github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-26 07:22:20 +00:00
Code Issues Projects Releases Wiki Activity

agent: valid envs for hooks

Browse Source 
Envs contain null-byte will cause running hooks to panic,
this commit will filter envs and only pass valid envs to hooks.

Fixes: #3667

Signed-off-by: bin <bin@hyper.sh>
This commit is contained in:
bin 2022-02-15 11:51:23 +08:00 committed by Samuel Ortiz
parent a3b3274121
commit 80e8dbf1f5
1 changed files with 8 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/agent/rustjail/src/container.rs
View File

@ -1488,14 +1488,9 @@ async fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
if args.len() > 1 {
args.remove(0);
}
let env: HashMap<String, String> = h
.env
.iter()
.map(|e| {
let v: Vec<&str> = e.split('=').collect();
(v[0].to_string(), v[1].to_string())
})
.collect();
// all invalid envs will be ommit, only valid envs will be passed to hook.
let env: HashMap<&str, &str> = h.env.iter().filter_map(|e| valid_env(e)).collect();
// Avoid the exit signal to be reaped by the global reaper.
let _wait_locker = WAIT_PID_LOCKER.lock().await;
@ -1506,8 +1501,7 @@ async fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.spawn()
.unwrap();
.spawn()?;
// default timeout 10s
let mut timeout: u64 = 10;
@ -1647,13 +1641,16 @@ mod tests {
let touch = which("touch").await;
defer!(fs::remove_file(temp_file).unwrap(););
let invalid_str = vec![97, b'\0', 98];
let invalid_string = std::str::from_utf8(&invalid_str).unwrap();
let invalid_env = format!("{}=value", invalid_string);
execute_hook(
&slog_scope::logger(),
&Hook {
path: touch,
args: vec!["touch".to_string(), temp_file.to_string()],
env: vec![],
env: vec![invalid_env],
timeout: Some(10),
},
&OCIState {