91 lines
3.8 KiB
Diff
91 lines
3.8 KiB
Diff
From 4d467b14363d800b2185b89790d57871f11ea88c Mon Sep 17 00:00:00 2001
|
|
From: James Falcon <james.falcon@canonical.com>
|
|
Date: Wed, 29 Jun 2022 17:27:44 -0500
|
|
Subject: [PATCH] Remove schema errors from log (#1551)
|
|
|
|
When schema errors are encountered, the section of userdata in question
|
|
gets printed to the cloud-init log. As this could contain sensitive
|
|
data, so log a generic warning instead and redirect user to run
|
|
cloud-init schema --system as root.
|
|
|
|
LP: #1978422
|
|
CVE: 2022-2084
|
|
---
|
|
cloudinit/config/schema.py | 15 ++++++++++++---
|
|
tests/unittests/test_handler/test_schema.py | 17 +++++++++++++++++
|
|
2 files changed, 29 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/cloudinit/config/schema.py b/cloudinit/config/schema.py
|
|
index 456bab2..a1e1a54 100644
|
|
--- a/cloudinit/config/schema.py
|
|
+++ b/cloudinit/config/schema.py
|
|
@@ -72,7 +72,7 @@ def is_schema_byte_string(checker, instance):
|
|
isinstance(instance, (bytes,)))
|
|
|
|
|
|
-def validate_cloudconfig_schema(config, schema, strict=False):
|
|
+def validate_cloudconfig_schema(config, schema, strict=False, log_details=True):
|
|
"""Validate provided config meets the schema definition.
|
|
|
|
@param config: Dict of cloud configuration settings validated against
|
|
@@ -81,6 +81,9 @@ def validate_cloudconfig_schema(config, schema, strict=False):
|
|
for the cloud config module (config.cc_*).
|
|
@param strict: Boolean, when True raise SchemaValidationErrors instead of
|
|
logging warnings.
|
|
+ @param log_details: Boolean, when True logs details of validation errors.
|
|
+ If there are concerns about logging sensitive userdata, this should
|
|
+ be set to False.
|
|
|
|
@raises: SchemaValidationError when provided config does not validate
|
|
against the provided schema.
|
|
@@ -118,10 +121,16 @@ def validate_cloudconfig_schema(config, schema, strict=False):
|
|
errors += ((path, error.message),)
|
|
if errors:
|
|
if strict:
|
|
+ # This could output/log sensitive data
|
|
raise SchemaValidationError(errors)
|
|
- else:
|
|
+ if log_details:
|
|
messages = ['{0}: {1}'.format(k, msg) for k, msg in errors]
|
|
- logging.warning('Invalid config:\n%s', '\n'.join(messages))
|
|
+ details = "\n" + "\n".join(messages)
|
|
+ else:
|
|
+ details = (
|
|
+ "Please run 'sudo cloud-init devel schema --system' or 'cloud-init devel schema -c config-file' to see the schema errors."
|
|
+ )
|
|
+ logging.warning('Invalid config:%s', details)
|
|
|
|
|
|
def annotated_cloudconfig_file(cloudconfig, original_content, schema_errors):
|
|
diff --git a/tests/unittests/test_handler/test_schema.py b/tests/unittests/test_handler/test_schema.py
|
|
index 1dae223..5650c88 100644
|
|
--- a/tests/unittests/test_handler/test_schema.py
|
|
+++ b/tests/unittests/test_handler/test_schema.py
|
|
@@ -86,6 +86,23 @@ class ValidateCloudConfigSchemaTest(CiTestCase):
|
|
"Invalid config:\np1: -1 is not of type 'string'\n",
|
|
self.logs.getvalue())
|
|
|
|
+ @skipUnlessJsonSchema()
|
|
+ def test_validateconfig_schema_sensitive(self):
|
|
+ """When log_details=False, ensure details are omitted"""
|
|
+ schema = {
|
|
+ "properties": {"hashed_password": {"type": "string"}},
|
|
+ "additionalProperties": False,
|
|
+ }
|
|
+ validate_cloudconfig_schema(
|
|
+ {"hashed-password": "secret"},
|
|
+ schema,
|
|
+ strict=False,
|
|
+ log_details=False,
|
|
+ )
|
|
+ self.assertIn(
|
|
+ "Please run 'sudo cloud-init devel schema --system' or 'cloud-init devel schema -c config-file' to see the schema errors.",
|
|
+ self.logs.getvalue())
|
|
+
|
|
@skipUnlessJsonSchema()
|
|
def test_validateconfig_schema_emits_warning_on_missing_jsonschema(self):
|
|
"""Warning from validate_cloudconfig_schema when missing jsonschema."""
|
|
--
|
|
2.33.0
|
|
|