Server side template injection In github.com/zalando/skipper
Description
Skipper is vulnerable to arbitrary code execution through lua filters
Impact
Arbitrary code execution through lua filters.
The default skipper configuration before v0.23 was -lua-sources=inline,file.
The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs they an read skipper secrets.
Kubernetes example (vulnerability is not limited to Kubernetes)
function request(ctx, params) local file = io.open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r') if file then local token = file:read('*all') file:close() error('[EXFIL] ' .. token) -- Exfiltrate via error logs end ...
Patches
https://github.com/zalando/skipper/releases/tag/v0.23.0 disables Lua by default.
Workarounds
You can reduce support of how you can pass lua filter script data by providing config for lua sources https://opensource.zalando.com/skipper/reference/scripts/#enable-and-disable-lua-sources. For example -lua-sources=file will only be exploitable if the attacker can create a lua script file on the target system.
References
https://opensource.zalando.com/skipper/reference/scripts/#enable-and-disable-lua-sources
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 go | github.com/zalando/skipper | 0.23.0 |
Aliases
Does your application use this vulnerable software?
During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.