Escape passwords in configurations and scripts #8842
Conversation
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
| function fail { | ||
| timestamp=$(date --iso-8601=seconds) | ||
| echo "{\"timestamp\": \"${timestamp}\", \"message\": \"readiness probe failed\", "$1"}" | tee /proc/1/fd/2 2> /dev/null | ||
| echo '{"timestamp": "'"${timestamp}"'", "message": "readiness probe failed", '"${1}"'}'| tee /proc/1/fd/2 2> /dev/null |
There was a problem hiding this comment.
^--^ SC2027 (warning): The surrounding quotes actually unquote this. Remove or escape them.
| exit 0 | ||
| else | ||
| fail " \"status\": \"${status}\", \"version\":\"${version}\" " | ||
| fail " \"status\": \"${status}\" " |
There was a problem hiding this comment.
^--------^ SC2154 (warning): version is referenced but not assigned.
| # request the health endpoint and expect http status code 200. Turning globbing off for unescaped IPv6 addresses | ||
| status=$(curl -g -o /dev/null -w "%{http_code}" ` + url + ` ` + basicAuthArgs + ` -k -s --max-time ${READINESS_PROBE_TIMEOUT}) | ||
| status=$(curl -g -o /dev/null -w "%{http_code}" ` + url + ` ` + basicAuthArgs + ` -k -s --max-time "${READINESS_PROBE_TIMEOUT}") |
There was a problem hiding this comment.
^------------------------^ SC2086 (info): Double quote to prevent globbing and word splitting
| function fail { | ||
| timestamp=$(date --iso-8601=seconds) | ||
| echo "{\"timestamp\": \"${timestamp}\", \"message\": \"readiness probe failed\", "$1"}" | tee /proc/1/fd/2 2> /dev/null | ||
| timestamp=$(date +%Y-%m-%dT%H:%M:%S%z) |
There was a problem hiding this comment.
date: unrecognized option '--iso-8601=seconds'
BusyBox v1.37.0 (2024-09-30 10:39:57 UTC) multi-call binary.
Not sure for how long we had this bug 😐
|
We can escape it but I wonder if we should remove Edit: I added a function to sanitize the string. |
|
buildkite test this -f p=gke,t=TestVersionUpgrade* |
barkbay
changed the title
barkbay
changed the title
|
We have another issue for Logstash which offers a way to inject the ES password through environment variables, as described in the documentation or in the following example: pipelines:
- pipeline.id: main
config.string: |
input { exec { command => 'uptime' interval => 10 } }
output {
elasticsearch {
hosts => [ "${TEST_ES_HOSTS}" ]
ssl_enabled => true
ssl_certificate_authorities => "${TEST_ES_SSL_CERTIFICATE_AUTHORITY}"
user => "${TEST_ES_USER}"
password => "${TEST_ES_PASSWORD}"
}
}If there is In above case the password was starting with I don't know what to do for this one. My feeling is that we should not advise users to rely on internally generated passwords. Also using env variables to propagate credentials feels wrong, I believe this sample would be broken as soon as the password is regenerated. |
|
buildkite test this -f p=gke,t=TestSamples |
| "metadata": { | ||
| "annotations": { | ||
| "elasticsearch.k8s.elastic.co/monitoring-config-hash": "421654492" | ||
| "elasticsearch.k8s.elastic.co/monitoring-config-hash": "3826168075" |
There was a problem hiding this comment.
@rhr323 If we include this change (I mean the " around the password in Metricbeat config) then I think this is going to recreate the ES Pods for clusters which have stack monitoring is enabled. We should then add 3.2.0 to https://www.elastic.co/docs/deploy-manage/upgrade/orchestrator/upgrade-cloud-on-k8s#k8s-beta-to-ga-rolling-restart (we can also revert it since we just decided to not include symbols, but may end up re-introduce it eventually later so idk 🤷♂️ )
There was a problem hiding this comment.
Thanks! I'll update the docs accordingly.
* Fix EntSearch readiness script * iso-8601=seconds is not a valid flag with busybox * Sanitize password string in Stackmon config * Fix TestReconcileConfig_ReadinessProbe * Update stack mon sidecar expected config * Do not include symbols for now
barkbay
added
the
exclude-from-release-notes
* Fix EntSearch readiness script * iso-8601=seconds is not a valid flag with busybox * Sanitize password string in Stackmon config * Fix TestReconcileConfig_ReadinessProbe * Update stack mon sidecar expected config * Do not include symbols for now
4 participants
Follow up of #8817
Some characters like
]or"can break some scripts or configurations.