Skip to content

Merge changes from private security fork (v2.15.4)#10905

Merged
julianbrost merged 17 commits into
support/2.15from
security-2.15.4
Jun 29, 2026
Merged

Merge changes from private security fork (v2.15.4)#10905
julianbrost merged 17 commits into
support/2.15from
security-2.15.4

Conversation

@jschmidt-icinga

Copy link
Copy Markdown
Contributor

No description provided.

jschmidt-icinga and others added 17 commits June 23, 2026 10:27
Escape all user-supplied template imports when creating an Icinga 2 DSL
configuration object. Without the escape, a `"` within the template name
would allow escaping the created object and create other Icinga 2 DSL
objects, exceeding potential user privileges.

The same bug was present in ConfigWriter::EmitComment, but as this
method is dead code, it could just be removed.

(cherry picked from commit faf0450)
This allows preventing ApiUsers from evaluating their own DSL expressions for
improved security.

(cherry picked from commit 324d5bb)
Data structures parsed from JSON may be accessed recursively, so deeply nested
structures may wreak havoc by overflowing the stack. Thus, enforce a general
nesting depth limit of 24 by default (which should be more than enough for
reasonable use), with the ability to pass a different limit to JsonDecode() if
needed.

(cherry picked from commit 4964d24)
If parsing JSON is rejected due to the depth limit introduced in the last
commit, also include the path (like root["object"]["children"]...) that exceeds
the allowed nesting depth.

(cherry picked from commit 14d6ee9)
With the limit from the previous commit, if a JSON-RPC now message fails to
parse due to being nested to deep, it would have torn down the whole
connection. It is still possible to trigger that scenario from DSL config (for
example by returning nested structures from a lambda that is used in a check
with command_endpoint). In order to fail more gracefully, only discard the
single message and don't kill the whole connection.

(cherry picked from commit e7d656c)
Add validation checks to code paths reachable from the HTTP API (except full
config file deployments via /v1/config) that prevent creating deeply nested
data structures that could later cause a stack overflow.

(cherry picked from commit 4b7ef02)
This allows reusing the helper also from other test files.

(cherry picked from commit ed202ed)
In the `boost::asio::spawn()` call for newer Boost versions with
`std::allocator_arg`, switch from `fixedsize_stack` to
`protected_fixedsize_stack` in order to allocate the stacks with guard pages.
This is done as an additional safeguard in case there was still some way to
overflow, this at least reliably crashes the process instead of going into
undefined behavior, which could even result in code execution.

Unfortunately, the old-style `spawn()` function with
`boost::coroutines::attributes` does not - at least to my knowledge - provide a
way to request a stack allocated with guard pages, hence this is only enabled
for Boost 1.87 and later with this commit.

(cherry picked from commit 2871182)
Depending on the Boost version, the existing test case based on Boost.Asio
coroutines might use a stack allocated without a guard page and might not
reliably detect an overflow. This commit additionally runs the same test
function within a pthread thread started with the same stack size as used by
our coroutines.

(cherry picked from commit a155da0)
Co-authored-by: Johannes Schmidt <johannes.schmidt@icinga.com>
(cherry picked from commit 4f172a5)
[Backport support/2.15] [GHSA-vj39-ww8j-vvx5] Checking if certificate update request comes from a valid endpoint

See merge request packages/security/icinga2!20
[Backport support/2.15] [GHSA-wh38-wg57-5w7g] Fix stack overflow due to deeply nested data structures

See merge request packages/security/icinga2!19
[Backport support/2.15] [GHSA-jgqj-x5j9-vgcm] ConfigWriter::EmitScope: Escape import

See merge request packages/security/icinga2!21
[Backport support/2.15] Add filter-expression permission

See merge request packages/security/icinga2!22
Release v2.15.4

See merge request packages/security/icinga2!28
@cla-bot cla-bot Bot added the cla/signed label Jun 29, 2026
@julianbrost julianbrost merged commit 89dc11b into support/2.15 Jun 29, 2026
34 checks passed
@julianbrost julianbrost deleted the security-2.15.4 branch June 29, 2026 12:53
@julianbrost julianbrost added this to the 2.15.4 milestone Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants