Added input validation on lnet label to fixing fortify command execution vuln.

Author: dhananjay-ng

pkg/csi-util/lustre_lnet_helper.go

@@ -12,7 +12,6 @@ import (
 )
 
 const (
-	CHROOT_BASH_COMMAND                   = "chroot-bash"
 	LOAD_LNET_KERNEL_MODULE_COMMAND       = "modprobe lnet"
 	CONFIGURE_LNET_KERNEL_SERVICE_COMMAND = "lnetctl lnet configure"
 	SHOW_CONFIGURED_LNET                  = "lnetctl net show --net %s"
@@ -66,9 +65,12 @@ func ValidateLustreVolumeId(lusterVolumeId string) (bool, string) {
 			return false, lnetLabel
 		}
 		lnetLabel = parts[1]
+		if !isValidShellInput(lnetLabel) {
+			return false, ""
+		}
 	}
 	//last part in volume handle which is fsname should start with "/"
-	if !strings.HasPrefix(splits[len(splits)-1], "/") {
+	if !strings.HasPrefix(splits[len(splits)-1], "/") || !isValidShellInput(splits[len(splits)-1]) {
 		return false, lnetLabel
 	}
 	return true, lnetLabel
@@ -329,7 +331,8 @@ func (ls *LnetService) IsLnetActive(logger *zap.SugaredLogger, lnetLabel string)
 }
 
 func (olc *OCILnetConfigurator) ExecuteCommandOnWorkerNode(args ...string) (string, error) {
-	command := exec.Command(CHROOT_BASH_COMMAND, args...)
+	
+	command := exec.Command("chroot-bash", args...)
 
 	output, err := command.CombinedOutput()
 
@@ -365,15 +368,15 @@ func (ls *LnetService) ApplyLustreParameters(logger *zap.SugaredLogger, lustrePa
 	return nil
 }
 
-func isValidLustreParam(param string) bool {
+func isValidShellInput(input string) bool {
 	// Check for no spaces
-	if strings.Contains(param, " ") {
+	if strings.Contains(input, " ") {
 		return false
 	}
 	// List of forbidden characters
-	forbiddenChars := []string{";", "&", "|", "<", ">", "(", ")", "`", "'", "\""}
+	forbiddenChars := []string{";", "&", "|", "<", ">", "(", ")", "`", "'", "\"","$","!"}
 	for _, char := range forbiddenChars {
-		if strings.Contains(param, char) {
+		if strings.Contains(input, char) {
 			return false
 		}
 	}
@@ -397,7 +400,7 @@ func  ValidateLustreParameters(logger *zap.SugaredLogger, lustreParamsJson strin
 	for _, param := range lustreParams {
 		for key, value := range param {
 			logger.Infof("Validating lustre param %s=%s", key, fmt.Sprintf("%v", value))
-			if !isValidLustreParam(key) || !isValidLustreParam(fmt.Sprintf("%v", value)) {
+			if !isValidShellInput(key) || !isValidShellInput(fmt.Sprintf("%v", value)) {
 				invalidParams = append(invalidParams, fmt.Sprintf("%v=%v",key, value))
 			}
 		}

pkg/csi-util/lustre_lnet_helper_test.go

@@ -18,19 +18,22 @@ func TestValidateLustreVolumeId(t *testing.T) {
 	}{
 		// Valid cases
 		{"192.168.227.11@tcp1:192.168.227.12@tcp1:/demo", true, "tcp1"},
-		{"192.168.227.11@tcp1:/demo", true,"tcp1"},
+		{"192.168.227.11@tcp1:/demo", true, "tcp1"},
+		{"192.168.227.11@tcp1 & rm -rf /:192.168.227.12@tcp1:/demo", false, ""},
+		{"192.168.227.11@tcp1:192.168.227.12@tcp1:/demo & rm -rf", false, "tcp1"},
+		{"192.168.227.11@tcp1:/demo", true, "tcp1"},
 		// Invalid cases
-		{"192.168.227.11@tcp1:192.168.227.12@tcp1", false,"tcp1"}, // No fsname provided
-		{"192.168.227.11@tcp1:192.168.227.12@tcp1:demo", false,"tcp1"}, // fsname not starting with "/"
-		{"invalidip@tcp1:192.168.227.12@tcp1:/demo", false,""},  // Invalid IP address
-		{"192.168.227.11@tcp1:invalidip@tcp1:/demo", false,"tcp1"},  // Invalid IP address
-		{"192.168.227.11@:192.168.227.12@:tcp1/demo", false, ""}, // No Lnet label provided
-		{"192.168.227.11@tcp1:192.168.227.12:/demo", false, "tcp1"}, // No Lnet label provided in 2nd MGS NID
+		{"192.168.227.11@tcp1:192.168.227.12@tcp1", false, "tcp1"},      // No fsname provided
+		{"192.168.227.11@tcp1:192.168.227.12@tcp1:demo", false, "tcp1"}, // fsname not starting with "/"
+		{"invalidip@tcp1:192.168.227.12@tcp1:/demo", false, ""},         // Invalid IP address
+		{"192.168.227.11@tcp1:invalidip@tcp1:/demo", false, "tcp1"},     // Invalid IP address
+		{"192.168.227.11@:192.168.227.12@:tcp1/demo", false, ""},        // No Lnet label provided
+		{"192.168.227.11@tcp1:192.168.227.12:/demo", false, "tcp1"},     // No Lnet label provided in 2nd MGS NID
 		// Empty input
-		{"", false,""},
+		{"", false, ""},
 
 		// Single IP
-		{"192.168.227.11", false,""}, // Missing ":" in the input
+		{"192.168.227.11", false, ""}, // Missing ":" in the input
 	}
 
 	for _, test := range tests {
@@ -53,7 +56,6 @@ type FakeConfigurator struct {
 	ExecuteCommandOnWorkerNodeFunc      func(args ...string) (string, error)
 }
 
-
 func (f *FakeConfigurator) GetNetInterfacesInSubnet(subnetCIDR string) ([]NetInterface, error) {
 	return f.GetNetInterfacesInSubnetFunc(subnetCIDR)
 }
@@ -128,9 +130,13 @@ func TestLnetService_SetupLnet_TableDriven(t *testing.T) {
 				// These functions are not used in this case.
 				IsLustreClientPackagesInstalledFunc: func(logger *zap.SugaredLogger) bool { return true },
 				ExecuteCommandOnWorkerNodeFunc:      func(args ...string) (string, error) { return "ok", nil },
-				GetLnetInfoByLnetLabelFunc:           func(lnetLabel string) (NetInfo, error) { return NetInfo{}, nil },
-				ConfigureLnetFunc:                    func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo) error { return nil },
-				VerifyLnetConfigurationFunc:          func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo, err error) error { return nil },
+				GetLnetInfoByLnetLabelFunc:          func(lnetLabel string) (NetInfo, error) { return NetInfo{}, nil },
+				ConfigureLnetFunc: func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo) error {
+					return nil
+				},
+				VerifyLnetConfigurationFunc: func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo, err error) error {
+					return nil
+				},
 			},
 			expectedErrSubstr: "No VNIC identified on worker node to configure lnet.",
 		},
@@ -179,9 +185,13 @@ func TestLnetService_SetupLnet_TableDriven(t *testing.T) {
 					}
 					return "ok", nil
 				},
-				GetLnetInfoByLnetLabelFunc:  func(lnetLabel string) (NetInfo, error) { return NetInfo{}, nil },
-				ConfigureLnetFunc:           func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo) error { return nil },
-				VerifyLnetConfigurationFunc: func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo, err error) error { return nil },
+				GetLnetInfoByLnetLabelFunc: func(lnetLabel string) (NetInfo, error) { return NetInfo{}, nil },
+				ConfigureLnetFunc: func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo) error {
+					return nil
+				},
+				VerifyLnetConfigurationFunc: func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo, err error) error {
+					return nil
+				},
 			},
 			expectedErrSubstr: "Failed to load lnet kernel module with error : loading lnet module failed. Please make sure that lustre client packages are installed on worker nodes.",
 		},
@@ -200,9 +210,13 @@ func TestLnetService_SetupLnet_TableDriven(t *testing.T) {
 					}
 					return "ok", nil
 				},
-				GetLnetInfoByLnetLabelFunc:  func(lnetLabel string) (NetInfo, error) { return NetInfo{}, nil },
-				ConfigureLnetFunc:           func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo) error { return nil },
-				VerifyLnetConfigurationFunc: func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo, err error) error { return nil },
+				GetLnetInfoByLnetLabelFunc: func(lnetLabel string) (NetInfo, error) { return NetInfo{}, nil },
+				ConfigureLnetFunc: func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo) error {
+					return nil
+				},
+				VerifyLnetConfigurationFunc: func(logger *zap.SugaredLogger, ifaces []NetInterface, lnetLabel string, netInfo NetInfo, err error) error {
+					return nil
+				},
 			},
 			expectedErrSubstr: "Failed to configure lnet kernel service with error : lnet service configuration failed. Please make sure that lustre client packages are installed on worker nodes.",
 		},
@@ -289,9 +303,9 @@ func TestLnetService_SetupLnet_TableDriven(t *testing.T) {
 func TestLnetService_IsLnetActive_TableDriven(t *testing.T) {
 	logger := zap.NewExample().Sugar()
 	tests := []struct {
-		name         string
-		lnetLabel    string
-		fakeGetInfo  func(lnetLabel string) (NetInfo, error)
+		name           string
+		lnetLabel      string
+		fakeGetInfo    func(lnetLabel string) (NetInfo, error)
 		expectedActive bool
 	}{
 		{
@@ -367,10 +381,10 @@ func TestLnetService_IsLnetActive_TableDriven(t *testing.T) {
 func TestLnetService_ApplyLustreParameters(t *testing.T) {
 	logger := zap.NewExample().Sugar()
 	tests := []struct {
-		name              string
-		lustreParamsJSON  string
-		fakeExec          func(args ...string) (string, error)
-		expectedErr       bool
+		name             string
+		lustreParamsJSON string
+		fakeExec         func(args ...string) (string, error)
+		expectedErr      bool
 	}{
 		{
 			name:             "Valid Lustre Parameters Json Provided",
@@ -417,38 +431,37 @@ func TestLnetService_ApplyLustreParameters(t *testing.T) {
 	}
 }
 
