:warning: Important information: With #3220 we no longer use PDS_SCRIPT_ENV_WHITELIST but provide the functionality via the pds config entry env-whitelist.
Situation
PDSExecutionCallable currently only adds the calculated parts to the process environment of the PDS caller script and then executes it.
But... the script inherits every environment variable of the PDS server process.
This is a security flaw.
Wanted
The scripts shall have no access to sensitive data.
Solution
We clear everything from the environment map except:
- the standard whitelisted environment variables:
  - HOME
  - HOSTNAME
  - PATH
  - PWD
  - TERM
  - UID
  - USER
- the values inside PDS_SCRIPT_ENV_WHITELIST:
  - it contains comma separated values
  - it is possible to define explicitly accepted environment variable names
  - it is also possible to use an asterisk for accepted variable names, e.g. PDS_STORAGE_* would accept PDS_STORAGE_S3_SOMETHING, PDS_STORAGE_S3_OTHER etc. as whitelisted (just for convenience when a group of variables shall be accepted)
Then we add the calculated parts.
Some special PDS solutions, like prepare-solution, which need special parts must add those parts to their whitelist. So the responsibility lies not inside the script but on the PDS side, and the setup is secure by default.
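The filtering described above, as an added illustration in Python (not the project's Java code): the server environment, the whitelist value, the calculated parts and the secret variable name are all constructed for this example, and rejecting a bare "*" entry is an assumption, not something the issue specifies.

```python
import re
from typing import Dict, Iterable, List

# Variables that are always passed through, as listed in the solution above.
STANDARD_WHITELIST = frozenset({"HOME", "HOSTNAME", "PATH", "PWD", "TERM", "UID", "USER"})


def parse_whitelist(config_value: str) -> List[str]:
    """Split the comma separated whitelist value, trimming blanks and empty entries."""
    return [entry.strip() for entry in config_value.split(",") if entry.strip()]


def _entry_pattern(entry: str) -> re.Pattern:
    # '*' is the only wildcard; every other character is matched literally.
    return re.compile(".*".join(re.escape(part) for part in entry.split("*")))


def is_whitelisted(name: str, entries: Iterable[str]) -> bool:
    """True if the variable is a standard one or matched by a whitelist entry."""
    if name in STANDARD_WHITELIST:
        return True
    for entry in entries:
        if entry == "*":
            # Assumption: a lone asterisk would switch the protection off entirely,
            # so treat it as a configuration error instead of honouring it.
            raise ValueError("whitelist entry '*' is not allowed")
        if _entry_pattern(entry).fullmatch(name):  # anchored: no partial matches
            return True
    return False


def build_script_environment(server_env: Dict[str, str], whitelist_config: str,
                             calculated: Dict[str, str]) -> Dict[str, str]:
    """Clear everything not whitelisted, then add the calculated parts."""
    entries = parse_whitelist(whitelist_config)
    env = {k: v for k, v in server_env.items() if is_whitelisted(k, entries)}
    env.update(calculated)
    return env


# Constructed sample data: a server process environment holding one secret.
SERVER_ENV = {
    "HOME": "/home/pds", "PATH": "/usr/bin", "USER": "pds",
    "PDS_STORAGE_S3_SOMETHING": "bucket-a", "PDS_STORAGE_S3_OTHER": "bucket-b",
    "PDS_STORAGE": "not-matched-by-PDS_STORAGE_*",
    "DATABASE_PASSWORD": "s3cret",  # constructed secret that must not reach the script
}
WHITELIST_CONFIG = "PDS_STORAGE_*, TOOL_HOME"   # constructed whitelist value
CALCULATED = {"JOB_ID": "job-0001"}              # constructed calculated part

if __name__ == "__main__":
    print(build_script_environment(SERVER_ENV, WHITELIST_CONFIG, CALCULATED))
```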