x/playground: Read sensitive information of sandbox golang testing on website #36860

Closed
qlkwej opened this issue Jan 29, 2020 · 4 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

@qlkwej

qlkwej commented Jan 29, 2020

What version of Go are you using (go version)?

$ go version
go version go1.13.6 windows/amd64

Does this issue reproduce with the latest release?

Yes

What did you do?

Read sensitive information on /etc/group

What did you expect to see?

It should not return any information as another output in exec.Command
No return in golang demo terminal

What did you see instead?

The server returns group sandbox information
https://golang.org/pkg/io/ioutil/#example_ReadFile
return information group in golang demo terminal

Best Regards,
Thanks

@gopherbot gopherbot added this to the Unreleased milestone Jan 29, 2020
@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 3, 2020
@cagedmantis cagedmantis changed the title x/website: Read sensitive information of sandbox golang testing on website x/playground: Read sensitive information of sandbox golang testing on website Feb 3, 2020
@cagedmantis
Contributor

/cc @dmitshur @toothrot

@toothrot
Contributor

toothrot commented Feb 3, 2020

I don't believe the contents of our gvisor hosted containerized filesystem are secret. Our treatment of this changed in http://golang.org/cl/195983 (by @bradfitz).

There's no persistence between runs, so I believe this to be generally OK.

@bradfitz
Contributor

bradfitz commented Feb 4, 2020

Yeah that's all fake. Not a security issue.

@dmitshur
Contributor

dmitshur commented Feb 4, 2020

Thanks for confirming. I'll close this because there's nothing to do.

@dmitshur dmitshur closed this as completed Feb 4, 2020
@golang golang locked and limited conversation to collaborators Feb 3, 2021