Escape runtime variables in hooks #810

New Issue

Closed

opened 2024-01-05 17:35:20 +00:00 by kiwiz · 13 comments

kiwiz commented 2024-01-05 17:35:20 +00:00

Copy Link

What I'm trying to do and why

Fire off an alert with an error hook when the borg job fails. The interpolate_context function doesn't escape runtime variables (like output), so shell injection is possible.

Steps to reproduce

Create a hook configuration with any runtime variable that may contain special shell characters (ex: ").

Actual behavior

No response

Expected behavior

The variables are escaped so they can be safely passed into commands

Other notes / implementation ideas

Another option is to pass runtime variables in environment variables.

borgmatic version

1.8.5

borgmatic installation method

Official image

Borg version

1.2.7

Python version

3.11.5

Database version (if applicable)

No response

Operating system and version

No response

### What I'm trying to do and why Fire off an alert with an error hook when the borg job fails. The `interpolate_context` function doesn't escape runtime variables (like `output`), so shell injection is possible. ### Steps to reproduce Create a hook configuration with any runtime variable that may contain special shell characters (ex: `"`). ### Actual behavior _No response_ ### Expected behavior The variables are escaped so they can be safely passed into commands ### Other notes / implementation ideas Another option is to pass runtime variables in environment variables. ### borgmatic version 1.8.5 ### borgmatic installation method Official image ### Borg version 1.2.7 ### Python version 3.11.5 ### Database version (if applicable) _No response_ ### Operating system and version _No response_

witten commented 2024-01-05 18:10:51 +00:00

Owner

Copy Link

Thanks for taking the time to file this! Just to confirm, I assume you're talking about these runtime variables on the command hooks? I agree that escaping them does seem prudent from a security perspective, even if that might technically be a breaking change for some users.

Thanks for taking the time to file this! Just to confirm, I assume you're talking about [these runtime variables](https://torsion.org/borgmatic/docs/how-to/add-preparation-and-cleanup-steps-to-backups/#variable-interpolation) on the command hooks? I agree that escaping them does seem prudent from a security perspective, even if that might technically be a breaking change for some users.

witten added the

bug

security

labels 2024-01-05 18:11:01 +00:00

kiwiz commented 2024-01-05 18:15:51 +00:00

Author

Copy Link

Yep! It should be sufficient to add a call to shlex.quote inside the interpolation logic.

Yep! It should be sufficient to add a call to [`shlex.quote`](https://docs.python.org/3/library/shlex.html#shlex.quote) inside the interpolation logic.

witten commented 2024-01-05 18:16:57 +00:00

Owner

Copy Link

Thanks, I totally forgot about that utility function even though it's already in use elsewhere!

Thanks, I totally forgot about that utility function even though it's already in use elsewhere!

witten referenced this issue from a commit 2024-01-07 18:23:56 +00:00

Prevent various shell injection attacks (#810).

witten commented 2024-01-07 18:24:37 +00:00

Owner

Copy Link

Fixed in main. Will be part of the next release. I also took the opportunity to fix similar shell injection attacks in other parts of the codebase (various database hooks, the borgmatic borg action, constant interpolation into command hooks, etc.).

Thanks again for bringing this to my attention!

Fixed in main. Will be part of the next release. I also took the opportunity to fix similar shell injection attacks in other parts of the codebase (various database hooks, the `borgmatic borg` action, constant interpolation into command hooks, etc.). Thanks again for bringing this to my attention!

witten closed this issue 2024-01-07 18:24:37 +00:00

witten commented 2024-01-21 22:57:18 +00:00

Owner

Copy Link

Released in borgmatic 1.8.7!

Released in borgmatic 1.8.7!

kiwiz commented 2024-01-22 05:19:36 +00:00

Author

Copy Link

Thanks!

Thanks!

👍 1

vilhalmer commented 2024-01-24 00:34:56 +00:00

Copy Link

This was indeed a breaking change for people using the old provided method for running pg_dumpall within a container. I'm ok with changing to a wrapper script (no pg_dump on the host since postgres versioning is awful), but it might be good to leave some sort of reference to the old example in the docs for people who are wondering what happened.

This was indeed a breaking change for people using the old provided method for running pg_dumpall within a container. I'm ok with changing to a wrapper script (no pg_dump on the host since postgres versioning is awful), but it might be good to leave some sort of reference to the old example in the docs for people who are wondering what happened.

witten commented 2024-01-24 05:12:00 +00:00

Owner

Copy Link

Thanks for weighing in, and I apologize for the breakage you encountered. What's the old provided method for running pg_dumpall within a container, and how exactly did it break? The generally recommend way for dumping PostgreSQL database with borgmatic is to use the built-in database hook, although I understand if that doesn't work for all use cases.

