From 5dbccce4de99b70d8999261352dd85a4ffdca32b Mon Sep 17 00:00:00 2001
From: Michael Schurter
Date: Tue, 4 Jun 2019 08:48:49 -0700
Subject: [PATCH] sentinel: copy jobs to prevent mutation

It's unclear whether Sentinel code can mutate values passed to the eval, so ensure it cannot by copying the job.
---
 nomad/job_endpoint.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go
index d4c77030d..0d682cc17 100644
--- a/nomad/job_endpoint.go
+++ b/nomad/job_endpoint.go
@@ -242,8 +242,9 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
 }
 }
- // Enforce Sentinel policies
- policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job)
+ // Enforce Sentinel policies. Pass a copy of the job to prevent
+ // sentinel from altering it.
+ policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job.Copy())
 if err != nil {
 return err
 }
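Review bot: The copy is taken at this one call, `j.enforceSubmitJob(args.PolicyOverride, args.Job.Copy())`, so any other caller of enforceSubmitJob outside this hunk would still hand the policy engine the live job. Taking the copy inside enforceSubmitJob would make the isolation hold for every caller instead of relying on each call site to remember it. The guarantee also depends on `Copy()` deep-copying every nested map and slice, which is not visible here; a test that runs enforcement and then asserts the submitted job is unchanged would pin it. The comment could state the invariant rather than the mechanism, e.g. `// Policy evaluation must never change the job that gets registered, so Sentinel only sees a private copy.` Register's body starts before and continues after this hunk.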