1459375 - Allow validating hash of files retrieved with "mounts"

Status: RESOLVED FIXED

(Taskcluster :: Workers, enhancement)

Description

[Gregory Szorc [:gps]]

generic-worker's "mounts" payload key [1] allows you to specify the URL or task artifact of a file to retrieve for local "mounting."

This is a pretty convenient feature!

Unfortunately, this feature is also a potential security vulnerability.

As it is currently implemented, there is no content integrity protection when using the "mounts" feature. Presumably whatever is performing the URL retrieval is using modern TLS and x509 certificate verification is used to validate the remote server. x509 certificate verification validates that the remote server's certificate was signed by a CA that chains up to a trusted root CA. And there are often... questionable root CAs in the trusted set.

I'd like to request a feature that allows specifying the content hash of files that will be retrieved with "mounts." I'm proposing that each "mounts" entry that fetches a remote resource allow an optional key that defines the content hash(es) of the retrieved file. If a hash is specified, generic-worker will validate the downloaded content against that hash and fail if there is a mismatch.

Specifying the content hash will plug the security issue denoted above. It will also provide a check against data corruption. And it will help ensure that remotely downloaded content is immutable over time.

Of course, not all downloaded content will be immutable over time nor will we know the hash in advance. But it would be really nice to be able to pin the hash when it is known.

[1] https://docs.taskcluster.net/reference/workers/generic-worker/docs/payload

Comment 1

[Pete Moore [:pmoore][:pete]]

Sorry I've only just seen this bug, but funnily enough it got implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=1459376#c2 and released in generic-worker 10.8.0.

Currently testing, and hope to roll out to production later in the week... :-)