Thanks for weighing in, and I apologize for the breakage you encountered. What's the old provided method for running `pg_dumpall` within a container, and how exactly did it break? The generally recommend way for dumping PostgreSQL database with borgmatic is to use the [built-in database hook](https://torsion.org/borgmatic/docs/how-to/backup-your-databases/), although I understand if that doesn't work for all use cases.

vilhalmer commented 2024-01-29 00:52:05 +00:00

Copy Link

Sorry for the delay, this got lost in my inbox. I misremembered the docker exec example as being on the databases doc page, but it's actually on the configuration reference:

# Command to use instead of "pg_dump" or "pg_dumpall".
# This can be used to run a specific pg_dump version
# (e.g., one inside a running container). Defaults to
# "pg_dump" for single database dump or "pg_dumpall" to
# dump all databases.
# pg_dump_command: docker exec my_pg_container pg_dump

Sorry for the delay, this got lost in my inbox. I misremembered the docker exec example as being on the databases doc page, but it's actually on the [configuration reference](https://torsion.org/borgmatic/docs/reference/configuration/): # Command to use instead of "pg_dump" or "pg_dumpall". # This can be used to run a specific pg_dump version # (e.g., one inside a running container). Defaults to # "pg_dump" for single database dump or "pg_dumpall" to # dump all databases. # pg_dump_command: docker exec my_pg_container pg_dump

witten commented 2024-01-29 05:39:46 +00:00

Owner

Copy Link

Hmm, okay, so it looks like as part of this ticket's implementation, the pg_dump_command value is now escaped. Could you describe how that broke things for you and ideally provide the error message or logs for the breakage you're seeing? Thank you!

Hmm, okay, so it looks like as part of this ticket's implementation, the `pg_dump_command` value is now escaped. Could you describe how that broke things for you and ideally provide the error message or logs for the breakage you're seeing? Thank you!

vilhalmer commented 2024-01-29 21:00:42 +00:00

Copy Link

It ends up passing it as a single token to the shell (in my case it's podman, but it shouldn't be any different regardless of command):

Jan 29 20:57:12 compendium borgmatic[98093]: INFO borgbase-databases: Creating archive
Jan 29 20:57:12 compendium borgmatic[98093]: INFO ssh://<snip>.repo.borgbase.com/./repo: Dumping PostgreSQL databases
Jan 29 20:57:14 compendium borgmatic[98093]: INFO Creating archive at "ssh://<snip>.repo.borgbase.com/./repo::compendium-2024-01-29T20:57:12.842636"
Jan 29 20:57:14 compendium borgmatic[98093]: INFO Remote: Storage quota: 87.63 MB out of 10.00 GB used.
Jan 29 20:57:14 compendium borgmatic[98093]: INFO Remote: Storage quota: 87.63 MB out of 10.00 GB used.
Jan 29 20:57:15 compendium borgmatic[98093]: ERROR /bin/sh: line 1: podman exec postgresql pg_dumpall: command not found
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL borgbase-databases: Error running actions for repository
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL Command ''podman exec postgresql pg_dumpall' --no-password --clean --if-exists --username postgres > /root/.borgmatic/postgresql_databases/localhost/all' returned non-zero exit status 127.
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL /etc/borgmatic.d/databases.yaml: An error occurred
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL summary:
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL /etc/borgmatic.d/databases.yaml: An error occurred
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL borgbase-databases: Error running actions for repository
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL /bin/sh: line 1: podman exec postgresql pg_dumpall: command not found
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL Command ''podman exec postgresql pg_dumpall' --no-password --clean --if-exists --username postgres > /root/.borgmatic/postgresql_databases/localhost/all' returned non-zero exit status 127.
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL
Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL Need some help? https://torsion.org/borgmatic/#issues

