security: a more comprehensive env.denylist (#24540)

A more comprehensive env.denylist that now includes more token, token file and license variables. --------- Co-authored-by: Daniel Bennett <[email protected]>
hashicorp · Nov 22, 2024 · 368241d · 368241d
1 parent 642e33a
commit 368241d
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 6 deletions.
diff --git a/.changelog/24540.txt b/.changelog/24540.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: Added more host environment variables to the default deny list for tasks
+```
diff --git a/command/agent/host/host.go b/command/agent/host/host.go
@@ -96,12 +96,16 @@ func environment() map[string]string {
 // Update https://developer.hashicorp.com/nomad/docs/configuration/client#env-denylist
 // whenever this is changed.
 var DefaultEnvDenyList = []string{
-	"CONSUL_TOKEN",
-	"CONSUL_HTTP_TOKEN",
-	"VAULT_TOKEN",
-	"NOMAD_LICENSE",
-	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
-	"GOOGLE_APPLICATION_CREDENTIALS",
+	// product tokens
+	"CONSUL_TOKEN", "CONSUL_HTTP_TOKEN", "CONSUL_HTTP_TOKEN_FILE", "NOMAD_TOKEN", "VAULT_TOKEN",
+	// licenses
+	"CONSUL_LICENSE", "NOMAD_LICENSE", "VAULT_LICENSE",
+	// license paths
+	"CONSUL_LICENSE_PATH", "NOMAD_LICENSE_PATH", "VAULT_LICENSE_PATH",
+	// AWS sensitive variables
+	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "AWS_METADATA_URL",
+	// GCP sensitive variables
+	"GOOGLE_APPLICATION_CREDENTIALS", "GOOGLE_OAUTH_ACCESS_TOKEN",
 }
 
 // makeEnvRedactSet creates a set of well known environment variables that should be

diff --git a/command/agent/host/host_test.go b/command/agent/host/host_test.go
@@ -25,6 +25,8 @@ func TestMakeHostData(t *testing.T) {
 	t.Setenv("BOGUS_TOKEN", "foo")
 	t.Setenv("BOGUS_SECRET", "foo")
 	t.Setenv("ryanSECRETS", "foo")
+	t.Setenv("CONSUL_LICENSE_PATH", "foo")
+	t.Setenv("AWS_ACCESS_KEY_ID", "foo")
 
 	host, err := MakeHostData()
 	must.NoError(t, err)
@@ -38,4 +40,6 @@ func TestMakeHostData(t *testing.T) {
 	must.Eq(t, "<redacted>", host.Environment["BOGUS_TOKEN"])
 	must.Eq(t, "<redacted>", host.Environment["BOGUS_SECRET"])
 	must.Eq(t, "<redacted>", host.Environment["ryanSECRETS"])
+	must.Eq(t, "<redacted>", host.Environment["CONSUL_LICENSE_PATH"])
+	must.Eq(t, "<redacted>", host.Environment["AWS_ACCESS_KEY_ID"])
 }
diff --git a/website/content/docs/configuration/client.mdx b/website/content/docs/configuration/client.mdx
@@ -304,12 +304,21 @@ see the [drivers documentation](/nomad/docs/drivers).
   ```text
   CONSUL_TOKEN
   CONSUL_HTTP_TOKEN
+  CONSUL_HTTP_TOKEN_FILE
+  NOMAD_TOKEN
   VAULT_TOKEN
+  CONSUL_LICENSE
   NOMAD_LICENSE
+  VAULT_LICENSE
+  CONSUL_LICENSE_PATH
+  NOMAD_LICENSE_PATH
+  VAULT_LICENSE_PATH
   AWS_ACCESS_KEY_ID
   AWS_SECRET_ACCESS_KEY
   AWS_SESSION_TOKEN
+  AWS_METADATA_URL
   GOOGLE_APPLICATION_CREDENTIALS
+  GOOGLE_OAUTH_ACCESS_TOKEN
   ```
 
 - `"user.denylist"` `(string: see below)` - Specifies a comma-separated

diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -13,6 +13,14 @@ upgrade. However, specific versions of Nomad may have more details provided for
 their upgrades as a result of new features or changed behavior. This page is
 used to document those details separately from the standard upgrade flow.
 
+## Nomad 1.9.4
+
+In Nomad 1.9.4, the [default client env deny
+list](/nomad/docs/configuration/client#env-denylist) includes additional
+environment variables to improve security. Users who need some of these secure
+environment variables passed to their tasks should consult the list and
+overwrite it in the configuration.
+
 ## Nomad 1.9.3
 
 In Nomad 1.9.3, the mechanism used for calculating when objects are eligible