CVE-2026-25542

MEDIUM 6.5 | EPSS 0.04%

Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching

Published: 2026/4/21 | Modified: 2026/5/22

Description

Hey guys,

Triage contract: this is a first-screen summary; deterministic proof is in the proof bundle (canonical.log/control.log/witness.txt).

Summary

Trusted Resources verification policies match a resource source string (`refSource.URI`) against `spec.resources[].pattern` using `regexp.MatchString`. In Go, `regexp.MatchString` reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in Tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.

Pins

- repo: https://github.com/tektoncd/pipeline
- commit: 0133513db03dadb3cb08801d6b0330badcb63830
- callsite: pkg/trustedresources/verify.go:118-137 (getMatchedPolicies)

Severity

MEDIUM (provisional CVSS 5.3–6.5) (signing request tampering)

Repro (canonical)

- command: `unzip -q -o poc.zip -d poc && cd poc/poc-F-TEKTON-REGEX-001 && make canonical`
- expected: cap not reached; canonical does not emit the vulnerability markers.
- actual: cap reached; canonical emits the vulnerability markers.
- canonical markers (mandatory): [CALLSITE_HIT] + [PROOF_MARKER]

Negative control

- command: `unzip -q -o poc.zip -d poc && cd poc/poc-F-TEKTON-REGEX-001 && make control`
- expected: cap not reached under the same harness; control emits the control marker and does not emit the vulnerability markers.
- control markers (mandatory): [CALLSITE_HIT] + [NC_MARKER]

Fix

Consider making matching safe-by-default by requiring full-string matches (or validating patterns and documenting substring semantics clearly). One option is to anchor patterns before matching (e.g., wrap `pattern` as `^(?:pattern)$` when not already anchored), or to provide a separate field for exact match vs regex match.

Fix accepted when: under the same harness, canonical still hits [CALLSITE_HIT] but does not emit [PROOF_MARKER].

Proof bundle pointers

- bundle: poc.zip
- bundle convention: zip extracts under a single top-level folder (poc-F-TEKTON-REGEX-001/) to avoid collisions
- contains: canonical.log, control.log, witness.txt
- extracted paths: after extraction, see ./poc/poc-F-TEKTON-REGEX-001/canonical.log, ./poc/poc-F-TEKTON-REGEX-001/control.log, ./poc/poc-F-TEKTON-REGEX-001/witness.txt
- verify: compare `shasum -a 256` for canonical.log/control.log/fix.patch/test source against witness.txt
- supported-mode note: if your supported integration uses verified https app-links/universal links only, provide the supported tag/branch and we can retest on that pin.

[poc.zip](https://github.com/user-attachments/files/24833926/poc.zip)

---

Impact

An attacker can craft a Trusted Resources source string that embeds a trusted substring and still matches an unanchored VerificationPolicy `spec.resources[].pattern`, even if the policy is intended to constrain matches to a specific trusted source. This occurs because `regexp.MatchString` succeeds on substring matches, so patterns like `https://github.com/tektoncd/catalog.git` match attacker-controlled sources such as `https://evil.com/?x=https://github.com/tektoncd/catalog.git`.

Affected: deployments using Trusted Resources verification with unanchored VerificationPolicy patterns, where an attacker can influence the `refSource.URI` value used for policy matching.

Not affected: deployments that anchor all patterns (`^...$`) or otherwise enforce full-string matching; deployments where attackers cannot influence `refSource.URI`.

Steps to reproduce

```bash
unzip -q -o poc.zip -d /tmp/poc-tekton-regex-001
cd /tmp/poc-tekton-regex-001/poc-F-TEKTON-REGEX-001
bash ./run.sh canonical | tee /tmp/tekton-regex-001-canonical.log
bash ./run.sh control | tee /tmp/tekton-regex-001-control.log
grep -n '\[PROOF_MARKER\]' /tmp/tekton-regex-001-canonical.log \
  && grep -n '\[NC_MARKER\]' /tmp/tekton-regex-001-control.log \
  && ! grep -n '\[PROOF_MARKER\]' /tmp/tekton-regex-001-control.log
```

Suggested patch options:

- make matching safe-by-default by anchoring patterns before matching (or by validating and rejecting unanchored patterns).
- document the substring semantics explicitly and update documentation examples to include anchors.

Workarounds

Anchor VerificationPolicy resource patterns so they must match the full source string. Example:

- `^https://github.com/tektoncd/catalog\.git$`

Best,
Oleh
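The substring behaviour the report describes and the anchoring fix it proposes, as an added example written for this page (not Tekton's own `getMatchedPolicies` code): the documentation-style pattern is run unanchored and anchored against the two source URIs quoted in the report, alongside the anchored workaround pattern. The sample values are constructed from the report; `MatchUnanchored`, `AnchorPattern` and `MatchAnchored` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample values, taken from the report: an unanchored pattern as
// the docs write it, the source it is meant to admit, and the bypass source.
const (
	docsPattern       = "https://github.com/tektoncd/catalog.git"
	trustedSource     = "https://github.com/tektoncd/catalog.git"
	hostileSource     = "https://evil.com/?x=https://github.com/tektoncd/catalog.git"
	workaroundPattern = `^https://github.com/tektoncd/catalog\.git$` // anchored, as in the report's workaround
)

// MatchUnanchored reproduces the reported behaviour: regexp.MatchString
// succeeds when the pattern matches anywhere inside the source string.
func MatchUnanchored(pattern, source string) (bool, error) {
	return regexp.MatchString(pattern, source)
}

// AnchorPattern wraps a pattern as ^(?:pattern)$ so it must consume the whole
// source string; the non-capturing group keeps alternations like a|b intact.
// Wrapping an already anchored pattern is harmless: ^ and $ are zero-width
// assertions, so ^(?:^p$)$ accepts exactly the strings ^p$ accepts.
func AnchorPattern(pattern string) string {
	return "^(?:" + pattern + ")$"
}

// MatchAnchored is the full-string matching the report proposes as a fix.
func MatchAnchored(pattern, source string) (bool, error) {
	return regexp.MatchString(AnchorPattern(pattern), source)
}

func main() {
	for _, src := range []string{trustedSource, hostileSource} {
		loose, _ := MatchUnanchored(docsPattern, src)
		strict, _ := MatchAnchored(docsPattern, src)
		manual, _ := MatchUnanchored(workaroundPattern, src)
		fmt.Printf("%s\n  docs pattern, unanchored: %v\n  docs pattern, anchored:   %v\n  workaround pattern:       %v\n",
			src, loose, strict, manual)
	}
}
```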

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |

References (6)