OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

[Import Connectors (likely more)] Define a Volume for any r/w filesystem locations #2819

Open MaxwellDPS opened 3 days ago

MaxwellDPS commented 3 days ago

Description

In the import document connector the location used by _download_import_file() needs to be defined as a volume.

This poses a security issue if users decide to just not run with the root filesystem of a container due to having no context of this and turning it off.

More broadly, k8s covers security contexts at runtime really well; I would recommend that all containers be able to run non-root with a read-only filesystem.

Per Docker best practice, any place where files are created at run time should be a volume.

You should use the VOLUME instruction to expose any database storage area, configuration storage, or files and folders created by your Docker container. You are strongly encouraged to use VOLUME for any combination of mutable or user-serviceable parts of your image.

Environment

  1. OS (where OpenCTI server runs): N/A
  2. OpenCTI version: All so far
  3. OpenCTI client: N/A
  4. Other environment details: N/A

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. deploy the import connector with a read-only root filesystem

Expected Output

Proper volume definitions

Actual Output

Runtime errors if no volume is mounted

Additional information

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
https://docs.docker.com/build/building/best-practices/#volume
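As an added example (not part of this issue and not a manifest from the OpenCTI connectors repository), the following Pod spec applies the hardening the report asks for: the container runs as non-root with a read-only root filesystem, and the only writable location is an emptyDir volume mounted where the connector writes its downloaded import file. The image name is a placeholder, and the mount path /tmp is an assumption, since the issue does not state which directory _download_import_file() actually uses; adjust it to the connector's real write location.

```yaml
# Added example, not from the OpenCTI connectors repository.
# Assumptions: IMAGE_PLACEHOLDER stands in for the real connector image,
# and /tmp stands in for the directory _download_import_file() writes to.
apiVersion: v1
kind: Pod
metadata:
  name: connector-import-document
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: connector
      image: IMAGE_PLACEHOLDER   # replace with the connector image
      securityContext:
        readOnlyRootFilesystem: true   # the setting that triggers the runtime error without a volume
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        # Scratch space for the file written at import time; with the root
        # filesystem read-only, this mount is the only place a write succeeds.
        - name: scratch
          mountPath: /tmp   # assumed write location, see lead-in
  volumes:
    - name: scratch
      emptyDir:
        sizeLimit: 1Gi   # bounds how much an import can write
```

The emptyDir is ephemeral, which matches the file's purpose (a download that is consumed and discarded), and the size limit stops a large or repeated import from filling node disk. On the image side, the complementary change the Docker guidance quoted above calls for is a VOLUME instruction for that same directory, so that a runtime without an explicit mount still gets an anonymous writable volume instead of a write into the container layer.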

romain-filigran commented 1 day ago

Need to assess whether it is necessary to write the file to disk. cc @richard-julien