Hi Chefs,
We’ve just released Push Jobs Client 2.4.1. This release contains a new feature that will allow users to whitelist environment variables that are allowed to be overwritten in the environment of executed jobs, as you might do by passing --with-env to knife-push. Giving push jobs users the ability to be explicit about which environment variables can be safely overwritten allows defense against the malicious use of environment variables such as (but not limited to) PATH, to run code at higher privilege than it should. Such an attack assumes that you have the ability to launch jobs.
For example, if you wanted to allow the only FOO environment variable to be set with the knife node start --with-env JSON blob, place the following in your push jobs config:
allowed_overwritable_env_vars ['FOO']
Launching a job with knife node start --with-env '{"FOO": "BAR"}' would set the FOO environment variable to BAR when the job launched.
If somebody were to try to set the PATH environment variable in this case, CHEF_PUSH_ENV_ will be prepended to it, resulting in CHEF_PUSH_ENV_PATH being set instead of PATH.
By default, allowed_overwritable_env_vars is nil, and it will allow all environment variables to be passed directly to the environment. If you would like to prevent any environment variables from being set directly when launching a job, allowed_overwritable_env_vars can be set to any an empty array:
allowed_overwritable_env_vars []
You can grab the latest release from https://downloads.chef.io/push-jobs-client.
Thanks to Denis Ilin for raising this issue and providing a fix.