template: disallow writeToFile by default

Resolves #12095 by WONTFIXing it.

This approach disables `writeToFile` as it allows arbitrary host
filesystem writes and is only a small quality of life improvement over
multiple `template` stanzas.

This approach has the significant downside of leaving people who have
altered their `template.function_denylist` *still vulnerable!* I added
an upgrade note, but we should have implemented the denylist as a
`map[string]bool` so that new funcs could be denied without overriding
custom configurations.

This PR also includes a fix for a bug that broke enabling all
consul-template funcs. We repeatedly failed to differentiate between a
nil (unset) denylist and an empty (allow all) one.
Michael Schurter
2022-03-16 16:33:20 -07:00
parent 97dc6875e0
commit f87ec7e64e
9 changed files with 259 additions and 104 deletions


@@ -917,7 +917,7 @@ func DevConfig(mode *devModeConfig) *Config {
conf.Client.GCInodeUsageThreshold = 99
conf.Client.GCMaxAllocs = 50
conf.Client.TemplateConfig = &client.ClientTemplateConfig{
FunctionDenylist: []string{"plugin"},
FunctionDenylist: client.DefaultTemplateFunctionDenylist,
DisableSandbox: false,
}
conf.Client.BindWildcardDefaultHostNetwork = true
@@ -967,7 +967,7 @@ func DefaultConfig() *Config {
RetryMaxAttempts: 0,
},
TemplateConfig: &client.ClientTemplateConfig{
FunctionDenylist: []string{"plugin"},
FunctionDenylist: client.DefaultTemplateFunctionDenylist,
DisableSandbox: false,
},
BindWildcardDefaultHostNetwork: true,
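Review bot: Both `DevConfig` and `DefaultConfig` now assign `client.DefaultTemplateFunctionDenylist` directly to `FunctionDenylist`, so every config built by these constructors presumably aliases one shared backing array (the declaration is not visible here; this assumes it is a package-level `[]string`). Any code that later edits the list in place would then change the security default for the whole process. Copying at both sites avoids that, e.g. `FunctionDenylist: append([]string(nil), client.DefaultTemplateFunctionDenylist...),`, and a comment at the declaration should say that the slice must never be mutated. Both function bodies continue outside the hunks.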


@@ -120,7 +120,7 @@ func TestConfig_Merge(t *testing.T) {
ClientMaxPort: 19996,
DisableRemoteExec: false,
TemplateConfig: &client.ClientTemplateConfig{
FunctionDenylist: []string{"plugin"},
FunctionDenylist: client.DefaultTemplateFunctionDenylist,
DisableSandbox: false,
},
Reserved: &Resources{
@@ -305,7 +305,7 @@ func TestConfig_Merge(t *testing.T) {
MaxKillTimeout: "50s",
DisableRemoteExec: false,
TemplateConfig: &client.ClientTemplateConfig{
FunctionDenylist: []string{"plugin"},
FunctionDenylist: client.DefaultTemplateFunctionDenylist,
DisableSandbox: false,
},
Reserved: &Resources{
@@ -1465,6 +1465,8 @@ func TestConfig_LoadConsulTemplateBasic(t *testing.T) {
require.NotNil(t, agentConfig.Client.TemplateConfig)
agentConfig = defaultConfig.Merge(agentConfig)
require.Len(t, agentConfig.Client.TemplateConfig.FunctionDenylist, 0)
require.NotNil(t, agentConfig.Client.TemplateConfig.FunctionDenylist)
clientAgent := Agent{config: agentConfig}
clientConfig, err := clientAgent.clientConfig()
@@ -1473,7 +1475,7 @@ func TestConfig_LoadConsulTemplateBasic(t *testing.T) {
templateConfig := clientConfig.TemplateConfig
require.NotNil(t, templateConfig)
require.True(t, templateConfig.DisableSandbox)
require.Len(t, templateConfig.FunctionDenylist, 1)
require.Len(t, templateConfig.FunctionDenylist, 0)
// json
agentConfig, err = LoadConfig("test-resources/client_with_basic_template.json")
@@ -1488,7 +1490,7 @@ func TestConfig_LoadConsulTemplateBasic(t *testing.T) {
templateConfig = clientConfig.TemplateConfig
require.NotNil(t, templateConfig)
require.True(t, templateConfig.DisableSandbox)
require.Len(t, templateConfig.FunctionDenylist, 1)
require.Len(t, templateConfig.FunctionDenylist, 0)
}
func TestParseMultipleIPTemplates(t *testing.T) {
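Review bot: The paired assertions in the first `TestConfig_LoadConsulTemplateBasic` hunk (`require.Len(..., 0)` followed by `require.NotNil(...)` on `FunctionDenylist`) have no comment saying why both are needed, and a later cleanup could easily drop the second one. Add a comment above them such as `// An explicit empty denylist means "allow all" and must stay non-nil through Merge; a nil list means unset.` The visible hunks only assert the allow-all direction. If no other file in the commit covers it, a companion case should assert that a client config with no `function_denylist` still carries the default entries after `Merge`, which pins the fail-closed side. The test function starts and ends outside the hunks.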