Merge pull request #31318 from adityakali/gci53

Automatic merge from submit-queue Add validation for KUBE_USER Malformed KUBE_USER causes error in cluster setup. cc/ @kubernetes/goog-image @Q-Lee @Amey-D Can you please review?
2025-07-30 06:54:01 +00:00 · 2016-08-24 22:18:39 -07:00 · 2016-08-24 22:18:39 -07:00 · 38d3decdfb
commit 38d3decdfb
parent c63f43b329 07d98bebe8
2 changed files with 19 additions and 1 deletions
--- a/cluster/common.sh
+++ b/cluster/common.sh
@ -257,6 +257,16 @@ function load-or-gen-kube-basicauth() {
  if [[ -z "${KUBE_USER:-}" || -z "${KUBE_PASSWORD:-}" ]]; then
    gen-kube-basicauth
  fi
+
+  # Make sure they don't contain any funny characters.
+  if ! [[ "${KUBE_USER}" =~ ^[-._@a-zA-Z0-9]+$ ]]; then
+    echo "Bad KUBE_USER string."
+    exit 1
+  fi
+  if ! [[ "${KUBE_PASSWORD}" =~ ^[-._@#%/a-zA-Z0-9]+$ ]]; then
+    echo "Bad KUBE_PASSWORD string."
+    exit 1
+  fi
 }

 function load-or-gen-kube-bearertoken() {
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -755,7 +755,7 @@ function start-kube-apiserver {
  if [[ -n "${KUBE_USER:-}" ]]; then
    local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
    remove-salt-config-comments "${abac_policy_json}"
-    sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"
+    sed -i -e "s/{{kube_user}}/${KUBE_USER}/g" "${abac_policy_json}"
    cp "${abac_policy_json}" /etc/srv/kubernetes/
  fi

@ -1115,6 +1115,14 @@ if [[ ! -e "${KUBE_HOME}/kube-env" ]]; then
 fi

 source "${KUBE_HOME}/kube-env"
+
+if [[ -n "${KUBE_USER:-}" ]]; then
+  if ! [[ "${KUBE_USER}" =~ ^[-._@a-zA-Z0-9]+$ ]]; then
+    echo "Bad KUBE_USER format."
+    exit 1
+  fi
+fi
+
 config-ip-firewall
 create-dirs
 ensure-local-ssds