Merge pull request #5078 from hashicorp/backport/dheath-ICU-15008-asc…
…iicast-tob/certainly-picked-lionfish

This pull request was automerged via backport-assistant
hc-github-team-secure-boundary authored Sep 5, 2024
2 parents 63b0525 + 3197560 commit 711349d
Showing 2 changed files with 25 additions and 12 deletions.
22 changes: 22 additions & 0 deletions website/content/docs/operations/session-recordings/index.mdx
Expand Up @@ -19,16 +19,38 @@ Recorded sessions are stored in an external storage bucket that you create.
Storing session recordings in a system external to Boundary means those recordings can be accessed, modified, deleted, and even restored independently of Boundary.
You can view any sessions that Boundary recorded in your storage provider or via the CLI.

## asciicast

When you view recorded sessions using the CLI or Admin UI, Boundary can convert the recording into other formats for playback.
Currently Boundary supports converting the recording of an individual SSH channel into an [asciicast](https://github.com/asciinema/asciinema/blob/develop/doc/asciicast-v2.md) format to play back an interactive SSH session.

### Limitations

The asciicast format is well suited for the playback of interactive shell activity.
However, some aspects of the recording cannot be translated into asciicast.
For example, if an SSH session uses the `RemoteCommand` option, or is used to `exec` a command, the command is not displayed in the asciicast.
The output of the command may be displayed, though.

If you use SSH for something other than an interactive shell, such as for file transfer, X11 forwarding, or port forwarding, Boundary does not attempt to create an asciicast.
In all cases, the SSH session is still recorded in the [BSR file](/boundary/docs/concepts/auditing/#bsr-directory-structure) and you can view the BSR file in the external storage bucket.

### Security

When a worker converts an SSH recording into the BSR file, it iterates through each of the requests in the recording and displays some of them to the user.
If you use an environment request to set the shell variable, the request is included in the asciicast header.
You should be aware of the following security concerns that could result from this behavior:

- asciicast only includes the last value that you send in the header, any previous values are overwritten.
An attacker may be able to use a malicious shell value at the beginning of a session, and then switch to `shell=/bin/bash` at the end of the session to conceal the malicious activity.

- asciicast does not display other variables such as `path` in the header, but they can cause drastic changes to code execution during the SSH session.
An attacker could change the `path` variable to point to a malicious program or change the beahvior of a normal program so that it performs a malicious action.

- asciicast silently ignores any requests that do not have an explicit handler, even though they may cause signficant changes to code execution during the SSH session.
An attacker could execute malicious code using a request without an explicit handler.

## Next steps

For more information about working with recorded sessions, refer to the following topics:

- [Find and view recorded sessions](/boundary/docs/operations/session-recordings/manage-recorded-sessions)
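Review bot: the opening sentence of the new Security subsection ("When a worker converts an SSH recording into the BSR file") has the direction of conversion backwards relative to the rest of this hunk, where the BSR file is the recording itself ("the SSH session is still recorded in the BSR file") and the worker converts "the recording of an individual SSH channel into an asciicast"; suggest "When a worker converts an SSH channel recording into an asciicast, it iterates through each request in the recording and displays some of them in the output." In the same sentence block, "set the shell variable" should name the variable explicitly in code font (for example `SHELL`) so the reader knows which environment request ends up in the asciicast header. Two typos in the bullet list: "beahvior" in the `path` bullet and "signficant" in the last bullet. The first bullet is a comma splice; "asciicast only includes the last value that you send in the header; any previous values are overwritten." Since all three bullets describe ways the asciicast can misrepresent what happened, it would help to end the subsection with one sentence stating that the BSR file, not the asciicast, is the authoritative record to review during an investigation, which the Limitations subsection above already implies.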
Expand Up @@ -9,19 +9,10 @@ description: |-

<EnterpriseAlert product="boundary">This feature requires <a href="https://www.hashicorp.com/products/boundary">HCP Boundary or Boundary Enterprise</a></EnterpriseAlert>

You can view a list of all recorded sessions, or if you know the ID of a specific recorded session, you can find any channels associated with that recording.

<Note>

The asciicast format is well suited for the playback of interactive shell activity.
However, some aspects of the recording cannot be translated into asciicast.
For example, if an SSH session uses the `RemoteCommand` option, or is used to `exec` a command, the command is not displayed in the asciicast.
The output of the command may be displayed, though.
If you use SSH for something other than an interactive shell, such as for file transfer, X11 forwarding, or port forwarding, Boundary does not attempt to create an asciicast.
Boundary converts recorded sessions into an asciicast format so that you can play back interactive SSH sessions.
Make sure to refer to the [asciicast](/boundary/docs/operations/session-recordings#asciicast) section to understand potential limitations to the asciicast format.

In all cases, the SSH session is still recorded in the [BSR file](/boundary/docs/concepts/auditing/#bsr-directory-structure) and you can view the BSR file in the external storage bucket.

</Note>
You can view a list of all recorded sessions, or if you know the ID of a specific recorded session, you can find any channels associated with that recording.

<Tabs>
<Tab heading="CLI">
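Review bot: the replacement Note sentence "Boundary converts recorded sessions into an asciicast format" says sessions, while the asciicast section it links to (added in the previous file of this commit) describes the unit of conversion as an individual SSH channel; suggest "Boundary converts individual SSH channels of a recorded session into asciicast format so that you can play back interactive SSH sessions." The `#asciicast` anchor in the new link matches the `## asciicast` heading added to the index page, so the cross-reference resolves. The deleted text also carried the caveat that the session is still recorded in the BSR file whether or not an asciicast is produced; that caveat now lives only behind the link, so consider keeping that one sentence in the Note, since readers on this page are the ones who will be puzzled when a recording has no playable channel.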