Release 3.8 #6004

Merged
merged 7 commits into from
May 26, 2021
16 changes: 15 additions & 1 deletion CHANGELOG.md
Expand Up @@ -10,7 +10,7 @@ _With the release of `v3.0.0`, we're introducing a new changelog format in an at
_The old changelog can be found in the `release-2.6` branch_


# v3.8.0 - [2021-05-21]
# v3.8.0-rc.2 Release Candidate - [2021-05-26]

> :warning: Go module was renamed from `github.com/sylabs/singularity` to `github.com/hpcng/singularity`

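Review bot: the heading `# v3.8.0-rc.2 Release Candidate - [2021-05-26]` breaks the `# vX.Y.Z - [date]` pattern used by every other section in this file (compare `# v3.7.4 - [2021-05-26]` further down); consider `# v3.8.0-rc.2 - [2021-05-26]` and, if the "Release Candidate" wording is wanted, put it in the section body. It is also worth confirming that a PR titled "Release 3.8" really intends to move this heading from `v3.8.0` back to an rc.2 rather than forward to the final release.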
Expand Down Expand Up @@ -54,6 +54,20 @@ of `make test` for ease of use:
and `E2E_DOCKER_PASSWORD` environment variables.


# v3.7.4 - [2021-05-26]

## Security Related Fixes

- [CVE-2021-32635](https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3):
Due to incorrect use of a default URL, singularity action commands
(run/shell/exec) specifying a container using a library:// URI will
always attempt to retrieve the container from the default remote
endpoint (cloud.sylabs.io) rather than the configured remote
endpoint. An attacker may be able to push a malicious container to
the default remote endpoint with a URI that is identical to the URI
used by a victim with a non-default remote endpoint, thus executing
the malicious container.

# v3.7.3 - [2021-04-06]

## Security Related Fixes
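Review bot: the CVE-2021-32635 entry describes the flaw but not the behaviour after the fix; a closing sentence such as "library:// URIs are now resolved against the currently configured remote endpoint" would let users confirm what changed in this release. The entry also cites only the hpcng advisory (GHSA-jq42-hfch-42f3), while the e2e regression test added in this PR references the sylabs advisory (GHSA-5mv9-q7fq-9394) as well; listing both identifiers here keeps the cross-references consistent.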
4 changes: 1 addition & 3 deletions cmd/internal/cli/actions.go
Expand Up @@ -20,7 +20,6 @@ import (
"github.com/hpcng/singularity/internal/pkg/client/oci"
"github.com/hpcng/singularity/internal/pkg/client/oras"
"github.com/hpcng/singularity/internal/pkg/client/shub"
"github.com/hpcng/singularity/internal/pkg/remote/endpoint"
"github.com/hpcng/singularity/internal/pkg/util/uri"
"github.com/hpcng/singularity/pkg/sylog"
"github.com/spf13/cobra"
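Review bot: dropping the `endpoint` import is only correct if `endpoint.SCSDefaultLibraryURI` was its sole use in `cmd/internal/cli/actions.go`; the next hunk removes that use, and the compiler will reject any remaining reference, so the two hunks must land together but need nothing further.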
Expand Down Expand Up @@ -80,11 +79,10 @@ func handleLibrary(ctx context.Context, imgCache *cache.Handle, pullFrom string)
return "", err
}

// Default "" = use current remote endpoint
var libraryURI string
if r.Host != "" {
libraryURI = "https://" + r.Host
} else {
libraryURI = endpoint.SCSDefaultLibraryURI
}

c, err := getLibraryClientConfig(libraryURI)
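Review bot: the fix now depends on an empty-string sentinel: when `r.Host` is empty, `libraryURI` stays `""` and `getLibraryClientConfig` must map that to the configured remote endpoint rather than to `cloud.sylabs.io`. That contract is stated only in the comment `// Default "" = use current remote endpoint` here; document it on `getLibraryClientConfig` itself (or pin it with a unit test that passes `""` and checks which endpoint is chosen) so that a later change to that function cannot silently reintroduce CVE-2021-32635.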
3 changes: 3 additions & 0 deletions e2e/actions/actions.go
Expand Up @@ -2198,6 +2198,8 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests {
env: env,
}

np := testhelper.NoParallel

return testhelper.Tests{
"action URI": c.RunFromURI, // action_URI
"exec": c.actionExec, // singularity exec
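Review bot: `np := testhelper.NoParallel` is declared well above its single use in the map below; inlining `testhelper.NoParallel(c.invalidRemote)` at the use site reads more clearly. Either way, a short comment saying why this test must not run in parallel (it changes the active remote with `remote use`, which every other test in the same profile reads) would help future readers.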
Expand Down Expand Up @@ -2230,5 +2232,6 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests {
"bind image": c.bindImage, // test bind image
"umask": c.actionUmask, // test umask propagation
"no-mount": c.actionNoMount, // test --no-mount
"invalidRemote": np(c.invalidRemote), // GHSA-5mv9-q7fq-9394
}
}
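Review bot: the inline comment `// GHSA-5mv9-q7fq-9394` cites only the sylabs advisory, while the CHANGELOG entry in this PR cites the hpcng one (GHSA-jq42-hfch-42f3) and the test function itself lists both; use the same identifier, or the CVE number, in all three places so the regression is easy to trace.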
68 changes: 68 additions & 0 deletions e2e/actions/regressions.go
Expand Up @@ -616,3 +616,71 @@ func (c actionTests) issue5690(t *testing.T) {
e2e.ExpectExit(0),
)
}

// If an invalid remote is set, we should not pull a container from the default
// library.
// Github Security Advisories:
// GHSA-jq42-hfch-42f3 (hpcng)
// GHSA-5mv9-q7fq-9394 (sylabs)
func (c actionTests) invalidRemote(t *testing.T) {
testEndpoint := "invalid"
testEndpointURI := "https://cloud.example.com"
testImage := "library://alpine"

// Exec library image from the default remote... ensure it succeeds
argv := []string{testImage, "/bin/true"}
c.env.RunSingularity(
t,
e2e.AsSubtest("exec default"),
e2e.WithProfile(e2e.UserProfile),
e2e.WithCommand("exec"),
e2e.WithArgs(argv...),
e2e.ExpectExit(0),
)

// Add another endpoint
argv = []string{"add", "--no-login", testEndpoint, testEndpointURI}
c.env.RunSingularity(
t,
e2e.AsSubtest("remote add"),
e2e.WithProfile(e2e.UserProfile),
e2e.WithCommand("remote"),
e2e.WithArgs(argv...),
e2e.ExpectExit(0),
)
// Remove test remote when we are done here
defer func(t *testing.T) {
argv := []string{"remove", testEndpoint}
c.env.RunSingularity(
t,
e2e.AsSubtest("remote remove"),
e2e.WithProfile(e2e.UserProfile),
e2e.WithCommand("remote"),
e2e.WithArgs(argv...),
e2e.ExpectExit(0),
)
}(t)

// Set as default
argv = []string{"use", testEndpoint}
c.env.RunSingularity(
t,
e2e.AsSubtest("remote use"),
e2e.WithProfile(e2e.UserProfile),
e2e.WithCommand("remote"),
e2e.WithArgs(argv...),
e2e.ExpectExit(0),
)

// Exec library image from the invalid remote, should fail
argv = []string{testImage, "/bin/true"}
c.env.RunSingularity(
t,
e2e.AsSubtest("exec invalid"),
e2e.WithProfile(e2e.UserProfile),
e2e.WithCommand("exec"),
e2e.WithArgs(argv...),
e2e.ExpectExit(255),
)

}
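Review bot: the deferred cleanup removes the `invalid` remote but never restores the remote that was active before `remote use invalid`, so after this test the user's configuration is left without a usable active remote (or pointing at an entry that no longer exists), and later tests in the run that touch library:// may fail for the wrong reason; record the active remote before the `remote use` step and `remote use` it again inside the deferred function, before `remote remove`. Two smaller points: the test asserts only on exit code 255 for "exec invalid", so a failure message check (whatever output matcher the e2e helpers provide) that confirms the error refers to `cloud.example.com` would make it explicit that the configured remote, not the default, was contacted; and `defer func(t *testing.T) { ... }(t)` can be a plain `defer func() { ... }()` since `t` is already in scope.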