It ends up passing it as a single token to the shell (in my case it's podman, but it shouldn't be any different regardless of command): Jan 29 20:57:12 compendium borgmatic[98093]: INFO borgbase-databases: Creating archive Jan 29 20:57:12 compendium borgmatic[98093]: INFO ssh://<snip>.repo.borgbase.com/./repo: Dumping PostgreSQL databases Jan 29 20:57:14 compendium borgmatic[98093]: INFO Creating archive at "ssh://<snip>.repo.borgbase.com/./repo::compendium-2024-01-29T20:57:12.842636" Jan 29 20:57:14 compendium borgmatic[98093]: INFO Remote: Storage quota: 87.63 MB out of 10.00 GB used. Jan 29 20:57:14 compendium borgmatic[98093]: INFO Remote: Storage quota: 87.63 MB out of 10.00 GB used. Jan 29 20:57:15 compendium borgmatic[98093]: ERROR /bin/sh: line 1: podman exec postgresql pg_dumpall: command not found Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL borgbase-databases: Error running actions for repository Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL Command ''podman exec postgresql pg_dumpall' --no-password --clean --if-exists --username postgres > /root/.borgmatic/postgresql_databases/localhost/all' returned non-zero exit status 127. Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL /etc/borgmatic.d/databases.yaml: An error occurred Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL summary: Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL /etc/borgmatic.d/databases.yaml: An error occurred Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL borgbase-databases: Error running actions for repository Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL /bin/sh: line 1: podman exec postgresql pg_dumpall: command not found Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL Command ''podman exec postgresql pg_dumpall' --no-password --clean --if-exists --username postgres > /root/.borgmatic/postgresql_databases/localhost/all' returned non-zero exit status 127. Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL Jan 29 20:57:15 compendium borgmatic[98093]: CRITICAL Need some help? https://torsion.org/borgmatic/#issues

witten referenced this issue 2024-01-30 19:03:05 +00:00

Escaping logic in pg_dump_command option breaks on spaces #822

witten commented 2024-01-30 19:03:30 +00:00

Owner

Copy Link

I don't think this is a documentation gap.. It's a straight-up bug! I've filed the issue as a new ticket: #822. Please feel free to follow along there.

I don't think this is a documentation gap.. It's a straight-up bug! I've filed the issue as a new ticket: #822. Please feel free to follow along there.

vilhalmer commented 2024-01-30 19:51:42 +00:00

Copy Link

Thank you!

Thank you!

👍 1

witten referenced this issue 2024-03-08 21:36:14 +00:00

on_error and Apprise causing Borgmatic to fail backups #839

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

spot-check

1.8.10

1.8.9

1.8.8

1.8.7

1.8.6

1.8.5

1.8.4

1.8.3

1.8.2

1.8.1

1.8.0

1.7.15

1.7.14

1.7.13

1.7.12

1.7.11

1.7.10

1.7.9

1.7.8

1.7.7

1.7.6

1.7.5

1.7.4

1.7.3

1.7.2

1.7.1

1.7.0

1.6.6

1.6.5

1.6.4

1.6.3

1.6.2

1.6.1

1.6.0

1.5.24

1.5.23

1.5.22

1.5.21

1.5.20

1.5.19

1.5.18

1.5.17

1.5.16

1.5.15

1.5.14

1.5.13

1.5.12

1.5.11

1.5.10

1.5.9

1.5.8

1.5.7

1.5.7.dev0

1.5.6

1.5.5

1.5.4

1.5.3

1.5.2

1.5.1

1.5.0

1.4.22

1.4.21

1.4.20

1.4.19

1.4.18

1.4.17

1.4.16

1.4.15

1.4.14

1.4.13

1.4.12

1.4.11

1.4.10

1.4.9

1.4.8

1.4.7

1.4.6

1.4.5

1.4.4

1.4.3

1.4.2

1.4.1

1.4.0

1.3.26

1.3.25

1.3.24

1.3.23

1.3.22

1.3.21

1.3.20

1.3.19

1.3.18

1.3.17

1.3.16

1.3.15

1.3.14

1.3.13

1.3.12

1.3.11

1.3.10

1.3.9

1.3.8

1.3.7

1.3.6

1.3.5

1.3.4

1.3.3

1.3.2

1.3.1

1.3.0

1.2.18

1.2.17

1.2.16

1.2.15

1.2.14

1.2.13

1.2.12

1.2.11

1.2.10

1.2.9

1.2.8

1.2.7

1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.15

1.1.14

1.1.13

1.1.12

1.1.11

1.1.10

1.1.9

1.1.7

1.1.6

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.3

1.0.2

1.0.1

1.0.0

0.1.8

0.1.7

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

0.0.7

0.0.6

0.0.5

0.0.4

0.0.3

0.0.2

Labels

Clear labels   

bug

  

data loss

  

design finalized

  

good first issue

  

new feature area

  

question / support

  

security

  

waiting for response

No Label

bug

data loss

design finalized

good first issue

new feature area

question / support

security

waiting for response

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

3 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: borgmatic-collective/borgmatic#810

No description provided.