
v0.23.0


@zalando-robot zalando-robot released this 16 Jan 16:54
0b52894

Changes

security: disable lua scripting by default (#3830)

ref: GHSA-cc8m-98fm-rc9g

There is a weakness that can be abused in a default skipper installation
such that arbitrary files can be read as the skipper process. Whether this
is actually exploitable by untrusted people depends on the custom
installation and environment. Since 2022 we provide a detailed Lua config
guide such that operators can choose how to use Lua even in less trusted
environments. For example, you can use -lua-sources=file so that only
operators who can provide a file accessible to the skipper process are
able to reference Lua sources and execute the provided scripts.

Thanks to https://github.com/b0b0haha and https://github.com/moyushui for providing us a detailed report on how to exploit this
vulnerability, which is available by default in skipper versions <v0.23.

What you need to do as a library user in order to keep the old default from <v0.23:

skipper.Options{
        EnableLua: true,
}

What you need to do as a binary/container user in order to keep the old default from <v0.23:

skipper -enable-lua

Workaround for <v0.23

Library users:

skipper.Options{
        LuaSources: []string{"file"},
}

Binary/container users:

skipper -lua-sources=file
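To make the difference between the three settings above concrete, here is an added Go example (not skipper's own code) that models how an allow-list on Lua sources interacts with the EnableLua switch. The source class names file, inline and url are the values skipper accepts for -lua-sources / Options.LuaSources; the classification rule (URL prefix, ".lua" suffix, otherwise inline), the LuaPolicy type and the sample filter arguments are this example's own simplifications and assumptions, not skipper's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Source classes a lua() filter argument can fall into. The names mirror the
// values accepted by -lua-sources; the classification below is an assumption
// made for this example, not skipper's code.
const (
	SourceFile   = "file"
	SourceInline = "inline"
	SourceURL    = "url"
)

// LuaPolicy holds the two settings discussed in the release note.
type LuaPolicy struct {
	EnableLua  bool     // v0.23 default: false
	LuaSources []string // empty is modelled here as "all sources allowed" (pre-v0.23 behaviour)
}

// ErrLuaDisabled is returned when Lua scripting is switched off entirely.
var ErrLuaDisabled = errors.New("lua scripting is disabled")

// classify decides which source class a lua filter argument belongs to.
// Assumption for this example: URLs start with http(s)://, file references
// end in ".lua", and anything else is treated as an inline script.
func classify(arg string) string {
	switch {
	case strings.HasPrefix(arg, "http://"), strings.HasPrefix(arg, "https://"):
		return SourceURL
	case strings.HasSuffix(arg, ".lua"):
		return SourceFile
	default:
		return SourceInline
	}
}

// Allow returns nil when a route carrying lua(arg) may be loaded under this
// policy, and an error explaining the rejection otherwise.
func (p LuaPolicy) Allow(arg string) error {
	if !p.EnableLua {
		return ErrLuaDisabled
	}
	src := classify(arg)
	if len(p.LuaSources) == 0 {
		return nil // legacy default: every source class allowed
	}
	for _, allowed := range p.LuaSources {
		if allowed == src {
			return nil
		}
	}
	return fmt.Errorf("lua source %q is not in the allow-list %v", src, p.LuaSources)
}

func main() {
	// Constructed sample filter arguments, not taken from any real route table.
	args := []string{
		"/etc/skipper/scripts/redirect.lua",
		`function request(ctx, params) ctx.request.header["X-Example"] = "1" end`,
		"https://example.invalid/script.lua",
	}
	policies := []struct {
		name   string
		policy LuaPolicy
	}{
		{"pre-v0.23 default", LuaPolicy{EnableLua: true}},
		{"v0.23 default", LuaPolicy{}},
		{"workaround", LuaPolicy{EnableLua: true, LuaSources: []string{"file"}}},
	}
	for _, p := range policies {
		for _, a := range args {
			fmt.Printf("%-18s %-7s -> %v\n", p.name, classify(a), p.policy.Allow(a))
		}
	}
}
```

Running the block prints one line per policy and argument: under the pre-v0.23 default every source class passes, under the v0.23 default everything is rejected because Lua is off, and under the workaround only the file reference is accepted while the inline script and the URL are refused. That last row is the point of the -lua-sources=file workaround: a route author who cannot place a file on the skipper host cannot get a script executed.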

Multiarch Docker image

A multiarch Docker image is available in GitHub's container registry:

docker run -it ghcr.io/zalando/skipper:v0.23.0 skipper --help

Docker image

A Docker image is available in Zalando's Open Source registry:

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.23.0 skipper --help