, and most other resource types shouldn't be either. The only known resource types that do this are somewhat hacky ones that propagate arbitrary data through the pipeline via resource versions.

    How this vulnerability happened:

    Normally we use a lightweight library for constructing queries safely (Masterminds/squirrel), and we always pass all user data as params ($1, $2, etc.) so that escaping is never even necessary. In this case, however, the query was slightly more complicated, so we had to pop open the hood and construct a query fragment directly using sq.Expr.

    Unfortunately, that fragment was built by concatenating the resource version JSON directly into the SQL string. As a result, a version containing a single quote (') would terminate the surrounding string literal, and whatever followed it was parsed as SQL. We've changed it to pass the JSON as a param instead, and we've audited all other uses of sq.Expr to verify that they are only ever given static strings, trivial pre-formatted data, or params.
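    As an added illustration (not Concourse's own code, and not the actual fragment from 5.0), the following Go program contrasts the two ways of building such a fragment. `Expr`, `vulnerableVersionExpr`, `safeVersionExpr` and `auditExpr` are assumed names; `Expr` is a stand-in for squirrel's sq.Expr so the program runs with only the standard library, and the `version_md5` column and `md5(...)` wrapper are hypothetical. The resource version used as input is constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Expr mirrors the shape of squirrel's sq.Expr: a SQL fragment with "?"
// placeholders plus the arguments bound to them. It is a stand-in so this
// example runs without the squirrel dependency.
type Expr struct {
	SQL  string
	Args []interface{}
}

// versionJSON serialises a resource version as a JSON object of string
// fields. Only that shape is assumed here; no single quote is escaped by
// encoding/json, which is exactly why the concatenation below is unsafe.
func versionJSON(version map[string]string) (string, error) {
	b, err := json.Marshal(version)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// vulnerableVersionExpr reconstructs the pattern the notes describe: the
// version JSON is concatenated into the fragment as a SQL string literal.
// The column name and the md5(...) wrapper are hypothetical.
func vulnerableVersionExpr(version map[string]string) (Expr, error) {
	js, err := versionJSON(version)
	if err != nil {
		return Expr{}, err
	}
	// A single quote inside js terminates the literal; whatever follows it
	// is handed to the SQL parser as SQL.
	return Expr{SQL: "version_md5 = md5('" + js + "')"}, nil
}

// safeVersionExpr is the fixed pattern: the JSON travels as a bound
// parameter, so its bytes are never interpreted by the SQL parser.
func safeVersionExpr(version map[string]string) (Expr, error) {
	js, err := versionJSON(version)
	if err != nil {
		return Expr{}, err
	}
	return Expr{SQL: "version_md5 = md5(?)", Args: []interface{}{js}}, nil
}

// auditExpr is a mechanical version of the review described in the notes
// (my heuristic, not the project's tooling): a fragment should carry data
// only through placeholders, so a string-literal quote in the SQL text is
// suspect, and the placeholder count must match the argument count.
func auditExpr(e Expr) error {
	if strings.Contains(e.SQL, "'") {
		return fmt.Errorf("fragment %q embeds a string literal; use a placeholder", e.SQL)
	}
	if n := strings.Count(e.SQL, "?"); n != len(e.Args) {
		return fmt.Errorf("fragment %q has %d placeholders but %d args", e.SQL, n, len(e.Args))
	}
	return nil
}

func main() {
	// Constructed payload: a "wacky" version whose value closes the quoted
	// literal, splices in a SELECT via string concatenation, and reopens
	// the literal so the surrounding statement still parses.
	wacky := map[string]string{"ref": "v1') || (SELECT current_user) || ('"}

	bad, _ := vulnerableVersionExpr(wacky)
	fmt.Println("vulnerable:", bad.SQL)
	fmt.Println("audit:", auditExpr(bad))

	good, _ := safeVersionExpr(wacky)
	fmt.Println("fixed:", good.SQL, good.Args)
	fmt.Println("audit:", auditExpr(good))
}
```

    Running it prints the vulnerable fragment with the SELECT spliced into the statement, while the fixed fragment keeps the very same bytes inside Args, where the SQL parser never sees them. The payload shape also shows why the notes can bound the impact to a single SELECT: the injected text has to fit inside the md5(...) expression and leave the statement syntactically valid, so the attacker controls a value, not the statement. auditExpr flags any sq.Expr-style fragment that embeds a quoted literal or whose placeholder and argument counts disagree, which is the kind of check you would want to run over every call site during the audit the notes describe.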

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿš€ The BOSH release now sets file permissions for its config values as 0600, which fixes Postgres certificate configuration. Thanks for the PR, @flavorjones!

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿš€ The BOSH release now correctly handles array-values for authorized worker keys. Sorry about that!