Adding validation for Lustre post mount parameters

Author: dhananjay-ng

pkg/csi-util/lustre_lnet_helper.go

@@ -364,3 +364,48 @@ func (ls *LnetService) ApplyLustreParameters(logger *zap.SugaredLogger, lustrePa
 	logger.Infof("Successfully applied lustre parameters.")
 	return nil
 }
+
+func isValidLustreParam(param string) bool {
+	// Check for no spaces
+	if strings.Contains(param, " ") {
+		return false
+	}
+	// List of forbidden characters
+	forbiddenChars := []string{";", "&", "|", "<", ">", "(", ")", "`", "'", "\""}
+	for _, char := range forbiddenChars {
+		if strings.Contains(param, char) {
+			return false
+		}
+	}
+	return true
+}
+func  ValidateLustreParameters(logger *zap.SugaredLogger, lustreParamsJson string) error {
+	if lustreParamsJson == "" {
+		logger.Debug("No lustre parameters specified.")
+		return nil
+	}
+	var lustreParams []Parameter
+
+	err := json.Unmarshal([]byte(lustreParamsJson), &lustreParams)
+
+	if err != nil {
+		return err
+	}
+
+	var invalidParams []string
+
+	for _, param := range lustreParams {
+		for key, value := range param {
+			logger.Infof("Validating lustre param %s=%s", key, fmt.Sprintf("%v", value))
+			if !isValidLustreParam(key) || !isValidLustreParam(fmt.Sprintf("%v", value)) {
+				invalidParams = append(invalidParams, fmt.Sprintf("%v=%v",key, value))
+			}
+		}
+	}
+	if len(invalidParams) > 0 {
+		return fmt.Errorf("%v", strings.Join(invalidParams, ","))
+	}
+	logger.Infof("Successfully validated lustre parameters.")
+	return nil
+}
+

pkg/csi-util/lustre_lnet_helper_test.go

@@ -1,6 +1,7 @@
 package csi_util
 
 import (
+	"fmt"
 	"strings"
 	"testing"
 
@@ -415,3 +416,49 @@ func TestLnetService_ApplyLustreParameters(t *testing.T) {
 		})
 	}
 }
+
+
+func TestLnetService_ValidateLustreParameters(t *testing.T) {
+	logger := zap.NewExample().Sugar()
+	tests := []struct {
+		name              string
+		lustreParamsJSON  string
+		expectedErr       error
+	}{
+		{
+			name:             "Valid Lustre Parameters Json Provided",
+			lustreParamsJSON: `[{"failover.recovery_mode":"quorum","lnet.debug":"0x200"}]`,
+			expectedErr: nil,
+		},
+		{
+			name:             "No Lustre Parameters Provided",
+			lustreParamsJSON: "",
+			expectedErr: nil,
+		},
+		{
+			name:             "Invalid Lustre Parameters Json Provided",
+			lustreParamsJSON: `invalid-json`,
+			expectedErr: fmt.Errorf("%s","invalid character 'i' looking for beginning of value"),
+		},
+		{
+			name:             "Valid and Invalid Lustre Parameters Provided",
+			lustreParamsJSON: `[{"failover.recovery_mode":"quorum","lnet.debug":"0x200","lnet.debug && ls -l | wc -l":"0x200 I am Invalid"}]`,
+			expectedErr: fmt.Errorf("%v","lnet.debug && ls -l | wc -l=0x200 I am Invalid"),
+		},
+		{
+			name:             "Invalid Lustre Parameters Provided",
+			lustreParamsJSON: `[{"failover.recovery_mode;cat /var/log/cloud-init.log":"quorum; echo Hello"}]`,
+			expectedErr: fmt.Errorf("%v","failover.recovery_mode;cat /var/log/cloud-init.log=quorum; echo Hello"),
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := ValidateLustreParameters(logger, tc.lustreParamsJSON)
+			if err != nil && !strings.EqualFold(tc.expectedErr.Error(), err.Error()) {
+				t.Errorf("ValidateLustreParameters() got = %v, want %v", err, tc.expectedErr)
+			}
+
+		})
+	}
+}

pkg/csi/driver/lustre_node.go

@@ -42,6 +42,15 @@ func (d LustreNodeDriver) NodeStageVolume(ctx context.Context, req *csi.NodeStag
 		return nil, status.Error(codes.InvalidArgument, "Invalid Volume Handle provided.")
 	}
 
+
+	d.loadCSIConfig()
+
+	if lustrePostMountParameters, exists := req.GetVolumeContext()["lustrePostMountParameters"]; exists && !isSkipLustreParams(d.csiConfig) {
+		if err := csi_util.ValidateLustreParameters(d.logger, lustrePostMountParameters); err != nil {
+			return nil, status.Errorf(codes.InvalidArgument, "Invalid lustre parameters provided : %v", err.Error())
+		}
+	}
+
 	logger := d.logger.With("volumeID", req.VolumeId)
 
 	logger.Debugf("volume context: %v", req.VolumeContext)