Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secrets for python actions capturable in cleartext using ps -ef | grep action_wrapper #5997

Open
fdrab opened this issue Jul 13, 2023 · 3 comments
Open

secrets for python actions capturable in cleartext using ps -ef | grep action_wrapper #5997

fdrab opened this issue Jul 13, 2023 · 3 comments
Labels
bug enhancement security

Comments

@fdrab
Copy link
Contributor

fdrab commented Jul 13, 2023
edited
Loading

SUMMARY

Python actions leak sensitive data when viewing processes

STACKSTORM VERSION

st2 3.7.0, on Python 3.8.13

OS, environment, install method

RHEL8, instance and mongoDB running on the same DL360 Proliant wtih 16 core / 64G RAM configuration

Steps to reproduce the problem

create sample flow:

name: secret_test
runner_type: python-script
description: secrettest
enabled: true
entry_point: secret_test.py
parameters:
  secret:
    type: string
    description: sample_secret
    required: false
    position: 0
    secret: true

with python script:

from st2common.runners.base_action import Action
import time

class SecretTest(Action):
    def run(self, secret):
        time.sleep(10)
        return(True)

run the flow and do ps -ef | grep action_wrapper:
[user@host ~]$ ps -ef | grep action_wrapper root 1540283 1421574 1 06:17 ? 00:00:00 /opt/stackstorm/virtualenvs/testing/bin/python -u /opt/stackstorm/st2/lib/python3.8/site-packages/python_runner/python_action_wrapper.py --pack=testing --file-path=/opt/stackstorm/internal_packs/testing/actions/secret_test.py --user=fdrab --parent-args=["--config-file","/etc/st2/st2.conf"] --parameters={"secret":"superSecretString"} --log-level=INFO user 1540289 1533819 0 06:17 pts/0 00:00:00 grep --color=auto action_wrapper [user@host ~]$

This leads to secrets being printed to the screen and easily captured even by a non-root user or anyone using ps -ef | grep. Secret is still properly masked in UI and does not appear in the logs.

Expected Results

I'd expect the secret parameters to be provided to the script in a secure way (even though I have no clue how).

Actual Results

secrets printed to console.
@arm4b arm4b added bug security and removed bug labels Jul 24, 2023
@arm4b
Copy link
Member

arm4b commented Jul 24, 2023

That's a good find!

Probably not a bug, but a side effect of using CLI arguments as an input interface.
It's possible to do something with stdin as an implementation, but it will be not a CLI argument then as the idea is that you should be able to run the same python script with the same args outside of stackstorm.

Perhaps it makes sense to document this side effect in the https://docs.stackstorm.com/reference/runners.html when CLI args are used.

@fdrab
Copy link
Contributor Author

fdrab commented Jul 26, 2023

the idea is that you should be able to run the same python script with the same args outside of stackstorm

I would understand this for some scripts, where you convert already existing scripts and adapt them to ST2, but many of the scripts I'm creating are exclusively to be used in the context of ST2 and use st2 client, or for example the SQL pack (or any pack that allows password to be an input) on stackstorm-exchange. Maybe I can work around this by using K8s, where the individual processes run in pods and hopefully what happens in pods is not capturable in trivial way such as ps -ef.
Or I'll rewrite all python actions to simply not use passwords as inputs at all and instead the process would be to pre-store a password / token in the datastore as encrypted value and then fetch the value via action_service.get instead of secrets being provided as CLI params.

@arm4b
Copy link
Member

arm4b commented Jul 26, 2023
edited
Loading

Maybe I can work around this by using K8s, where the individual processes run in pods

I think it could be worse in K8s considering amount of potential neighbours in the cluster and higher blast radius in case of something goes wrong. Add here different logging and metrics K8s capabilities that might read the process list.

Yeah, I agree.

CLI args should still apply to local-shell-script, local-shell-cmd and similar shell/scrips runners. And so one can convert a script.py with CLI args to an action this way.

However considering deeper python logic of python-script actions implemented as Python classes with a run() method, it should ideally rely on stackstorm primitives for passing secrets. Agree 💯 on that.

@fdrab fdrab mentioned this issue Oct 31, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug enhancement security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@arm4b @fdrab