dxa4481 / gcploit

These are tools we released with our 2020 defcon/blackhat talk https://www.youtube.com/watch?v=Ml09R38jpok
GNU General Public License v3.0

Dataflow exploit #12

Open 4ndygu opened 3 years ago

4ndygu commented 3 years ago

More just leaving this here for historical purposes, as it has a dependency on the Compute PR.

This PR takes advantage of the worker_harness_container_image parameter for Dataflow, assuming that a user has the user_runner_v2 parameter open. Because the container image is uncontrolled, a user can push to an arbitrary Docker container which reaches out to the Metadata service and pushes the relevant credentials to an attacker's GCS bucket of choice.
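
A defender-side check for the override described above, as an added example that is not part of this PR or of the gcploit code base: it audits Dataflow job launch arguments and flags any worker container image outside an allowlisted registry path. The allowlist, the sample arguments and the function names are constructed for illustration, and `sdk_container_image` (the name newer Apache Beam releases use for the same option) is an assumption not taken from the page.

```python
"""Audit Dataflow launch arguments for an overridden worker container image."""

# Option named in the PR description, plus sdk_container_image, the name newer
# Apache Beam releases use for the same override (assumption: not on the page).
IMAGE_OPTIONS = {"worker_harness_container_image", "sdk_container_image"}


def parse_options(argv):
    """Return {option: value} for both --key=value and --key value forms."""
    opts, i = {}, 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            key, sep, value = arg[2:].partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                i += 1
                value = argv[i]
            opts[key] = value
        i += 1
    return opts


def image_is_allowed(image, allowed_repos):
    """True only if the image lives under an allowlisted registry/project path."""
    # Drop digest and tag, then compare whole path segments so that
    # "gcr.io.example.net/x" or "gcr.io/trusted-proj-evil/x" cannot pass.
    repo = image.split("@", 1)[0]
    last = repo.rsplit("/", 1)[-1]
    if ":" in last:
        repo = repo[: repo.rfind(":")]
    segments = repo.lower().split("/")
    return any(segments[: len(a.split("/"))] == a.lower().split("/")
               for a in allowed_repos)


def audit_job(argv, allowed_repos):
    """Return (option, image) pairs whose image is outside the allowlist."""
    opts = parse_options(argv)
    return [(k, v) for k, v in sorted(opts.items())
            if k in IMAGE_OPTIONS and not image_is_allowed(v, allowed_repos)]


# Constructed sample launch arguments (project and image names are placeholders).
ALLOWED = ["gcr.io/trusted-proj"]
SAMPLE_OK = ["--runner=DataflowRunner",
             "--worker_harness_container_image=gcr.io/trusted-proj/beam-worker:2.24"]
SAMPLE_BAD = ["--runner", "DataflowRunner",
              "--worker_harness_container_image", "gcr.io/other-proj/worker:latest"]
```

Run `audit_job` over the launch arguments your CI or job-submission wrapper records; an empty list means no image override left the allowlisted repositories.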