Skip to content

fix: Gate linkDevice host override behind env var#605

Open
dz0ny wants to merge 1 commit into
mainfrom
fix/restrict-host-override
Open

fix: Gate linkDevice host override behind env var#605
dz0ny wants to merge 1 commit into
mainfrom
fix/restrict-host-override

Conversation

@dz0ny

@dz0ny dz0ny commented Jul 6, 2026

Copy link
Copy Markdown
Member

The link command accepted an arbitrary host query parameter from
paretosecurity://linkDevice URLs and used it directly as the team
API endpoint, with no validation. A crafted link could redirect
device enrollment and report traffic to an attacker-controlled
server.

Ignore the host override unless PARETO_ALLOW_HOST_OVERRIDE is set;
otherwise always enroll against the production Pareto Cloud API.

Also:

  • add tests covering the default-ignored and opted-in paths

Refs https://github.com/teamniteo/pareto/issues/863

The link command accepted an arbitrary host query parameter from
paretosecurity://linkDevice URLs and used it directly as the team
API endpoint, with no validation. A crafted link could redirect
device enrollment and report traffic to an attacker-controlled
server.

Ignore the host override unless PARETO_ALLOW_HOST_OVERRIDE is set;
otherwise always enroll against the production Pareto Cloud API.

Also:
- add tests covering the default-ignored and opted-in paths

Refs teamniteo/pareto#863
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🚀 Dev Builds Available

Development builds for this PR are available in the workflow artifacts.

Available builds:

  • Windows (agent, installer, tray)
  • Linux (agent)
  • macOS (agent)

Download the build artifact to test the latest changes.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Merging this branch will increase overall coverage

Impacted Packages Coverage Δ 🤖
github.com/ParetoSecurity/agent/cmd 39.02% (+1.52%) 👍
Total 53.86%

Coverage by file

Changed files (no unit tests)

Changed File Coverage Δ Total Covered Missed 🤖
github.com/ParetoSecurity/agent/cmd/link.go 63.46% (+3.89%) 52 (+5) 33 (+5) 19 👍

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

Changed unit test files

  • github.com/ParetoSecurity/agent/cmd/link_test.go

@dz0ny dz0ny marked this pull request as ready for review July 6, 2026 13:21
Copilot AI review requested due to automatic review settings July 6, 2026 13:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Gates the host query parameter from paretosecurity://linkDevice URLs behind an explicit env-var opt-in to prevent enrollment/reporting traffic from being redirected to attacker-controlled endpoints.

Changes:

  • Add PARETO_ALLOW_HOST_OVERRIDE gating so host overrides are ignored by default in the CLI link flow.
  • Add unit tests covering the default-ignore and opted-in host override behaviors.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
cmd/link.go Adds env-var gating for honoring host overrides during device enrollment.
cmd/link_test.go Adds tests for host override being ignored by default vs allowed when opted in.

Comment thread cmd/link.go
Comment on lines +68 to +73
// Only honor an explicit host override when opted in via env var; otherwise
// always enroll against the production Pareto Cloud API.
if host != "" && !hostOverrideAllowed() {
log.Warnf("ignoring host override from link URL; set %s=1 to allow it", allowHostOverrideEnv)
host = ""
}
Comment thread cmd/link.go
Comment on lines +18 to +25
// host is untrusted input from an external URL; require explicit opt-in before trusting it.
// https://github.com/teamniteo/pareto/issues/863
const allowHostOverrideEnv = "PARETO_ALLOW_HOST_OVERRIDE"

func hostOverrideAllowed() bool {
allowed, _ := strconv.ParseBool(os.Getenv(allowHostOverrideEnv))
return allowed
}
Comment thread cmd/link_test.go
Comment on lines +120 to +123
os.Unsetenv(allowHostOverrideEnv)

err := runLinkCommand("paretosecurity://linkDevice?invite_id=test-invite-123&host=https://attacker.example.com")
assert.NoError(t, err)
Comment thread cmd/link_test.go
Comment on lines +138 to +139
os.Setenv(allowHostOverrideEnv, "1")
defer os.Unsetenv(allowHostOverrideEnv)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants