security: a more comprehensive env.denylist (#24540)

A more comprehensive env.denylist that now includes more token, token file and license variables. --------- Co-authored-by: Daniel Bennett <dbennett@hashicorp.com>
2026-01-01 16:05:42 +03:00 · 2024-11-22 18:54:18 +01:00
parent 642e33ae41
commit 368241dbf2
5 changed files with 34 additions and 6 deletions
--- a/.changelog/24540.txt
+++ b/.changelog/24540.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: Added more host environment variables to the default deny list for tasks
+```
--- a/command/agent/host/host.go
+++ b/command/agent/host/host.go
@@ -96,12 +96,16 @@ func environment() map[string]string {
 // Update https://developer.hashicorp.com/nomad/docs/configuration/client#env-denylist
 // whenever this is changed.
 var DefaultEnvDenyList = []string{
-	"CONSUL_TOKEN",
-	"CONSUL_HTTP_TOKEN",
-	"VAULT_TOKEN",
-	"NOMAD_LICENSE",
-	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
-	"GOOGLE_APPLICATION_CREDENTIALS",
+	// product tokens
+	"CONSUL_TOKEN", "CONSUL_HTTP_TOKEN", "CONSUL_HTTP_TOKEN_FILE", "NOMAD_TOKEN", "VAULT_TOKEN",
+	// licenses
+	"CONSUL_LICENSE", "NOMAD_LICENSE", "VAULT_LICENSE",
+	// license paths
+	"CONSUL_LICENSE_PATH", "NOMAD_LICENSE_PATH", "VAULT_LICENSE_PATH",
+	// AWS sensitive variables
+	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "AWS_METADATA_URL",
+	// GCP sensitive variables
+	"GOOGLE_APPLICATION_CREDENTIALS", "GOOGLE_OAUTH_ACCESS_TOKEN",
 }

 // makeEnvRedactSet creates a set of well known environment variables that should be
--- a/command/agent/host/host_test.go
+++ b/command/agent/host/host_test.go
@@ -25,6 +25,8 @@ func TestMakeHostData(t *testing.T) {
 	t.Setenv("BOGUS_TOKEN", "foo")
 	t.Setenv("BOGUS_SECRET", "foo")
 	t.Setenv("ryanSECRETS", "foo")
+	t.Setenv("CONSUL_LICENSE_PATH", "foo")
+	t.Setenv("AWS_ACCESS_KEY_ID", "foo")

 	host, err := MakeHostData()
 	must.NoError(t, err)
@@ -38,4 +40,6 @@ func TestMakeHostData(t *testing.T) {
 	must.Eq(t, "<redacted>", host.Environment["BOGUS_TOKEN"])
 	must.Eq(t, "<redacted>", host.Environment["BOGUS_SECRET"])
 	must.Eq(t, "<redacted>", host.Environment["ryanSECRETS"])
+	must.Eq(t, "<redacted>", host.Environment["CONSUL_LICENSE_PATH"])
+	must.Eq(t, "<redacted>", host.Environment["AWS_ACCESS_KEY_ID"])
 }
--- a/website/content/docs/configuration/client.mdx
+++ b/website/content/docs/configuration/client.mdx
@@ -304,12 +304,21 @@ see the [drivers documentation](/nomad/docs/drivers).
  ```text
  CONSUL_TOKEN
  CONSUL_HTTP_TOKEN
+  CONSUL_HTTP_TOKEN_FILE
+  NOMAD_TOKEN
  VAULT_TOKEN
+  CONSUL_LICENSE
  NOMAD_LICENSE
+  VAULT_LICENSE
+  CONSUL_LICENSE_PATH
+  NOMAD_LICENSE_PATH
+  VAULT_LICENSE_PATH
  AWS_ACCESS_KEY_ID
  AWS_SECRET_ACCESS_KEY
  AWS_SESSION_TOKEN
+  AWS_METADATA_URL
  GOOGLE_APPLICATION_CREDENTIALS
+  GOOGLE_OAUTH_ACCESS_TOKEN
  ```

 - `"user.denylist"` `(string: see below)` - Specifies a comma-separated
--- a/website/content/docs/upgrade/upgrade-specific.mdx
+++ b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -13,6 +13,14 @@ upgrade. However, specific versions of Nomad may have more details provided for
 their upgrades as a result of new features or changed behavior. This page is
 used to document those details separately from the standard upgrade flow.

+## Nomad 1.9.4
+
+In Nomad 1.9.4, the [default client env deny
+list](/nomad/docs/configuration/client#env-denylist) includes additional
+environment variables to improve security. Users who need some of these secure
+environment variables passed to their tasks should consult the list and
+overwrite it in the configuration.
+
 ## Nomad 1.9.3

 In Nomad 1.9.3, the mechanism used for calculating when objects are eligible