Escape runtime variables in hooks #810
Labels
No Label
bug
data loss
design finalized
good first issue
new feature area
question / support
security
waiting for response
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: borgmatic-collective/borgmatic#810
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
What I'm trying to do and why
Fire off an alert with an error hook when the borg job fails. The
interpolate_context
function doesn't escape runtime variables (likeoutput
), so shell injection is possible.Steps to reproduce
Create a hook configuration with any runtime variable that may contain special shell characters (ex:
"
).Actual behavior
No response
Expected behavior
The variables are escaped so they can be safely passed into commands
Other notes / implementation ideas
Another option is to pass runtime variables in environment variables.
borgmatic version
1.8.5
borgmatic installation method
Official image
Borg version
1.2.7
Python version
3.11.5
Database version (if applicable)
No response
Operating system and version
No response
Thanks for taking the time to file this! Just to confirm, I assume you're talking about these runtime variables on the command hooks? I agree that escaping them does seem prudent from a security perspective, even if that might technically be a breaking change for some users.
Yep! It should be sufficient to add a call to
shlex.quote
inside the interpolation logic.Thanks, I totally forgot about that utility function even though it's already in use elsewhere!
Fixed in main. Will be part of the next release. I also took the opportunity to fix similar shell injection attacks in other parts of the codebase (various database hooks, the
borgmatic borg
action, constant interpolation into command hooks, etc.).Thanks again for bringing this to my attention!
Released in borgmatic 1.8.7!
Thanks!
This was indeed a breaking change for people using the old provided method for running pg_dumpall within a container. I'm ok with changing to a wrapper script (no pg_dump on the host since postgres versioning is awful), but it might be good to leave some sort of reference to the old example in the docs for people who are wondering what happened.
Thanks for weighing in, and I apologize for the breakage you encountered. What's the old provided method for running
pg_dumpall
within a container, and how exactly did it break? The generally recommend way for dumping PostgreSQL database with borgmatic is to use the built-in database hook, although I understand if that doesn't work for all use cases.Sorry for the delay, this got lost in my inbox. I misremembered the docker exec example as being on the databases doc page, but it's actually on the configuration reference:
Hmm, okay, so it looks like as part of this ticket's implementation, the
pg_dump_command
value is now escaped. Could you describe how that broke things for you and ideally provide the error message or logs for the breakage you're seeing? Thank you!It ends up passing it as a single token to the shell (in my case it's podman, but it shouldn't be any different regardless of command):
I don't think this is a documentation gap.. It's a straight-up bug! I've filed the issue as a new ticket: #822. Please feel free to follow along there.
Thank you!