Merge changes from private security fork (v2.15.4)#10905
Merged
Conversation
(cherry picked from commit 6c2e0db)
Escape all user-supplied template imports when creating an Icinga 2 DSL configuration object. Without the escape, a `"` within the template name would allow escaping the created object and create other Icinga 2 DSL objects, exceeding potential user privileges. The same bug was present in ConfigWriter::EmitComment, but as this method is dead code, it could just be removed. (cherry picked from commit faf0450)
This allows preventing ApiUsers from evaluating their own DSL expressions for improved security. (cherry picked from commit 324d5bb)
Data structures parsed from JSON may be accessed recursively, so deeply nested structures may wreak havoc by overflowing the stack. Thus, enforce a general nesting depth limit of 24 by default (which should be more than enough for reasonable use), with the ability to pass a different limit to JsonDecode() if needed. (cherry picked from commit 4964d24)
If parsing JSON is rejected due to the depth limit introduced in the last commit, also include the path (like root["object"]["children"]...) that exceeds the allowed nesting depth. (cherry picked from commit 14d6ee9)
With the limit from the previous commit, if a JSON-RPC now message fails to parse due to being nested to deep, it would have torn down the whole connection. It is still possible to trigger that scenario from DSL config (for example by returning nested structures from a lambda that is used in a check with command_endpoint). In order to fail more gracefully, only discard the single message and don't kill the whole connection. (cherry picked from commit e7d656c)
Add validation checks to code paths reachable from the HTTP API (except full config file deployments via /v1/config) that prevent creating deeply nested data structures that could later cause a stack overflow. (cherry picked from commit 4b7ef02)
This allows reusing the helper also from other test files. (cherry picked from commit ed202ed)
…acks (cherry picked from commit 0481a66)
In the `boost::asio::spawn()` call for newer Boost versions with `std::allocator_arg`, switch from `fixedsize_stack` to `protected_fixedsize_stack` in order to allocate the stacks with guard pages. This is done as an additional safeguard in case there was still some way to overflow, this at least reliably crashes the process instead of going into undefined behavior, which could even result in code execution. Unfortunately, the old-style `spawn()` function with `boost::coroutines::attributes` does not - at least to my knowledge - provide a way to request a stack allocated with guard pages, hence this is only enabled for Boost 1.87 and later with this commit. (cherry picked from commit 2871182)
Depending on the Boost version, the existing test case based on Boost.Asio coroutines might use a stack allocated without a guard page and might not reliably detect an overflow. This commit additionally runs the same test function within a pthread thread started with the same stack size as used by our coroutines. (cherry picked from commit a155da0)
Co-authored-by: Johannes Schmidt <johannes.schmidt@icinga.com> (cherry picked from commit 4f172a5)
[Backport support/2.15] [GHSA-vj39-ww8j-vvx5] Checking if certificate update request comes from a valid endpoint See merge request packages/security/icinga2!20
[Backport support/2.15] [GHSA-wh38-wg57-5w7g] Fix stack overflow due to deeply nested data structures See merge request packages/security/icinga2!19
[Backport support/2.15] [GHSA-jgqj-x5j9-vgcm] ConfigWriter::EmitScope: Escape import See merge request packages/security/icinga2!21
[Backport support/2.15] Add filter-expression permission See merge request packages/security/icinga2!22
Release v2.15.4 See merge request packages/security/icinga2!28
julianbrost
approved these changes
Jun 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.