Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

One time key #432

Merged
merged 2 commits into from
Jun 6, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/code-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
pull-requests: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Low]Upgrade to the latest version of the action

Using an outdated action version may expose the workflow to old vulnerabilities and bugs. Update the action to the latest stable release version or to a version without known vulnerabilities.

with:
disable-sudo: true
egress-policy: block
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:
# Learn more about CodeQL language support at https://git.io/codeql-language-support

steps:
- uses: step-security/harden-runner@v1
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- name: Checkout repository
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Low]Update comment in the YAML file

There is a YAML file that seems to contain outdated comment. Update the comment in the YAML file

with:
egress-policy: audit

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:
contents: write
runs-on: ubuntu-20.04
steps:
- uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
allowed-endpoints:
api.github.com:443
Expand Down
3 changes: 2 additions & 1 deletion agent.go
Original file line number Diff line number Diff line change
Expand Up @@ -65,8 +65,9 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
return err
}

apiclient := &ApiClient{Client: &http.Client{Timeout: 3 * time.Second}, APIURL: config.APIURL, DisableTelemetry: config.DisableTelemetry, EgressPolicy: config.EgressPolicy}
apiclient := &ApiClient{Client: &http.Client{Timeout: 3 * time.Second}, APIURL: config.APIURL, DisableTelemetry: config.DisableTelemetry, EgressPolicy: config.EgressPolicy, OneTimeKey: config.OneTimeKey}

config.OneTimeKey = ""
// TODO: pass in an iowriter/ use log library
WriteLog(fmt.Sprintf("read config \n %+v", config))
WriteLog("\n")
Expand Down
2 changes: 2 additions & 0 deletions apiclient.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ type ApiClient struct {
APIURL string
DisableTelemetry bool
EgressPolicy string
OneTimeKey string
}

const agentApiBaseUrl = "https://apiurl/v1"
Expand Down Expand Up @@ -113,6 +114,7 @@ func (apiclient *ApiClient) sendApiRequest(method, url string, body interface{})
return err
}

req.Header.Add("x-one-time-key", apiclient.OneTimeKey)
if body != nil {
req.Header.Add("Content-Type", "application/json; charset=UTF-8")
}
Expand Down
3 changes: 3 additions & 0 deletions config.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ type config struct {
RunId string
WorkingDirectory string
APIURL string
OneTimeKey string
Endpoints map[string][]Endpoint
EgressPolicy string
DisableTelemetry bool
Expand All @@ -35,6 +36,7 @@ type configFile struct {
RunId string `json:"run_id"`
WorkingDirectory string `json:"working_directory"`
APIURL string `json:"api_url"`
OneTimeKey string `json:"one_time_key"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[High]Sensitive Information Exposure

OneTimeKey field contains highly sensitive data and its usage should be minimized in configuration files. Avoid storing sensitive data in configuration files. Instead, consider using environment variables, secret management tools like Hashicorp Vault, AWS Secrets Manager, etc.

AllowedEndpoints string `json:"allowed_endpoints"`
EgressPolicy string `json:"egress_policy"`
DisableTelemetry bool `json:"disable_telemetry"`
Expand Down Expand Up @@ -67,6 +69,7 @@ func (c *config) init(configFilePath string) error {
c.DisableSudo = configFile.DisableSudo
c.DisableFileMonitoring = configFile.DisableFileMonitoring
c.Private = configFile.Private
c.OneTimeKey = configFile.OneTimeKey
return nil
}

Expand Down
Loading