From 6488e89f960151f7887bf7701a39c6c07a1195bb Mon Sep 17 00:00:00 2001
From: Patrick Rhomberg
Date: Thu, 12 Nov 2020 00:28:30 +0000
Subject: [PATCH 1/3] Update config for go-flow-levee analysis
* Remove \b boundary for sinks; Unicode backspace \b != regexp boundary \b.
* Specify those source type fields that have not yet been tagged.
* Add exclusions for current false-positive set.
---
 hack/testdata/levee/levee-config.yaml | 162 +++++++++++++++++++++-----
 1 file changed, 131 insertions(+), 31 deletions(-)
diff --git a/hack/testdata/levee/levee-config.yaml b/hack/testdata/levee/levee-config.yaml
index d2256ec1cec..53d0c0fce5d 100644
--- a/hack/testdata/levee/levee-config.yaml
+++ b/hack/testdata/levee/levee-config.yaml
@@ -1,3 +1,17 @@
+# Copyright 2015 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # This file holds configuration for taint propagation analysis of Kubernetes source via go-flow-levee.
 # It defines sources which may contain credentials and sinks where these should not be logged.
 # Sources may be identified by the FieldTags element, or by matching package, type, and field explicitly in the Sources element.
@@ -5,7 +19,9 @@
 # False positives may be suppressed in the Exclude block.
 # Note that `*RE` keys have regexp values.
 ---
-# These field tags were introduced by KEP-1753 to fields which may contain credentials
+# TODO Refer to documentation link
+
+# These field tags were introduced by KEP-1753 to indicate fields which may contain credentials
 FieldTags:
 - Key: "datapolicy"
 Val: "security-key"
@@ -17,44 +33,128 @@ FieldTags:
 # This preliminary collection of source types should be removed once
 # KEP-1753 adds tags to the relevant fields.
 Sources:
- - PackageRE: ""
- TypeRE: "^(?:admin)?Secret$|Token"
- FieldRE: ""
- - PackageRE: "k8s.io/client-go/tools/clientcmd/api(?:/v1)?"
- TypeRE: "^(?:Named)?AuthInfo$"
- FieldRE: ""
- - PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
- TypeRE: "DockerConfigEntry"
- FieldRE: "Password"
- - PackageRE: "k8s.io/client-go/transport"
- TypeRE: "requestInfo"
- FieldRE: "RequestHeaders"
- - PackageRE: "k8s.io/kubernetes/pkg/volume/rbd"
- TypeRE: "rbdMounter"
- FieldRE: "adminSecret"
- - PackageRE: "^k8s.io/client-go/rest$"
- TypeRE: "^TLSClientConfig$"
- FieldRE: "Password|BearerToken$|"
- - PackageRE: "^k8s.io/client-go/rest$"
- TypeRE: "^Config$"
- FieldRE: "Password|BearerToken$|"
+# The following fields are tagged in #95994
+- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
+ TypeRE: "Config"
+ FieldRE: "Password"
+- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
+ TypeRE: "ConfigFile"
+ FieldRE: "Global" # Global is of unnamed type, contains the field Password.
+
+# The following fields are tagged in #95997
+- PackageRE: "k8s.io/kubelet/config/v1beta1"
+ TypeRE: "KubeletConfiguration"
+ FieldRE: "StaticPodURLHeader"
+
+# The following fields are tagged in #95998
+- PackageRE: "k8s.io/kube-scheduler/config/v1"
+ TypeRE: "ExtenderTLSConfig"
+ FieldRE: "KeyData"
+
+# The following fields are tagged in #95600
+- PackageRE: "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+ TypeRE: "AuthConfig"
+ FieldRE: "Password|IdentityToken|RegistryToken"
+
+# The following fields are tagged in #96002
+- PackageRE: "k8s.io/apiserver/pkg/apis/apiserver" # multiple versions
+ TypeRE: "TLSConfig"
+ FieldRE: "ClientKey"
+- PackageRE: "k8s.io/apiserver/pkg/apis/config" # multiple versions
+ TypeRE: "Key"
+ FieldRE: "Secret"
+- PackageRE: "k8s.io/apiserver/pkg/authentication/request/headerrequest"
+ TypeRE: "requestHeaderBundle"
+ FieldRE: "UsernameHeaders|GroupHeaders"
+- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
+ TypeRE: "certKeyContent"
+ FieldRE: "key"
+- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
+ TypeRE: "DynamicCertKeyPairContent"
+ FieldRE: "certKeyPair"
+- PackageRE: "k8s.io/apiserver/pkg/server/options"
+ TypeRE: "RequestHeaderAuthenticationOptions"
+ FieldRE: "UsernameHeaders|GroupHeaders"
+- PackageRE: "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
+ TypeRE: "endpoint"
+ FieldRE: "AccessToken"
+
+# The following fields are tagged in #96003
+- PackageRE: "k8s.io/cli-runtime/pkg/genericclioptions"
+ TypeRE: "ConfigFlags"
+ FieldRE: "BearerToken|Password"
+
+# The following fields are tagged in #96004
+- PackageRE: "k8s.io/kubernetes/pkg/kubelet/apis/config"
+ TypeRE: "KubeletConfiguration"
+ FieldRE: "StaticPodURLHeader"
+- PackageRE: "k8s.io/kubernetes/pkg/kubelet/client"
+ TypeRE: "KubeletClientConfig"
+ FieldRE: "BearerToken"
+- PackageRE: "k8s.io/kubernetes/pkg/kubelet/cri/streaming"
+ TypeRE: "cacheEntry"
+ FieldRE: "token"
+
+# The following fields are tagged in #96005
+- PackageRE: 
"k8s.io/api/authentication/v1"
+ TypeRE: "TokenReviewSpec|TokenRequestStatus"
+ FieldRE: " Token"
+- PackageRE: "k8s.io/api/authentication/v1beta1"
+ TypeRE: "TokenReviewSpec"
+ FieldRE: " Token"
+
+# The following fields are tagged in #96007
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/azure"
+ TypeRE: "acrAuthResponse"
+ FieldRE: "RefreshToken"
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
+ TypeRE: "DockerConfigEntry"
+ FieldRE: "Password"
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
+ TypeRE: "DockerConfigJSON"
+ FieldRE: "Auths|HTTPHeaders"
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
+ TypeRE: "dockerConfigEntryWithAuth"
+ FieldRE: "Password|Auth"
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
+ TypeRE: "tokenBlob"
+ FieldRE: "AccessToken"
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
+ TypeRE: "AuthConfig"
+ FieldRE: "Password|Auth|IdentityToken|RegistryToken"
+
+# The following fields are tagged in #96008
+- PackageRE: "k8s.io/kubernetes/pkg/controller/certificates/authority"
+ TypeRE: "CertificateAuthority"
+ FieldRE: "RawKey"
 # Sinks are functions that should not be called with source or source-tainted arguments.
 # This configuration should capture all log unfiltered log calls.
 Sinks:
- - PackageRE: "\bk?log\b"
- ReceiverRE: ""
- MethodRE: "Info|Warning|Error|Fatal|Exit"
- - PackageRE: "\bk?log\b"
- ReceiverRE: "Verbose"
- MethodRE: "Info|Error"
+- PackageRE: "k?log"
+ # Empty regexp receiver will match both top-level klog functions and klog.Verbose methods.
+ ReceiverRE: ""
+ MethodRE: "Info|Warning|Error|Fatal|Exit"
 # Sanitizers permit a source to reach a sink by explicitly removing the source data.
 Sanitizers:
- - PackageRE: "k8s.io/client-go/transport"
- MethodRE: "maskValue"
+# maskValue strips bearer tokens from request headers
+- PackageRE: "k8s.io/client-go/transport"
+ MethodRE: "maskValue"
 # False positives may be suppressed here.
# Exclude reporting within a given function by specifying it similar to Sinks, i.e.,
 # PackageRE | ReceiverRE | MethodRE regexp
-Exclude: []
+Exclude:
+# Corrected in
+- PackageRE: "k8s.io/kubernetes/cmd/kubelet/app"
+ # Regexp matches anonymized inner function
+ MethodRE: "initConfigz|NewKubeletCommand|run"
+# Corrected by go-flow-levee version update in
+- PackageRE: "pkg/credentialprovider"
+ ReceiverRE: "BasicDockerKeyring"
+ MethodRE: "Add"
+# Corrected in #96576.
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
+ ReceiverRE: "containerRegistryProvider"
+ MethodRE: "Provide"
From 66c54ffc43b5fdcc097a057822f15d7d6cf3aeab Mon Sep 17 00:00:00 2001
From: Patrick Rhomberg
Date: Fri, 4 Dec 2020 22:39:36 +0000
Subject: [PATCH 2/3] Refer to KEP rather than directly to documentation link.
---
 hack/testdata/levee/levee-config.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hack/testdata/levee/levee-config.yaml b/hack/testdata/levee/levee-config.yaml
index 53d0c0fce5d..c363010d7b0 100644
--- a/hack/testdata/levee/levee-config.yaml
+++ b/hack/testdata/levee/levee-config.yaml
@@ -18,8 +18,9 @@
 # Sanitizers permit sources to safely reach a sink.
 # False positives may be suppressed in the Exclude block.
 # Note that `*RE` keys have regexp values.
+
+# For additional details, see KEP-1933.
 ---
-# TODO Refer to documentation link
 # These field tags were introduced by KEP-1753 to indicate fields which may contain credentials
 FieldTags:
From a3d483e965433b35d321c89c0f3f462610d81822 Mon Sep 17 00:00:00 2001
From: Patrick Rhomberg
Date: Fri, 4 Dec 2020 22:42:18 +0000
Subject: [PATCH 3/3] Update cross-referencing for PRs.
---
 hack/testdata/levee/levee-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hack/testdata/levee/levee-config.yaml b/hack/testdata/levee/levee-config.yaml
index c363010d7b0..8310855138b 100644
--- a/hack/testdata/levee/levee-config.yaml
+++ b/hack/testdata/levee/levee-config.yaml
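Review bot: Removing the `\b` anchors makes `PackageRE: "k?log"` in the Sinks block match every import path that merely contains `log`, not just klog and the standard `log` package, so the sink set silently widens and any excess findings will tend to be absorbed into Exclude rather than fixed. The commit message is right that `\b` inside a YAML double-quoted scalar is the backspace escape, but the boundary survives in a single-quoted scalar, `PackageRE: '\bk?log\b'`, or the package can be pinned to a path segment, `PackageRE: '(^|/)k?log(/|$)'`. The same unanchored style in the new Exclude entries (`MethodRE: "initConfigz|NewKubeletCommand|run"`, `PackageRE: "pkg/credentialprovider"`) suppresses reports in any function or package whose name contains those substrings; the comment says the loose `run` is deliberate for the anonymised inner function, so that trade-off is worth stating next to the other two patterns as well. Separately, the two `k8s.io/api/authentication` sources render here as `FieldRE: " Token"` with a leading space; if that space is really in the file the regexp cannot match a Go identifier and those Token fields are not tracked at all, which is worth confirming against the committed file.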
@@ -147,11 +147,11 @@ Sanitizers:
 # Exclude reporting within a given function by specifying it similar to Sinks, i.e.,
 # PackageRE | ReceiverRE | MethodRE regexp
 Exclude:
-# Corrected in
+# Corrected in #97000
 - PackageRE: "k8s.io/kubernetes/cmd/kubelet/app"
 # Regexp matches anonymized inner function
 MethodRE: "initConfigz|NewKubeletCommand|run"
-# Corrected by go-flow-levee version update in
+# Corrected by go-flow-levee version update in #96999
 - PackageRE: "pkg/credentialprovider"
 ReceiverRE: "BasicDockerKeyring"
 MethodRE: "Add"