
Alibaba SDK invoking external executables multiple times even when doing "vault version" #5324

Closed
dimalinux opened this issue Sep 12, 2018 · 4 comments · Fixed by #6024

@dimalinux

Describe the bug
General issue: Vault is importing rarely used modules that do complex package level initialization. This makes securing and auditing the code harder, as one needs to carefully review and understand imported packages that are not used.

Specific issue: The place I noticed the issue was where the Alibaba SDK invokes the external uname program 3 times even when doing an operation as simple as vault version.

https://github.com/hashicorp/vault/blob/v0.11.1/vendor/github.com/aliyun/aliyun-oss-go-sdk/oss/utils.go#L19-L47

To Reproduce
Steps to reproduce the behavior:

  1. Run strace -f -o trace.txt vault version && grep execve trace.txt
  2. See that an external program, uname, is exec'ed 3 times by the Alibaba SDK even for the simplest of commands.

Environment:

  • Vault CLI Version (retrieve with vault version): Vault v0.11.1 ('8575f8fedcf8f5a6eb2b4701cb527b99574b5286')
  • Server Operating System/Architecture: Ubuntu 16.04
@tyrannosaurus-becks tyrannosaurus-becks self-assigned this Sep 12, 2018
@tyrannosaurus-becks
Contributor

One option would be to fork the library, and to strip out the userAgent var above, which would allow us to strip out the systemInfo built upon information pulled from the environment. @dimalinux not sure if we'll go that direction, but would that solve your concerns, or are they broader than that?

@tyrannosaurus-becks
Contributor

I suppose another option would be to submit a PR to the Aliyun library moving that call out of package initialization.

@dimalinux
Author

If Hashicorp is aware of the issue and doesn't think it is a problem, feel free to close the ticket. I was just a little shocked and afraid that packages might be getting imported without sufficient review.

Ideally, packages that are rarely used wouldn't have any init() or equivalent package level function invocations. Then, users wishing to review the code could safely ignore imported packages they don't interact with.

I realize that might not be an obtainable goal. ... but forking new processes to exec programs from arbitrary places in the path for an import that most users don't need seems like a step too far. Even if I was using Alibaba cloud, I wouldn't pass my kernel version (of my vault server!) in API requests from code I controlled. :) If you strip out that code from the package level initialization (PR request, forking the code, whatever works for Hashicorp), that would be awesome!

Thanks!
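The fix both commenters circle around (moving the uname call out of package initialization) comes down to one Go property: every package-level variable initializer and init() of every transitively imported package runs when the binary starts, whether or not the importing code ever calls into that package. The added example below is not code from Vault or from the Aliyun SDK; it is illustrative code written for this issue. It contrasts the eager pattern (a package-level var whose initializer shells out, shown commented out) with a lazy equivalent guarded by sync.Once, and exposes a counter so a reader can confirm that nothing executes at load time and that the probe runs at most once. The product name "example-sdk", the function names, and the fallback to runtime.GOOS/GOARCH when uname is missing are all assumptions of this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"runtime"
	"strings"
	"sync"
	"sync/atomic"
)

// probeCalls counts how many times probeSystem has actually run. It exists so
// a caller (or test) can verify that the probe does not run at package init
// and runs at most once afterwards. (Assumed helper, not part of any SDK.)
var probeCalls int32

// probeSystem is the side-effecting step the issue objects to: it exec's an
// external program found via PATH lookup. If uname is unavailable the example
// falls back to Go's own runtime values so it still runs offline.
func probeSystem() string {
	atomic.AddInt32(&probeCalls, 1)
	// exec.Command resolves "uname" through PATH, which is exactly why running
	// this at package init is a concern: whatever "uname" is first on PATH
	// gets executed by every binary that merely imports the package.
	out, err := exec.Command("uname", "-s", "-r").Output()
	if err != nil {
		return runtime.GOOS + "/" + runtime.GOARCH
	}
	return strings.TrimSpace(string(out))
}

// Eager pattern (what the issue describes): the initializer runs when the
// package loads, even if no caller ever reads userAgentEager. Left commented
// out so this example does not exec anything at startup.
//
// var userAgentEager = "example-sdk/0.0 (" + probeSystem() + ")"

// Lazy pattern: the probe runs on first use only. sync.Once makes concurrent
// first callers share a single exec instead of each running their own.
var (
	uaOnce sync.Once
	uaVal  string
)

// UserAgent returns the user-agent string, computing the system info on the
// first call and caching it for all later calls.
func UserAgent() string {
	uaOnce.Do(func() {
		uaVal = "example-sdk/0.0 (" + probeSystem() + ")"
	})
	return uaVal
}

// ProbeCalls reports how many times probeSystem has run so far.
func ProbeCalls() int32 { return atomic.LoadInt32(&probeCalls) }

func main() {
	fmt.Println("probe calls after package init:", ProbeCalls()) // 0
	fmt.Println(UserAgent())
	fmt.Println(UserAgent())
	fmt.Println("probe calls after two uses:", ProbeCalls()) // 1
}
```

A quick way to confirm the difference on a real binary is the strace command from the reproduction steps: with the eager initializer, the execve lines for uname appear even for a command that never touches the SDK; with the lazy version they only appear once the code path that builds a request is reached.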

@briankassouf
Contributor

closed via #5358