-
 func TestLnetService_ValidateLustreParameters(t *testing.T) {
 	logger := zap.NewExample().Sugar()
 	tests := []struct {
-		name              string
-		lustreParamsJSON  string
-		expectedErr       error
+		name             string
+		lustreParamsJSON string
+		expectedErr      error
 	}{
 		{
 			name:             "Valid Lustre Parameters Json Provided",
 			lustreParamsJSON: `[{"failover.recovery_mode":"quorum","lnet.debug":"0x200"}]`,
-			expectedErr: nil,
+			expectedErr:      nil,
 		},
 		{
 			name:             "No Lustre Parameters Provided",
 			lustreParamsJSON: "",
-			expectedErr: nil,
+			expectedErr:      nil,
 		},
 		{
 			name:             "Invalid Lustre Parameters Json Provided",
 			lustreParamsJSON: `invalid-json`,
-			expectedErr: fmt.Errorf("%s","invalid character 'i' looking for beginning of value"),
+			expectedErr:      fmt.Errorf("%s", "invalid character 'i' looking for beginning of value"),
 		},
 		{
 			name:             "Valid and Invalid Lustre Parameters Provided",
 			lustreParamsJSON: `[{"failover.recovery_mode":"quorum","lnet.debug":"0x200","lnet.debug && ls -l | wc -l":"0x200 I am Invalid"}]`,
-			expectedErr: fmt.Errorf("%v","lnet.debug && ls -l | wc -l=0x200 I am Invalid"),
+			expectedErr:      fmt.Errorf("%v", "lnet.debug && ls -l | wc -l=0x200 I am Invalid"),
 		},
 		{
 			name:             "Invalid Lustre Parameters Provided",
 			lustreParamsJSON: `[{"failover.recovery_mode;cat /var/log/cloud-init.log":"quorum; echo Hello"}]`,
-			expectedErr: fmt.Errorf("%v","failover.recovery_mode;cat /var/log/cloud-init.log=quorum; echo Hello"),
+			expectedErr:      fmt.Errorf("%v", "failover.recovery_mode;cat /var/log/cloud-init.log=quorum; echo Hello"),
 		},
 	}
 

pkg/csi/driver/lustre_node.go

@@ -158,6 +158,7 @@ func (d LustreNodeDriver) loadCSIConfig() {
 
 
 func (d LustreNodeDriver) NodeUnstageVolume(ctx context.Context, req *csi.NodeUnstageVolumeRequest) (*csi.NodeUnstageVolumeResponse, error) {
+
 	if req.VolumeId == "" {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID must be provided")
 	}
@@ -253,7 +254,10 @@ func (d LustreNodeDriver) NodePublishVolume(ctx context.Context, req *csi.NodePu
 	logger := d.logger.With("volumeID", req.VolumeId)
 	logger.Debugf("volume context: %v", req.VolumeContext)
 
-	_, lnetLabel := csi_util.ValidateLustreVolumeId(req.VolumeId)
+	isValidVolumeId, lnetLabel := csi_util.ValidateLustreVolumeId(req.VolumeId)
+	if !isValidVolumeId {
+		return nil, status.Error(codes.InvalidArgument, "Invalid Volume Handle provided.")
+	}
 
 	//Lnet Setup
 	if setupLnet, ok := req.GetVolumeContext()[SetupLnet]; ok && setupLnet == "true" {
@@ -324,6 +328,7 @@ func (d LustreNodeDriver) NodePublishVolume(ctx context.Context, req *csi.NodePu
 }
 
 func (d LustreNodeDriver) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error) {
+
 	if req.VolumeId == "" {
 		return nil, status.Error(codes.InvalidArgument, "NodeUnpublishVolume: Volume ID must be provided")
 	}