Fix illegal shell characters

This change checks if the user input is legal.
If illegal, we raise an InvalidValue exception.

Story: 2010004
Task: 45128

Change-Id: Ib81646b8f8a01fcbc31d033ec205491b76a7b755
wu.chunyang 2022-09-06 21:03:25 +08:00 committed by wu.chunyang
parent af1db229b9
commit 0ec4d0487b
5 changed files with 40 additions and 0 deletions


@ -0,0 +1,6 @@
---
fixes:
- |
check if the user input is legal, currently, trove may have a
RCE vulnerability. more details see:
`Stroy 2010004 <https://storyboard.openstack.org/#!/story/2010004>`__


@ -88,6 +88,9 @@ class BackupController(wsgi.Controller):
swift_container = data.get('swift_container') swift_container = data.get('swift_container')
restore_from = data.get('restore_from') restore_from = data.get('restore_from')
if swift_container:
utils.validate_command(swift_container)
context.notification = notification.DBaaSBackupCreate( context.notification = notification.DBaaSBackupCreate(
context, request=req) context, request=req)
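Review bot: The new check on the two added lines validates only `swift_container`, while `restore_from`, read on the line just above it, is not validated in this hunk; if that value is also interpolated into a command it needs the same `utils.validate_command(restore_from)` call, and if it is deliberately exempt a one-line comment saying why would spare the next reader the question. `exception.InvalidValue` is a `TroveError`; whether it is mapped to a 400 response rather than surfacing as a 500 depends on the wsgi fault mapping, which is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.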


@ -61,6 +61,10 @@ class InvalidRPCConnectionReuse(TroveError):
message = _("Invalid RPC Connection Reuse.") message = _("Invalid RPC Connection Reuse.")
class InvalidValue(TroveError):
message = _("The value is not allowed: %(value)s.")
class NotFound(TroveError): class NotFound(TroveError):
message = _("Resource %(uuid)s cannot be found.") message = _("Resource %(uuid)s cannot be found.")


@ -17,6 +17,7 @@
from collections import abc from collections import abc
import inspect import inspect
import os import os
import shlex
import shutil import shutil
import uuid import uuid
import urllib.parse as urlparse import urllib.parse as urlparse
@ -423,3 +424,13 @@ def req_to_text(req):
parts.extend([b'', safe_encode(req.body)]) parts.extend([b'', safe_encode(req.body)])
return b'\r\n'.join(parts).decode(req.charset) return b'\r\n'.join(parts).decode(req.charset)
def validate_command(string):
"""
Check if the string is legal for command
raise invalidvalue if illegal
"""
if string != shlex.quote(string):
raise exception.InvalidValue(value=string)
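Review bot: `validate_command` in the last hunk accepts exactly what `shlex.quote` leaves unquoted, so the permitted character set is whatever `shlex`'s private unsafe-character pattern happens to be (`\w@%+=:,./-` under `re.ASCII`) rather than a policy stated in this module; an explicit compiled allowlist such as `_SAFE_VALUE_RE = re.compile(r'^[\w@%+=:,./-]+$', re.ASCII)` checked with `if not _SAFE_VALUE_RE.match(string): raise exception.InvalidValue(value=string)` expresses the same rule visibly and is not tied to an implementation detail (it needs `import re` next to the new `shlex` import). Note that `shlex.quote('')` returns `''`, so the empty string is rejected as well; the caller guards on truthiness, but the docstring should say so and name the real exception instead of `invalidvalue`, e.g. `"""Raise exception.InvalidValue unless *string* consists solely of shell-safe characters (ASCII letters, digits and @%+=:,./_-); the empty string is rejected."""`. Wherever the validated value is later used, passing it as a separate argv element rather than through a shell string remains the stronger control; this check is defence in depth.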


@ -186,3 +186,19 @@ class TestUtils(trove_testtools.TestCase):
expected = ('GET / HTTP/1.0\r\nHost: localhost:80\r\n' expected = ('GET / HTTP/1.0\r\nHost: localhost:80\r\n'
'X-Auth-Project-Id: \u6d4b\u8bd5') 'X-Auth-Project-Id: \u6d4b\u8bd5')
self.assertEqual(expected, utils.req_to_text(req)) self.assertEqual(expected, utils.req_to_text(req))
def test_validate_command(self):
string1 = "hello_world"
string2 = "hello world"
string3 = "hello@world_123"
string4 = "example.com/databse/mysql:5.7"
string5 = 'test --db-user="$(touch /rce_successful.txt)"'
self.assertIsNone(utils.validate_command(string1))
self.assertRaises(exception.InvalidValue,
utils.validate_command,
string2)
self.assertIsNone(utils.validate_command(string3))
self.assertIsNone(utils.validate_command(string4))
self.assertRaises(exception.InvalidValue,
utils.validate_command,
string5)
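Review bot: `test_validate_command` covers a space and a command substitution but not the boundary cases of the check: the empty string (rejected, since `shlex.quote('')` is `''`) and a value containing a newline or a non-ASCII character (both rejected because the allowed set is ASCII-only). Adding `self.assertRaises(exception.InvalidValue, utils.validate_command, "")` plus one non-ASCII case would pin the behaviour the release note relies on. The five numbered `stringN` locals could be inlined into the assertions, or collected in two lists (accepted, rejected) and looped over with `subTest`, which reads more clearly than numbered names.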