fix: Gate linkDevice host override behind env var#605
Open
dz0ny wants to merge 1 commit into
Open
Conversation
The link command accepted an arbitrary host query parameter from paretosecurity://linkDevice URLs and used it directly as the team API endpoint, with no validation. A crafted link could redirect device enrollment and report traffic to an attacker-controlled server. Ignore the host override unless PARETO_ALLOW_HOST_OVERRIDE is set; otherwise always enroll against the production Pareto Cloud API. Also: - add tests covering the default-ignored and opted-in paths Refs teamniteo/pareto#863
🚀 Dev Builds AvailableDevelopment builds for this PR are available in the workflow artifacts. Available builds:
Download the |
Merging this branch will increase overall coverage
Coverage by fileChanged files (no unit tests)
Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code. Changed unit test files
|
Contributor
There was a problem hiding this comment.
Pull request overview
Gates the host query parameter from paretosecurity://linkDevice URLs behind an explicit env-var opt-in to prevent enrollment/reporting traffic from being redirected to attacker-controlled endpoints.
Changes:
- Add
PARETO_ALLOW_HOST_OVERRIDEgating sohostoverrides are ignored by default in the CLI link flow. - Add unit tests covering the default-ignore and opted-in host override behaviors.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| cmd/link.go | Adds env-var gating for honoring host overrides during device enrollment. |
| cmd/link_test.go | Adds tests for host override being ignored by default vs allowed when opted in. |
Comment on lines
+68
to
+73
| // Only honor an explicit host override when opted in via env var; otherwise | ||
| // always enroll against the production Pareto Cloud API. | ||
| if host != "" && !hostOverrideAllowed() { | ||
| log.Warnf("ignoring host override from link URL; set %s=1 to allow it", allowHostOverrideEnv) | ||
| host = "" | ||
| } |
Comment on lines
+18
to
+25
| // host is untrusted input from an external URL; require explicit opt-in before trusting it. | ||
| // https://github.com/teamniteo/pareto/issues/863 | ||
| const allowHostOverrideEnv = "PARETO_ALLOW_HOST_OVERRIDE" | ||
|
|
||
| func hostOverrideAllowed() bool { | ||
| allowed, _ := strconv.ParseBool(os.Getenv(allowHostOverrideEnv)) | ||
| return allowed | ||
| } |
Comment on lines
+120
to
+123
| os.Unsetenv(allowHostOverrideEnv) | ||
|
|
||
| err := runLinkCommand("paretosecurity://linkDevice?invite_id=test-invite-123&host=https://attacker.example.com") | ||
| assert.NoError(t, err) |
Comment on lines
+138
to
+139
| os.Setenv(allowHostOverrideEnv, "1") | ||
| defer os.Unsetenv(allowHostOverrideEnv) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The link command accepted an arbitrary host query parameter from
paretosecurity://linkDevice URLs and used it directly as the team
API endpoint, with no validation. A crafted link could redirect
device enrollment and report traffic to an attacker-controlled
server.
Ignore the host override unless PARETO_ALLOW_HOST_OVERRIDE is set;
otherwise always enroll against the production Pareto Cloud API.
Also:
Refs https://github.com/teamniteo/pareto/issues/863